doc/src/sgml/html/preventing-server-spoofing.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>19.7. Preventing Server Spoofing</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="upgrading.html" title="19.6. Upgrading a PostgreSQL Cluster" /><link rel="next" href="encryption-options.html" title="19.8. Encryption Options" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">19.7. Preventing Server Spoofing</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="upgrading.html" title="19.6. Upgrading a PostgreSQL Cluster">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime.html" title="Chapter 19. Server Setup and Operation">Up</a></td><th width="60%" align="center">Chapter 19. Server Setup and Operation</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="encryption-options.html" title="19.8. Encryption Options">Next</a></td></tr></table><hr /></div><div class="sect1" id="PREVENTING-SERVER-SPOOFING"><div class="titlepage"><div><div><h2 class="title" style="clear: both">19.7. Preventing Server Spoofing <a href="#PREVENTING-SERVER-SPOOFING" class="id_link">#</a></h2></div></div></div><a id="id-1.6.6.10.2" class="indexterm"></a><p>
   While the server is running, it is not possible for a malicious user
   to take the place of the normal database server.  However, when the
   server is down, it is possible for a local user to spoof the normal
   server by starting their own server.  The spoof server could read
   passwords and queries sent by clients, but could not return any data
   because the <code class="varname">PGDATA</code> directory would still be secure because
   of directory permissions. Spoofing is possible because any user can
   start a database server; a client cannot identify an invalid server
   unless it is specially configured.
  </p><p>
   One way to prevent spoofing of <code class="literal">local</code>
   connections is to use a Unix domain socket directory (<a class="xref" href="runtime-config-connection.html#GUC-UNIX-SOCKET-DIRECTORIES">unix_socket_directories</a>) that has write permission only
   for a trusted local user.  This prevents a malicious user from creating
   their own socket file in that directory.  If you are concerned that
   some applications might still reference <code class="filename">/tmp</code> for the
   socket file and hence be vulnerable to spoofing, during operating system
   startup create a symbolic link <code class="filename">/tmp/.s.PGSQL.5432</code> that points
   to the relocated socket file.  You also might need to modify your
   <code class="filename">/tmp</code> cleanup script to prevent removal of the symbolic link.
  </p><p>
   Another option for <code class="literal">local</code> connections is for clients to use
   <a class="link" href="libpq-connect.html#LIBPQ-CONNECT-REQUIREPEER"><code class="literal">requirepeer</code></a>
   to specify the required owner of the server process connected to
   the socket.
  </p><p>
   To prevent spoofing on TCP connections, either use
   SSL certificates and make sure that clients check the server's certificate,
   or use GSSAPI encryption (or both, if they're on separate connections).
  </p><p>
   To prevent spoofing with SSL, the server
   must be configured to accept only <code class="literal">hostssl</code> connections (<a class="xref" href="auth-pg-hba-conf.html" title="21.1. The pg_hba.conf File">Section 21.1</a>) and have SSL key and certificate files
   (<a class="xref" href="ssl-tcp.html" title="19.9. Secure TCP/IP Connections with SSL">Section 19.9</a>). The TCP client must connect using
   <code class="literal">sslmode=verify-ca</code> or
   <code class="literal">verify-full</code> and have the appropriate root certificate
   file installed (<a class="xref" href="libpq-ssl.html#LIBQ-SSL-CERTIFICATES" title="34.19.1. Client Verification of Server Certificates">Section 34.19.1</a>). Alternatively the
   system CA pool can be used using <code class="literal">sslrootcert=system</code>; in
   this case, <code class="literal">sslmode=verify-full</code> is forced for safety, since
   it is generally trivial to obtain certificates which are signed by a public
   CA.
  </p><p>
   To prevent server spoofing from occurring when using
   <a class="link" href="auth-password.html" title="21.5. Password Authentication">scram-sha-256</a> password authentication
   over a network, you should ensure that you connect to the server using SSL
   and with one of the anti-spoofing methods described in the previous
   paragraph. Additionally, the SCRAM implementation in
   <span class="application">libpq</span> cannot protect the entire authentication
   exchange, but using the <code class="literal">channel_binding=require</code> connection
   parameter provides a mitigation against server spoofing. An attacker that
   uses a rogue server to intercept a SCRAM exchange can use offline analysis to
   potentially determine the hashed password from the client.
  </p><p>
    To prevent spoofing with GSSAPI, the server must be configured to accept
    only <code class="literal">hostgssenc</code> connections
    (<a class="xref" href="auth-pg-hba-conf.html" title="21.1. The pg_hba.conf File">Section 21.1</a>) and use <code class="literal">gss</code>
    authentication with them.  The TCP client must connect
    using <code class="literal">gssencmode=require</code>.
  </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading.html" title="19.6. Upgrading a PostgreSQL Cluster">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime.html" title="Chapter 19. Server Setup and Operation">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="encryption-options.html" title="19.8. Encryption Options">Next</a></td></tr><tr><td width="40%" align="left" valign="top">19.6. Upgrading a <span class="productname">PostgreSQL</span> Cluster </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 16.2 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 19.8. Encryption Options</td></tr></table></div></body></html>