summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/gssapi-auth.html
blob: 04a76d599be09ae22857d93abc2a46d55d12c173 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.6. GSSAPI Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-password.html" title="21.5. Password Authentication" /><link rel="next" href="sspi-auth.html" title="21.7. SSPI Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.6. GSSAPI Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-password.html" title="21.5. Password Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 16.3 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sspi-auth.html" title="21.7. SSPI Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="GSSAPI-AUTH"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.6. GSSAPI Authentication <a href="#GSSAPI-AUTH" class="id_link">#</a></h2></div></div></div><a id="id-1.6.8.13.2" class="indexterm"></a><p>
    <span class="productname">GSSAPI</span> is an industry-standard protocol
    for secure authentication defined in
    <a class="ulink" href="https://datatracker.ietf.org/doc/html/rfc2743" target="_top">RFC 2743</a>.
    <span class="productname">PostgreSQL</span>
    supports <span class="productname">GSSAPI</span> for authentication,
    communications encryption, or both.
    <span class="productname">GSSAPI</span> provides automatic authentication
    (single sign-on) for systems that support it. The authentication itself is
    secure.  If <span class="productname">GSSAPI</span> encryption
    or <acronym class="acronym">SSL</acronym> encryption is
    used, the data sent along the database connection will be encrypted;
    otherwise, it will not.
   </p><p>
    GSSAPI support has to be enabled when <span class="productname">PostgreSQL</span> is built;
    see <a class="xref" href="installation.html" title="Chapter 17. Installation from Source Code">Chapter 17</a> for more information.
   </p><p>
    When <span class="productname">GSSAPI</span> uses
    <span class="productname">Kerberos</span>, it uses a standard service
    principal (authentication identity) name in the format
    <code class="literal"><em class="replaceable"><code>servicename</code></em>/<em class="replaceable"><code>hostname</code></em>@<em class="replaceable"><code>realm</code></em></code>.
    The principal name used by a particular installation is not encoded in
    the <span class="productname">PostgreSQL</span> server in any way; rather it
    is specified in the <em class="firstterm">keytab</em> file that the server
    reads to determine its identity.  If multiple principals are listed in
    the keytab file, the server will accept any one of them.
    The server's realm name is the preferred realm specified in the Kerberos
    configuration file(s) accessible to the server.
   </p><p>
    When connecting, the client must know the principal name of the server
    it intends to connect to.  The <em class="replaceable"><code>servicename</code></em>
    part of the principal is ordinarily <code class="literal">postgres</code>,
    but another value can be selected via <span class="application">libpq</span>'s
    <a class="xref" href="libpq-connect.html#LIBPQ-CONNECT-KRBSRVNAME">krbsrvname</a> connection parameter.
    The <em class="replaceable"><code>hostname</code></em> part is the fully qualified
    host name that <span class="application">libpq</span> is told to connect to.
    The realm name is the preferred realm specified in the Kerberos
    configuration file(s) accessible to the client.
   </p><p>
    The client will also have a principal name for its own identity
    (and it must have a valid ticket for this principal).  To
    use <span class="productname">GSSAPI</span> for authentication, the client
    principal must be associated with
    a <span class="productname">PostgreSQL</span> database user name.
    The <code class="filename">pg_ident.conf</code> configuration file can be used
    to map principals to user names; for example,
    <code class="literal">pgusername@realm</code> could be mapped to just <code class="literal">pgusername</code>.
    Alternatively, you can use the full <code class="literal">username@realm</code> principal as
    the role name in <span class="productname">PostgreSQL</span> without any mapping.
   </p><p>
    <span class="productname">PostgreSQL</span> also supports mapping
    client principals to user names by just stripping the realm from
    the principal.  This method is supported for backwards compatibility and is
    strongly discouraged as it is then impossible to distinguish different users
    with the same user name but coming from different realms.  To enable this,
    set <code class="literal">include_realm</code> to 0.  For simple single-realm
    installations, doing that combined with setting the
    <code class="literal">krb_realm</code> parameter (which checks that the principal's realm
    matches exactly what is in the <code class="literal">krb_realm</code> parameter)
    is still secure; but this is a
    less capable approach compared to specifying an explicit mapping in
    <code class="filename">pg_ident.conf</code>.
   </p><p>
    The location of the server's keytab file is specified by the <a class="xref" href="runtime-config-connection.html#GUC-KRB-SERVER-KEYFILE">krb_server_keyfile</a> configuration parameter.
    For security reasons, it is recommended to use a separate keytab
    just for the <span class="productname">PostgreSQL</span> server rather
    than allowing the server to read the system keytab file.
    Make sure that your server keytab file is readable (and preferably
    only readable, not writable) by the <span class="productname">PostgreSQL</span>
    server account.  (See also <a class="xref" href="postgres-user.html" title="19.1. The PostgreSQL User Account">Section 19.1</a>.)
   </p><p>
    The keytab file is generated using the Kerberos software; see the
    Kerberos documentation for details. The following example shows
    doing this using the <span class="application">kadmin</span> tool of
    MIT Kerberos:
</p><pre class="screen">
<code class="prompt">kadmin% </code><strong class="userinput"><code>addprinc -randkey postgres/server.my.domain.org</code></strong>
<code class="prompt">kadmin% </code><strong class="userinput"><code>ktadd -k krb5.keytab postgres/server.my.domain.org</code></strong>
</pre><p>
   </p><p>
    The following authentication options are supported for
    the <span class="productname">GSSAPI</span> authentication method:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">include_realm</code></span></dt><dd><p>
        If set to 0, the realm name from the authenticated user principal is
        stripped off before being passed through the user name mapping
        (<a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a>). This is discouraged and is
        primarily available for backwards compatibility, as it is not secure
        in multi-realm environments unless <code class="literal">krb_realm</code> is
        also used.  It is recommended to
        leave <code class="literal">include_realm</code> set to the default (1) and to
        provide an explicit mapping in <code class="filename">pg_ident.conf</code> to convert
        principal names to <span class="productname">PostgreSQL</span> user names.
       </p></dd><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
        Allows mapping from client principals to database user names. See
        <a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a> for details.  For a GSSAPI/Kerberos
        principal, such as <code class="literal">username@EXAMPLE.COM</code> (or, less
        commonly, <code class="literal">username/hostbased@EXAMPLE.COM</code>), the
        user name used for mapping is
        <code class="literal">username@EXAMPLE.COM</code> (or
        <code class="literal">username/hostbased@EXAMPLE.COM</code>, respectively),
        unless <code class="literal">include_realm</code> has been set to 0, in which case
        <code class="literal">username</code> (or <code class="literal">username/hostbased</code>)
        is what is seen as the system user name when mapping.
       </p></dd><dt><span class="term"><code class="literal">krb_realm</code></span></dt><dd><p>
        Sets the realm to match user principal names against. If this parameter
        is set, only users of that realm will be accepted.  If it is not set,
        users of any realm can connect, subject to whatever user name mapping
        is done.
       </p></dd></dl></div><p>
   </p><p>
    In addition to these settings, which can be different for
    different <code class="filename">pg_hba.conf</code> entries, there is the
    server-wide <a class="xref" href="runtime-config-connection.html#GUC-KRB-CASEINS-USERS">krb_caseins_users</a> configuration
    parameter.  If that is set to true, client principals are matched to
    user map entries case-insensitively.  <code class="literal">krb_realm</code>, if
    set, is also matched case-insensitively.
   </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-password.html" title="21.5. Password Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sspi-auth.html" title="21.7. SSPI Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.5. Password Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 16.3 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.7. SSPI Authentication</td></tr></table></div></body></html>