1 <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.126 2010/01/15 09:18:56 heikki Exp $ -->
3 <chapter id="client-authentication">
4 <title>Client Authentication</title>
6 <indexterm zone="client-authentication">
7 <primary>client authentication</primary>
11 When a client application connects to the database server, it
12 specifies which <productname>PostgreSQL</productname> database user name it
13 wants to connect as, much the same way one logs into a Unix computer
14 as a particular user. Within the SQL environment the active database
15 user name determines access privileges to database objects — see
16 <xref linkend="user-manag"> for more information. Therefore, it is
17 essential to restrict which database users can connect.
22 As explained in <xref linkend="user-manag">,
23 <productname>PostgreSQL</productname> actually does privilege
24 management in terms of <quote>roles</>. In this chapter, we
25 consistently use <firstterm>database user</> to mean <quote>role with the
26 <literal>LOGIN</> privilege</quote>.
31 <firstterm>Authentication</firstterm> is the process by which the
32 database server establishes the identity of the client, and by
33 extension determines whether the client application (or the user
34 who runs the client application) is permitted to connect with the
35 database user name that was requested.
39 <productname>PostgreSQL</productname> offers a number of different
40 client authentication methods. The method used to authenticate a
41 particular client connection can be selected on the basis of
42 (client) host address, database, and user.
46 <productname>PostgreSQL</productname> database user names are logically
47 separate from user names of the operating system in which the server
48 runs. If all the users of a particular server also have accounts on
49 the server's machine, it makes sense to assign database user names
50 that match their operating system user names. However, a server that
51 accepts remote connections might have many database users who have no local operating system
52 account, and in such cases there need be no connection between
53 database user names and OS user names.
56 <sect1 id="auth-pg-hba-conf">
57 <title>The <filename>pg_hba.conf</filename> file</title>
59 <indexterm zone="auth-pg-hba-conf">
60 <primary>pg_hba.conf</primary>
64 Client authentication is controlled by a configuration file,
65 which traditionally is named
66 <filename>pg_hba.conf</filename> and is stored in the database
67 cluster's data directory.
68 (<acronym>HBA</> stands for host-based authentication.) A default
69 <filename>pg_hba.conf</filename> file is installed when the data
70 directory is initialized by <command>initdb</command>. It is
71 possible to place the authentication configuration file elsewhere,
72 however; see the <xref linkend="guc-hba-file"> configuration parameter.
76 The general format of the <filename>pg_hba.conf</filename> file is
77 a set of records, one per line. Blank lines are ignored, as is any
78 text after the <literal>#</literal> comment character. A record is made
79 up of a number of fields which are separated by spaces and/or tabs.
80 Fields can contain white space if the field value is quoted. Records
81 cannot be continued across lines.
85 Each record specifies a connection type, a client IP address range
86 (if relevant for the connection type), a database name, a user name,
87 and the authentication method to be used for connections matching
88 these parameters. The first record with a matching connection type,
89 client address, requested database, and user name is used to perform
90 authentication. There is no <quote>fall-through</> or
91 <quote>backup</>: if one record is chosen and the authentication
92 fails, subsequent records are not considered. If no record matches,
97 A record can have one of the seven formats
99 local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
100 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
101 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
102 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
103 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
104 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
105 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
107 The meaning of the fields is as follows:
111 <term><literal>local</literal></term>
114 This record matches connection attempts using Unix-domain
115 sockets. Without a record of this type, Unix-domain socket
116 connections are disallowed.
122 <term><literal>host</literal></term>
125 This record matches connection attempts made using TCP/IP.
126 <literal>host</literal> records match either
127 <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
132 Remote TCP/IP connections will not be possible unless
133 the server is started with an appropriate value for the
134 <xref linkend="guc-listen-addresses"> configuration parameter,
135 since the default behavior is to listen for TCP/IP connections
136 only on the local loopback address <literal>localhost</>.
143 <term><literal>hostssl</literal></term>
146 This record matches connection attempts made using TCP/IP,
147 but only when the connection is made with <acronym>SSL</acronym>
152 To make use of this option the server must be built with
153 <acronym>SSL</acronym> support. Furthermore,
154 <acronym>SSL</acronym> must be enabled at server start time
155 by setting the <xref linkend="guc-ssl"> configuration parameter (see
156 <xref linkend="ssl-tcp"> for more information).
162 <term><literal>hostnossl</literal></term>
165 This record type has the opposite logic to <literal>hostssl</>:
166 it only matches connection attempts made over
167 TCP/IP that do not use <acronym>SSL</acronym>.
173 <term><replaceable>database</replaceable></term>
176 Specifies which database name(s) this record matches. The value
177 <literal>all</literal> specifies that it matches all databases.
178 The value <literal>sameuser</> specifies that the record
179 matches if the requested database has the same name as the
180 requested user. The value <literal>samerole</> specifies that
181 the requested user must be a member of the role with the same
182 name as the requested database. (<literal>samegroup</> is an
183 obsolete but still accepted spelling of <literal>samerole</>.)
184 The value <literal>replication</> specifies that the record
185 matches if streaming replication is requested.
186 Otherwise, this is the name of
187 a specific <productname>PostgreSQL</productname> database.
188 Multiple database names can be supplied by separating them with
189 commas. A separate file containing database names can be specified by
190 preceding the file name with <literal>@</>.
196 <term><replaceable>user</replaceable></term>
199 Specifies which database user name(s) this record
200 matches. The value <literal>all</literal> specifies that it
201 matches all users. Otherwise, this is either the name of a specific
202 database user, or a group name preceded by <literal>+</>.
203 (Recall that there is no real distinction between users and groups
204 in <productname>PostgreSQL</>; a <literal>+</> mark really means
205 <quote>match any of the roles that are directly or indirectly members
206 of this role</>, while a name without a <literal>+</> mark matches
207 only that specific role.)
208 Multiple user names can be supplied by separating them with commas.
209 A separate file containing user names can be specified by preceding the
210 file name with <literal>@</>.
216 <term><replaceable>CIDR-address</replaceable></term>
219 Specifies the client machine IP address range that this record
220 matches. This field contains an IP address in standard dotted decimal
221 notation and a CIDR mask length. (IP addresses can only be
222 specified numerically, not as domain or host names.) The mask
223 length indicates the number of high-order bits of the client
224 IP address that must match. Bits to the right of this must
225 be zero in the given IP address.
226 There must not be any white space between the IP address, the
227 <literal>/</literal>, and the CIDR mask length.
231 Instead of a <replaceable>CIDR-address</replaceable>, you can write
232 <literal>samehost</literal> to match any of the server's own IP
233 addresses, or <literal>samenet</literal> to match any address in any
234 subnet that the server is directly connected to.
238 Typical examples of a <replaceable>CIDR-address</replaceable> are
239 <literal>172.20.143.89/32</literal> for a single host, or
240 <literal>172.20.143.0/24</literal> for a small network, or
241 <literal>10.6.0.0/16</literal> for a larger one.
242 To specify a single host, use a CIDR mask of 32 for IPv4 or
243 128 for IPv6. In a network address, do not omit trailing zeroes.
247 An IP address given in IPv4 format will match IPv6 connections that
248 have the corresponding address, for example <literal>127.0.0.1</>
249 will match the IPv6 address <literal>::ffff:127.0.0.1</>. An entry
250 given in IPv6 format will match only IPv6 connections, even if the
251 represented address is in the IPv4-in-IPv6 range. Note that entries
252 in IPv6 format will be rejected if the system's C library does not have
253 support for IPv6 addresses.
257 This field only applies to <literal>host</literal>,
258 <literal>hostssl</literal>, and <literal>hostnossl</> records.
264 <term><replaceable>IP-address</replaceable></term>
265 <term><replaceable>IP-mask</replaceable></term>
268 These fields can be used as an alternative to the
269 <replaceable>CIDR-address</replaceable> notation. Instead of
270 specifying the mask length, the actual mask is specified in a
271 separate column. For example, <literal>255.0.0.0</> represents an IPv4
272 CIDR mask length of 8, and <literal>255.255.255.255</> represents a
273 CIDR mask length of 32.
277 These fields only apply to <literal>host</literal>,
278 <literal>hostssl</literal>, and <literal>hostnossl</> records.
284 <term><replaceable>auth-method</replaceable></term>
287 Specifies the authentication method to use when a connection matches
288 this record. The possible choices are summarized here; details
289 are in <xref linkend="auth-methods">.
293 <term><literal>trust</></term>
296 Allow the connection unconditionally. This method
297 allows anyone that can connect to the
298 <productname>PostgreSQL</productname> database server to login as
299 any <productname>PostgreSQL</productname> user they like,
300 without the need for a password. See <xref
301 linkend="auth-trust"> for details.
307 <term><literal>reject</></term>
310 Reject the connection unconditionally. This is useful for
311 <quote>filtering out</> certain hosts from a group.
317 <term><literal>md5</></term>
320 Require the client to supply an MD5-encrypted password for
322 See <xref linkend="auth-password"> for details.
328 <term><literal>password</></term>
331 Require the client to supply an unencrypted password for
333 Since the password is sent in clear text over the
334 network, this should not be used on untrusted networks.
335 See <xref linkend="auth-password"> for details.
341 <term><literal>gss</></term>
344 Use GSSAPI to authenticate the user. This is only
345 available for TCP/IP connections. See <xref
346 linkend="gssapi-auth"> for details.
352 <term><literal>sspi</></term>
355 Use SSPI to authenticate the user. This is only
356 available on Windows. See <xref
357 linkend="sspi-auth"> for details.
363 <term><literal>krb5</></term>
366 Use Kerberos V5 to authenticate the user. This is only
367 available for TCP/IP connections. See <xref
368 linkend="kerberos-auth"> for details.
374 <term><literal>ident</></term>
377 Obtain the operating system user name of the client (for
378 TCP/IP connections by contacting the ident server on the
379 client, for local connections by getting it from the
380 operating system) and check if it matches the requested
382 See <xref linkend="auth-ident"> for details.
388 <term><literal>ldap</></term>
391 Authenticate using an LDAP server. See <xref
392 linkend="auth-ldap"> for details.
398 <term><literal>cert</></term>
401 Authenticate using SSL client certificates. See
402 <xref linkend="auth-cert"> for details.
408 <term><literal>pam</></term>
411 Authenticate using the Pluggable Authentication Modules
412 (PAM) service provided by the operating system. See <xref
413 linkend="auth-pam"> for details.
424 <term><replaceable>auth-options</replaceable></term>
427 After the <replaceable>auth-method</> field, there can be field(s) of
428 the form <replaceable>name</><literal>=</><replaceable>value</> that
429 specify options for the authentication method. Details about which
430 options are available for which authentication method appear below.
438 Files included by <literal>@</> constructs are read as lists of names,
439 which can be separated by either whitespace or commas. Comments are
440 introduced by <literal>#</literal>, just as in
441 <filename>pg_hba.conf</filename>, and nested <literal>@</> constructs are
442 allowed. Unless the file name following <literal>@</> is an absolute
443 path, it is taken to be relative to the directory containing the
448 Since the <filename>pg_hba.conf</filename> records are examined
449 sequentially for each connection attempt, the order of the records is
450 significant. Typically, earlier records will have tight connection
451 match parameters and weaker authentication methods, while later
452 records will have looser match parameters and stronger authentication
453 methods. For example, one might wish to use <literal>trust</>
454 authentication for local TCP/IP connections but require a password for
455 remote TCP/IP connections. In this case a record specifying
456 <literal>trust</> authentication for connections from 127.0.0.1 would
457 appear before a record specifying password authentication for a wider
458 range of allowed client IP addresses.
462 The <filename>pg_hba.conf</filename> file is read on start-up and when
463 the main server process receives a
464 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
465 signal. If you edit the file on an
466 active system, you will need to signal the server
467 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
473 To connect to a particular database, a user must not only pass the
474 <filename>pg_hba.conf</filename> checks, but must have the
475 <literal>CONNECT</> privilege for the database. If you wish to
476 restrict which users can connect to which databases, it's usually
477 easier to control this by granting/revoking <literal>CONNECT</> privilege
478 than to put the rules into <filename>pg_hba.conf</filename> entries.
483 Some examples of <filename>pg_hba.conf</filename> entries are shown in
484 <xref linkend="example-pg-hba.conf">. See the next section for details on the
485 different authentication methods.
488 <example id="example-pg-hba.conf">
489 <title>Example <filename>pg_hba.conf</filename> entries</title>
491 # Allow any user on the local system to connect to any database under
492 # any database user name using Unix-domain sockets (the default for local
495 # TYPE DATABASE USER CIDR-ADDRESS METHOD
498 # The same using local loopback TCP/IP connections.
500 # TYPE DATABASE USER CIDR-ADDRESS METHOD
501 host all all 127.0.0.1/32 trust
503 # The same as the previous line, but using a separate netmask column
505 # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
506 host all all 127.0.0.1 255.255.255.255 trust
508 # Allow any user from any host with IP address 192.168.93.x to connect
509 # to database "postgres" as the same user name that ident reports for
510 # the connection (typically the Unix user name).
512 # TYPE DATABASE USER CIDR-ADDRESS METHOD
513 host postgres all 192.168.93.0/24 ident
515 # Allow any user from host 192.168.12.10 to connect to database
516 # "postgres" if the user's password is correctly supplied.
518 # TYPE DATABASE USER CIDR-ADDRESS METHOD
519 host postgres all 192.168.12.10/32 md5
521 # In the absence of preceding "host" lines, these two lines will
522 # reject all connections from 192.168.54.1 (since that entry will be
523 # matched first), but allow Kerberos 5 connections from anywhere else
524 # on the Internet. The zero mask means that no bits of the host IP
525 # address are considered so it matches any host.
527 # TYPE DATABASE USER CIDR-ADDRESS METHOD
528 host all all 192.168.54.1/32 reject
529 host all all 0.0.0.0/0 krb5
531 # Allow users from 192.168.x.x hosts to connect to any database, if
532 # they pass the ident check. If, for example, ident says the user is
533 # "bryanh" and he requests to connect as PostgreSQL user "guest1", the
534 # connection is allowed if there is an entry in pg_ident.conf for map
535 # "omicron" that says "bryanh" is allowed to connect as "guest1".
537 # TYPE DATABASE USER CIDR-ADDRESS METHOD
538 host all all 192.168.0.0/16 ident map=omicron
540 # If these are the only three lines for local connections, they will
541 # allow local users to connect only to their own databases (databases
542 # with the same name as their database user name) except for administrators
543 # and members of role "support", who can connect to all databases. The file
544 # $PGDATA/admins contains a list of names of administrators. Passwords
545 # are required in all cases.
547 # TYPE DATABASE USER CIDR-ADDRESS METHOD
548 local sameuser all md5
549 local all @admins md5
550 local all +support md5
552 # The last two lines above can be combined into a single line:
553 local all @admins,+support md5
555 # The database column can also use lists and file names:
556 local db1,db2,@demodbs all md5
561 <sect1 id="auth-username-maps">
562 <title>Username maps</title>
564 <indexterm zone="auth-username-maps">
565 <primary>Username maps</primary>
569 When using an external authentication system like Ident or GSSAPI,
570 the name of the operating system user that initiated the connection
571 might not be the same as the database user he needs to connect as.
572 In this case, a user name map can be applied to map the operating system
573 username to a database user. To use username mapping, specify
574 <literal>map</literal>=<replaceable>map-name</replaceable>
575 in the options field in <filename>pg_hba.conf</filename>. This option is
576 supported for all authentication methods that receive external usernames.
577 Since different mappings might be needed for different connections,
578 the name of the map to be used is specified in the
579 <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
580 to indicate which map to use for each individual connection.
584 Username maps are defined in the ident map file, which by default is named
585 <filename>pg_ident.conf</><indexterm><primary>pg_ident.conf</primary></indexterm>
587 cluster's data directory. (It is possible to place the map file
588 elsewhere, however; see the <xref linkend="guc-ident-file">
589 configuration parameter.)
590 The ident map file contains lines of the general form:
592 <replaceable>map-name</> <replaceable>system-username</> <replaceable>database-username</>
594 Comments and whitespace are handled in the same way as in
595 <filename>pg_hba.conf</>. The
596 <replaceable>map-name</> is an arbitrary name that will be used to
597 refer to this mapping in <filename>pg_hba.conf</filename>. The other
598 two fields specify an operating system user name and a matching
599 database user name. The same <replaceable>map-name</> can be
600 used repeatedly to specify multiple user-mappings within a single map.
603 There is no restriction regarding how many database users a given
604 operating system user can correspond to, nor vice versa. Thus, entries
605 in a map should be thought of as meaning <quote>this operating system
606 user is allowed to connect as this database user</quote>, rather than
607 implying that they are equivalent. The connection will be allowed if
608 there is any map entry that matches the user name obtained from the
609 external authentication system to the database user name that the
610 user has requested to connect as.
613 If the <replaceable>system-username</> field starts with a slash (<literal>/</>),
614 the remainder of the field is treated as a regular expression.
615 (See <xref linkend="posix-syntax-details"> for details of
616 <productname>PostgreSQL</>'s regular expression syntax.
617 Regular expressions in username maps are always treated as being
618 <quote>advanced</> flavor.) The regular
619 expression can include a single capture, or parenthesized subexpression,
620 which can then be referenced in the <replaceable>database-username</>
621 field as <literal>\1</> (backslash-one). This allows the mapping of
622 multiple usernames in a single line, which is particularly useful for
623 simple syntax substitutions. For example, these entries
625 mymap /^(.*)@mydomain\.com$ \1
626 mymap /^(.*)@otherdomain\.com$ guest
628 will remove the domain part for users with system usernames that end with
629 <literal>@mydomain.com</>, and allow any user whose system name ends with
630 <literal>@otherdomain.com</> to log in as <literal>guest</>.
635 Keep in mind that by default, a regular expression can match just part of
636 a string. It's usually wise to use <literal>^</> and <literal>$</>, as
637 shown in the above example, to force the match to be to the entire
643 The <filename>pg_ident.conf</filename> file is read on start-up and
644 when the main server process receives a
645 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
646 signal. If you edit the file on an
647 active system, you will need to signal the server
648 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
653 A <filename>pg_ident.conf</filename> file that could be used in
654 conjunction with the <filename>pg_hba.conf</> file in <xref
655 linkend="example-pg-hba.conf"> is shown in <xref
656 linkend="example-pg-ident.conf">. In this example setup, anyone
657 logged in to a machine on the 192.168 network that does not have the
658 Unix user name <literal>bryanh</>, <literal>ann</>, or
659 <literal>robert</> would not be granted access. Unix user
660 <literal>robert</> would only be allowed access when he tries to
661 connect as <productname>PostgreSQL</> user <literal>bob</>, not
662 as <literal>robert</> or anyone else. <literal>ann</> would
663 only be allowed to connect as <literal>ann</>. User
664 <literal>bryanh</> would be allowed to connect as either
665 <literal>bryanh</> himself or as <literal>guest1</>.
668 <example id="example-pg-ident.conf">
669 <title>An example <filename>pg_ident.conf</> file</title>
671 # MAPNAME SYSTEM-USERNAME PG-USERNAME
673 omicron bryanh bryanh
675 # bob has user name robert on these machines
677 # bryanh can also connect as guest1
678 omicron bryanh guest1
683 <sect1 id="auth-methods">
684 <title>Authentication methods</title>
686 The following subsections describe the authentication methods in more detail.
689 <sect2 id="auth-trust">
690 <title>Trust authentication</title>
693 When <literal>trust</> authentication is specified,
694 <productname>PostgreSQL</productname> assumes that anyone who can
695 connect to the server is authorized to access the database with
696 whatever database user name they specify (even superuser names).
697 Of course, restrictions made in the <literal>database</> and
698 <literal>user</> columns still apply.
699 This method should only be used when there is adequate
700 operating-system-level protection on connections to the server.
704 <literal>trust</> authentication is appropriate and very
705 convenient for local connections on a single-user workstation. It
706 is usually <emphasis>not</> appropriate by itself on a multiuser
707 machine. However, you might be able to use <literal>trust</> even
708 on a multiuser machine, if you restrict access to the server's
709 Unix-domain socket file using file-system permissions. To do this, set the
710 <varname>unix_socket_permissions</varname> (and possibly
711 <varname>unix_socket_group</varname>) configuration parameters as
712 described in <xref linkend="runtime-config-connection">. Or you
713 could set the <varname>unix_socket_directory</varname>
714 configuration parameter to place the socket file in a suitably
715 restricted directory.
719 Setting file-system permissions only helps for Unix-socket connections.
720 Local TCP/IP connections are not restricted by file-system permissions.
721 Therefore, if you want to use file-system permissions for local security,
722 remove the <literal>host ... 127.0.0.1 ...</> line from
723 <filename>pg_hba.conf</>, or change it to a
724 non-<literal>trust</> authentication method.
728 <literal>trust</> authentication is only suitable for TCP/IP connections
729 if you trust every user on every machine that is allowed to connect
730 to the server by the <filename>pg_hba.conf</> lines that specify
731 <literal>trust</>. It is seldom reasonable to use <literal>trust</>
732 for any TCP/IP connections other than those from <systemitem>localhost</> (127.0.0.1).
737 <sect2 id="auth-password">
738 <title>Password authentication</title>
744 <primary>password</primary>
745 <secondary>authentication</secondary>
749 The password-based authentication methods are <literal>md5</>
750 and <literal>password</>. These methods operate
751 similarly except for the way that the password is sent across the
752 connection: respectively, MD5-hashed and clear-text.
756 If you are at all concerned about password
757 <quote>sniffing</> attacks then <literal>md5</> is preferred.
758 Plain <literal>password</> should always be avoided if possible.
759 However, <literal>md5</> cannot be used with the <xref
760 linkend="guc-db-user-namespace"> feature. If the connection is
761 protected by SSL encryption then <literal>password</> can be used
762 safely (though SSL certificate authentication might be a better
763 choice if one is depending on using SSL).
767 <productname>PostgreSQL</productname> database passwords are
768 separate from operating system user passwords. The password for
769 each database user is stored in the <literal>pg_authid</> system
770 catalog. Passwords can be managed with the SQL commands
771 <xref linkend="sql-createuser" endterm="sql-createuser-title"> and
772 <xref linkend="sql-alteruser" endterm="sql-alteruser-title">,
773 e.g., <userinput>CREATE USER foo WITH PASSWORD 'secret';</userinput>.
774 By default, that is, if no password has been set up, the stored password
775 is null and password authentication will always fail for that user.
780 <sect2 id="gssapi-auth">
781 <title>GSSAPI authentication</title>
783 <indexterm zone="gssapi-auth">
784 <primary>GSSAPI</primary>
788 <productname>GSSAPI</productname> is an industry-standard protocol
789 for secure authentication defined in RFC 2743.
790 <productname>PostgreSQL</productname> supports
791 <productname>GSSAPI</productname> with <productname>Kerberos</productname>
792 authentication according to RFC 1964. <productname>GSSAPI</productname>
793 provides automatic authentication (single sign-on) for systems
794 that support it. The authentication itself is secure, but the
795 data sent over the database connection will be in clear unless
796 <acronym>SSL</acronym> is used.
800 When <productname>GSSAPI</productname> uses
801 <productname>Kerberos</productname>, it uses a standard principal
803 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>. For information about the parts of the principal, and
804 how to set up the required keys, see <xref linkend="kerberos-auth">.
805 GSSAPI support has to be enabled when <productname>PostgreSQL</> is built;
806 see <xref linkend="installation"> for more information.
810 The following configuration options are supported for <productname>GSSAPI</productname>:
813 <term><literal>map</literal></term>
816 Allows for mapping between system and database usernames. See
817 <xref linkend="auth-username-maps"> for details.
823 <term><literal>include_realm</literal></term>
826 If set to <literal>1</>, the realm name from the authenticated user
827 principal is included in the system user name that's passed through
828 username mapping (<xref linkend="auth-username-maps">). This is
829 useful for handling users from multiple realms.
835 <term><literal>krb_realm</literal></term>
838 Sets the realm to match user principal names against. If this parameter
839 is set, only users of that realm will be accepted. If it is not set,
840 users of any realm can connect, subject to whatever username mapping
849 <sect2 id="sspi-auth">
850 <title>SSPI authentication</title>
852 <indexterm zone="sspi-auth">
853 <primary>SSPI</primary>
857 <productname>SSPI</productname> is a <productname>Windows</productname>
858 technology for secure authentication with single sign-on.
859 <productname>PostgreSQL</productname> will use SSPI in
860 <literal>negotiate</literal> mode, which will use
861 <productname>Kerberos</productname> when possible and automatically
862 fall back to <productname>NTLM</productname> in other cases.
863 <productname>SSPI</productname> authentication only works when both
864 server and client are running <productname>Windows</productname>.
868 When using <productname>Kerberos</productname> authentication,
869 <productname>SSPI</productname> works the same way
870 <productname>GSSAPI</productname> does. See <xref linkend="gssapi-auth">
875 The following configuration options are supported for <productname>SSPI</productname>:
878 <term><literal>map</literal></term>
881 Allows for mapping between system and database usernames. See
882 <xref linkend="auth-username-maps"> for details.
888 <term><literal>include_realm</literal></term>
891 If set to <literal>1</>, the realm name from the authenticated user
892 principal is included in the system user name that's passed through
893 username mapping (<xref linkend="auth-username-maps">). This is
894 useful for handling users from multiple realms.
900 <term><literal>krb_realm</literal></term>
903 Sets the realm to match user principal names against. If this parameter
904 is set, only users of that realm will be accepted. If it is not set,
905 users of any realm can connect, subject to whatever username mapping
914 <sect2 id="kerberos-auth">
915 <title>Kerberos authentication</title>
917 <indexterm zone="kerberos-auth">
918 <primary>Kerberos</primary>
923 Native Kerberos authentication has been deprecated and should be used
924 only for backward compatibility. New and upgraded installations are
925 encouraged to use the industry-standard <productname>GSSAPI</productname>
926 authentication (see <xref linkend="gssapi-auth">) instead.
931 <productname>Kerberos</productname> is an industry-standard secure
932 authentication system suitable for distributed computing over a public
933 network. A description of the <productname>Kerberos</productname> system
934 is far beyond the scope of this document; in full generality it can be
935 quite complex (yet powerful). The
936 <ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
937 Kerberos <acronym>FAQ</></ulink> or
938 <ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
939 can be good starting points for exploration.
940 Several sources for <productname>Kerberos</> distributions exist.
941 <productname>Kerberos</productname> provides secure authentication but
942 does not encrypt queries or data passed over the network; for that
943 use <acronym>SSL</acronym>.
947 <productname>PostgreSQL</> supports Kerberos version 5. Kerberos
948 support has to be enabled when <productname>PostgreSQL</> is built;
949 see <xref linkend="installation"> for more information.
953 <productname>PostgreSQL</> operates like a normal Kerberos service.
954 The name of the service principal is
955 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
959 <replaceable>servicename</> can be set on the server side using the
960 <xref linkend="guc-krb-srvname"> configuration parameter, and on the
961 client side using the <literal>krbsrvname</> connection parameter. (See
962 also <xref linkend="libpq-connect">.) The installation default can be
963 changed from the default <literal>postgres</literal> at build time using
964 <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
965 In most environments,
966 this parameter never needs to be changed. However, to support multiple
967 <productname>PostgreSQL</> installations on the same host it is necessary.
968 Some Kerberos implementations might also require a different service name,
969 such as Microsoft Active Directory which requires the service name
970 to be in uppercase (<literal>POSTGRES</literal>).
974 <replaceable>hostname</> is the fully qualified host name of the
975 server machine. The service principal's realm is the preferred realm
976 of the server machine.
980 Client principals must have their <productname>PostgreSQL</> database user
981 name as their first component, for example
982 <literal>pgusername@realm</>. Alternatively, you can use a username
983 mapping to map from the first component of the principal name to the
984 database user name. By default, the realm of the client is
985 not checked by <productname>PostgreSQL</>. If you have cross-realm
986 authentication enabled and need to verify the realm, use the
987 <literal>krb_realm</> parameter, or enable <literal>include_realm</>
988 and use username mapping to check the realm.
992 Make sure that your server keytab file is readable (and preferably
993 only readable) by the <productname>PostgreSQL</productname> server
994 account. (See also <xref linkend="postgres-user">.) The location
995 of the key file is specified by the <xref
996 linkend="guc-krb-server-keyfile"> configuration
997 parameter. The default is
998 <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
999 directory was specified as <varname>sysconfdir</> at build time).
1003 The keytab file is generated by the Kerberos software; see the
1004 Kerberos documentation for details. The following example is
1005 for MIT-compatible Kerberos 5 implementations:
1007 <prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
1008 <prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
1013 When connecting to the database make sure you have a ticket for a
1014 principal matching the requested database user name. For example, for
1015 database user name <literal>fred</>, both principal
1016 <literal>fred@EXAMPLE.COM</> and
1017 <literal>fred/users.example.com@EXAMPLE.COM</> could be used to
1018 authenticate to the database server.
1022 If you use <ulink url="http://modauthkerb.sf.net">
1023 <application>mod_auth_kerb</application></ulink>
1024 and <application>mod_perl</application> on your
1025 <productname>Apache</productname> web server, you can use
1026 <literal>AuthType KerberosV5SaveCredentials</literal> with a
1027 <application>mod_perl</application> script. This gives secure
1028 database access over the web, no extra passwords required.
1032 The following configuration options are supported for
1033 <productname>Kerberos</productname>:
1036 <term><literal>map</literal></term>
1039 Allows for mapping between system and database usernames. See
1040 <xref linkend="auth-username-maps"> for details.
1046 <term><literal>include_realm</literal></term>
1049 If set to <literal>1</>, the realm name from the authenticated user
1050 principal is included in the system user name that's passed through
1051 username mapping (<xref linkend="auth-username-maps">). This is
1052 useful for handling users from multiple realms.
1058 <term><literal>krb_realm</literal></term>
1061 Sets the realm to match user principal names against. If this parameter
1062 is set, only users of that realm will be accepted. If it is not set,
1063 users of any realm can connect, subject to whatever username mapping
1070 <term><literal>krb_server_hostname</literal></term>
1073 Sets the host name part of the service principal.
1074 This, combined with <varname>krb_srvname</>, is used to generate
1075 the complete service principal, that is
1076 <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
1077 If not set, the default is the server host name.
1085 <sect2 id="auth-ident">
1086 <title>Ident-based authentication</title>
1089 <primary>ident</primary>
1093 The ident authentication method works by obtaining the client's
1094 operating system user name and using it as the allowed database user
1095 name (with an optional username mapping).
1096 The determination of the client's
1097 user name is the security-critical point, and it works differently
1098 depending on the connection type.
1102 The following configuration options are supported for <productname>ident</productname>:
1105 <term><literal>map</literal></term>
1108 Allows for mapping between system and database usernames. See
1109 <xref linkend="auth-username-maps"> for details.
1117 <title>Ident Authentication over TCP/IP</title>
1120 The <quote>Identification Protocol</quote> is described in
1121 RFC 1413. Virtually every Unix-like
1122 operating system ships with an ident server that listens on TCP
1123 port 113 by default. The basic functionality of an ident server
1124 is to answer questions like <quote>What user initiated the
1125 connection that goes out of your port <replaceable>X</replaceable>
1126 and connects to my port <replaceable>Y</replaceable>?</quote>.
1127 Since <productname>PostgreSQL</> knows both <replaceable>X</> and
1128 <replaceable>Y</> when a physical connection is established, it
1129 can interrogate the ident server on the host of the connecting
1130 client and could theoretically determine the operating system user
1131 for any given connection this way.
1135 The drawback of this procedure is that it depends on the integrity
1136 of the client: if the client machine is untrusted or compromised
1137 an attacker could run just about any program on port 113 and
1138 return any user name he chooses. This authentication method is
1139 therefore only appropriate for closed networks where each client
1140 machine is under tight control and where the database and system
1141 administrators operate in close contact. In other words, you must
1142 trust the machine running the ident server.
1145 <attribution>RFC 1413</attribution>
1147 The Identification Protocol is not intended as an authorization
1148 or access control protocol.
1154 Some ident servers have a nonstandard option that causes the returned
1155 user name to be encrypted, using a key that only the originating
1156 machine's administrator knows. This option <emphasis>must not</> be
1157 used when using the ident server with <productname>PostgreSQL</>,
1158 since <productname>PostgreSQL</> does not have any way to decrypt the
1159 returned string to determine the actual user name.
1164 <title>Ident Authentication over Local Sockets</title>
1167 On systems supporting <symbol>SO_PEERCRED</symbol> requests for
1168 Unix-domain sockets (currently <systemitem
1169 class="osname">Linux</>, <systemitem class="osname">FreeBSD</>,
1170 <systemitem class="osname">NetBSD</>, <systemitem class="osname">OpenBSD</>,
1171 <systemitem class="osname">BSD/OS</>, and <systemitem class="osname">Solaris</systemitem>), ident authentication can also
1172 be applied to local connections. In this case, no security risk is added by
1173 using ident authentication; indeed it is a preferable choice for
1174 local connections on such systems.
1178 On systems without <symbol>SO_PEERCRED</> requests, ident
1179 authentication is only available for TCP/IP connections. As a
1180 work-around, it is possible to specify the <systemitem
1181 class="systemname">localhost</> address <systemitem
1182 class="systemname">127.0.0.1</> and make connections to this
1183 address. This method is trustworthy to the extent that you trust
1184 the local ident server.
1190 <sect2 id="auth-ldap">
1191 <title>LDAP authentication</title>
1193 <indexterm zone="auth-ldap">
1194 <primary>LDAP</primary>
1198 This authentication method operates similarly to
1199 <literal>password</literal> except that it uses LDAP
1200 as the password verification method. LDAP is used only to validate
1201 the user name/password pairs. Therefore the user must already
1202 exist in the database before LDAP can be used for
1207 LDAP authentication can operate in two modes. In the first mode,
1208 the server will bind to the distinguished name constructed as
1209 <replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
1210 Typically, the <replaceable>prefix</> parameter is used to specify
1211 <literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
1212 Directory environment. <replaceable>suffix</> is used to specify the
1213 remaining part of the DN in a non-Active Directory environment.
1217 In the second mode, the server first binds to the LDAP directory with
1218 a fixed username and password, specified with <replaceable>ldapbinduser</>
1219 and <replaceable>ldapbinddn</>, and performs a search for the user trying
1220 to log in to the database. If no user and password is configured, an
1221 anonymous bind will be attempted to the directory. The search will be
1222 performed over the subtree at <replaceable>ldapbasedn</>, and will try to
1223 do an exact match of the attribute specified in
1224 <replaceable>ldapsearchattribute</>. If no attribute is specified, the
1225 <literal>uid</> attribute will be used. Once the user has been found in
1226 this search, the server disconnects and re-binds to the directory as
1227 this user, using the password specified by the client, to verify that the
1228 login is correct. This method allows for significantly more flexibility
1229 in where the user objects are located in the directory, but will cause
1230 two separate connections to the LDAP server to be made.
1234 The following configuration options are supported for LDAP:
1237 <term><literal>ldapserver</literal></term>
1240 Name or IP of LDAP server to connect to.
1245 <term><literal>ldapport</literal></term>
1248 Port number on LDAP server to connect to. If no port is specified,
1249 the default port in the LDAP library will be used.
1254 <term><literal>ldaptls</literal></term>
1257 Set to <literal>1</> to make the connection between PostgreSQL and the
1258 LDAP server use TLS encryption. Note that this only encrypts
1259 the traffic to the LDAP server — the connection to the client
1260 will still be unencrypted unless SSL is used.
1265 <term><literal>ldapprefix</literal></term>
1268 String to prepend to the username when forming the DN to bind as,
1269 when doing simple bind authentication.
1274 <term><literal>ldapsuffix</literal></term>
1277 String to append to the username when forming the DN to bind as,
1278 when doing simple bind authentication.
1283 <term><literal>ldapbasedn</literal></term>
1286 DN to root the search for the user in, when doing search+bind
1292 <term><literal>ldapbinddn</literal></term>
1295 DN of user to bind to the directory with to perform the search when
1296 doing search+bind authentication.
1301 <term><literal>ldapbindpasswd</literal></term>
1304 Password for user to bind to the directory with to perform the search
1305 when doing search+bind authentication.
1310 <term><literal>ldapsearchattribute</literal></term>
1313 Attribute to match against the username in the search when doing
1314 search+bind authentication.
1323 Since LDAP often uses commas and spaces to separate the different
1324 parts of a DN, it is often necessary to use double-quoted parameter
1325 values when configuring LDAP options, for example:
1329 ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
1334 <sect2 id="auth-cert">
1335 <title>Certificate authentication</title>
1337 <indexterm zone="auth-cert">
1338 <primary>Certificate</primary>
1342 This authentication method uses SSL client certificates to perform
1343 authentication. It is therefore only available for SSL connections.
1344 When using this authentication method, the server will require that
1345 the client provide a valid certificate. No password prompt will be sent
1346 to the client. The <literal>cn</literal> attribute of the certificate
1347 will be compared to the requested database username, and if they match
1348 the login will be allowed. Username mapping can be used to allow
1349 <literal>cn</literal> to be different from the database username.
1353 The following configuration options are supported for SSL certificate
1357 <term><literal>map</literal></term>
1360 Allows for mapping between system and database usernames. See
1361 <xref linkend="auth-username-maps"> for details.
1369 <sect2 id="auth-pam">
1370 <title>PAM authentication</title>
1372 <indexterm zone="auth-pam">
1373 <primary>PAM</primary>
1377 This authentication method operates similarly to
1378 <literal>password</literal> except that it uses PAM (Pluggable
1379 Authentication Modules) as the authentication mechanism. The
1380 default PAM service name is <literal>postgresql</literal>.
1381 PAM is used only to validate user name/password pairs.
1382 Therefore the user must already exist in the database before PAM
1383 can be used for authentication. For more information about
1384 PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
1385 <productname>Linux-PAM</> Page</ulink>
1386 and the <ulink url="http://www.sun.com/software/solaris/pam/">
1387 <systemitem class="osname">Solaris</> PAM Page</ulink>.
1391 The following configuration options are supported for PAM:
1394 <term><literal>pamservice</literal></term>
1406 If PAM is set up to read <filename>/etc/shadow</>, authentication
1407 will fail because the PostgreSQL server is started by a non-root
1408 user. However, this is not an issue when PAM is configured to use
1409 LDAP or other authentication methods.
1415 <sect1 id="client-authentication-problems">
1416 <title>Authentication problems</title>
1419 Authentication failures and related problems generally
1420 manifest themselves through error messages like the following:
1425 FATAL: no pg_hba.conf entry for host "123.123.123.123", user "andym", database "testdb"
1427 This is what you are most likely to get if you succeed in contacting
1428 the server, but it does not want to talk to you. As the message
1429 suggests, the server refused the connection request because it found
1430 no matching entry in its <filename>pg_hba.conf</filename>
1436 FATAL: Password authentication failed for user "andym"
1438 Messages like this indicate that you contacted the server, and it is
1439 willing to talk to you, but not until you pass the authorization
1440 method specified in the <filename>pg_hba.conf</filename> file. Check
1441 the password you are providing, or check your Kerberos or ident
1442 software if the complaint mentions one of those authentication
1448 FATAL: user "andym" does not exist
1450 The indicated database user name was not found.
1455 FATAL: database "testdb" does not exist
1457 The database you are trying to connect to does not exist. Note that
1458 if you do not specify a database name, it defaults to the database
1459 user name, which might or might not be the right thing.
1464 The server log might contain more information about an
1465 authentication failure than is reported to the client. If you are
1466 confused about the reason for a failure, check the log.