path: root/doc/src/sgml/html/auth-ident.html
Diffstat (limited to 'doc/src/sgml/html/auth-ident.html')
-rw-r--r-- doc/src/sgml/html/auth-ident.html 52
1 files changed, 52 insertions, 0 deletions
diff --git a/doc/src/sgml/html/auth-ident.html b/doc/src/sgml/html/auth-ident.html
new file mode 100644
index 0000000..52fc5c8
--- /dev/null
+++ b/doc/src/sgml/html/auth-ident.html
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.8. Ident Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sspi-auth.html" title="21.7. SSPI Authentication" /><link rel="next" href="auth-peer.html" title="21.9. Peer Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.8. Ident Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sspi-auth.html" title="21.7. SSPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-peer.html" title="21.9. Peer Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-IDENT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.8. Ident Authentication <a href="#AUTH-IDENT" class="id_link">#</a></h2></div></div></div><a id="id-1.6.8.15.2" class="indexterm"></a><p>
+ The ident authentication method works by obtaining the client's
+ operating system user name from an ident server and using it as
+ the allowed database user name (with an optional user name mapping).
+ This is only supported on TCP/IP connections.
+ </p><div class="note"><h3 class="title">Note</h3><p>
+ When ident is specified for a local (non-TCP/IP) connection,
+ peer authentication (see <a class="xref" href="auth-peer.html" title="21.9. Peer Authentication">Section 21.9</a>) will be
+ used instead.
+ </p></div><p>
+ The following configuration options are supported for <code class="literal">ident</code>:
+ </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
+ Allows for mapping between system and database user names. See
+ <a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a> for details.
+ </p></dd></dl></div><p>
+ </p><p>
+ The <span class="quote">“<span class="quote">Identification Protocol</span>”</span> is described in
+ <a class="ulink" href="https://tools.ietf.org/html/rfc1413" target="_top">RFC 1413</a>.
+ Virtually every Unix-like
+ operating system ships with an ident server that listens on TCP
+ port 113 by default. The basic functionality of an ident server
+ is to answer questions like <span class="quote">“<span class="quote">What user initiated the
+ connection that goes out of your port <em class="replaceable"><code>X</code></em>
+ and connects to my port <em class="replaceable"><code>Y</code></em>?</span>”</span>.
+ Since <span class="productname">PostgreSQL</span> knows both <em class="replaceable"><code>X</code></em> and
+ <em class="replaceable"><code>Y</code></em> when a physical connection is established, it
+ can interrogate the ident server on the host of the connecting
+ client and can theoretically determine the operating system user
+ for any given connection.
+ </p><p>
+ The drawback of this procedure is that it depends on the integrity
+ of the client: if the client machine is untrusted or compromised,
+ an attacker could run just about any program on port 113 and
+ return any user name they choose. This authentication method is
+ therefore only appropriate for closed networks where each client
+ machine is under tight control and where the database and system
+ administrators operate in close contact. In other words, you must
+ trust the machine running the ident server.
+ Heed the warning:
+ </p><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ The Identification Protocol is not intended as an authorization
+ or access control protocol.
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">RFC 1413</span></td></tr></table></div><p>
+ </p><p>
+ Some ident servers have a nonstandard option that causes the returned
+ user name to be encrypted, using a key that only the originating
+ machine's administrator knows. This option <span class="emphasis"><em>must not</em></span> be
+ used when using the ident server with <span class="productname">PostgreSQL</span>,
+ since <span class="productname">PostgreSQL</span> does not have any way to decrypt the
+ returned string to determine the actual user name.
+ </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sspi-auth.html" title="21.7. SSPI Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-peer.html" title="21.9. Peer Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.7. SSPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.9. Peer Authentication</td></tr></table></div></body></html> \ No newline at end of file
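Review bot: This new file is build output, not source: the head carries `<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" />` and the path is doc/src/sgml/html/, so any wording change to the ident section should be made in the SGML source and regenerated rather than reviewed or edited here. If the generated HTML has to be tracked, note that the file ends without a trailing newline and that the stylesheet leaves artifacts worth fixing at the generator level: two empty `<p>` elements (after the `map` variable list and after the RFC 1413 block quote) and a `style="width: 100%; cellspacing: 0; cellpadding: 0;"` attribute on the blockquote table, where `cellspacing` and `cellpadding` are not CSS properties. On content, the paragraph that limits ident to "closed networks where each client machine is under tight control" would be easier to act on if it pointed readers to where the client address range is restricted, since the section itself only documents the `map` option.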