mirror of
				https://github.com/postgres/postgres.git
				synced 2025-10-25 13:17:41 +03:00 
			
		
		
		
	GSSAPI documentation
This commit is contained in:
		| @@ -1,4 +1,4 @@ | |||||||
| <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.98 2007/03/24 21:46:23 momjian Exp $ --> | <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.99 2007/07/18 12:00:47 mha Exp $ --> | ||||||
|  |  | ||||||
| <chapter id="client-authentication"> | <chapter id="client-authentication"> | ||||||
|  <title>Client Authentication</title> |  <title>Client Authentication</title> | ||||||
| @@ -347,6 +347,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable> | |||||||
|         </listitem> |         </listitem> | ||||||
|        </varlistentry> |        </varlistentry> | ||||||
|  |  | ||||||
|  |        <varlistentry> | ||||||
|  |         <term><literal>gss</></term> | ||||||
|  |         <listitem> | ||||||
|  |          <para> | ||||||
|  |           Use GSSAPI to authenticate the user. This is only  | ||||||
|  |           available for TCP/IP connections. See <xref | ||||||
|  |           linkend="gssapi-auth"> for details. | ||||||
|  |          </para> | ||||||
|  |         </listitem> | ||||||
|  |        </varlistentry> | ||||||
|  |  | ||||||
|        <varlistentry> |        <varlistentry> | ||||||
|         <term><literal>krb5</></term> |         <term><literal>krb5</></term> | ||||||
|         <listitem> |         <listitem> | ||||||
| @@ -635,6 +646,37 @@ local   db1,db2,@demodbs  all                         md5 | |||||||
|  |  | ||||||
|   </sect2> |   </sect2> | ||||||
|  |  | ||||||
|  |   <sect2 id="gssapi-auth"> | ||||||
|  |    <title>GSSAPI authentication</title> | ||||||
|  |  | ||||||
|  |    <indexterm zone="gssapi-auth"> | ||||||
|  |     <primary>GSSAPI</primary> | ||||||
|  |    </indexterm> | ||||||
|  |  | ||||||
|  |    <para> | ||||||
|  |     <productname>GSSAPI</productname> is an industry-standard protocol | ||||||
|  |     for secure authentication defined in RFC2743.  | ||||||
|  |     <productname>PostgreSQL</productname> supports | ||||||
|  |     <productname>GSSAPI</productname> with <productname>Kerberos</productname> | ||||||
|  |     authentication according to RFC1964. <productname>GSSAPI</productname> | ||||||
|  |     provides automatic authentication (single sign-on) for systems | ||||||
|  |     that support it. The authentication itself is secure, but the | ||||||
|  |     data sent over the connection will be in clear unless | ||||||
|  |     <acronym>SSL</acronym> is used. | ||||||
|  |    </para> | ||||||
|  |  | ||||||
|  |    <para> | ||||||
|  |     When <productname>GSSAPI</productname> uses | ||||||
|  |     <productname>Kerberos</productname>, it uses a standard principal | ||||||
|  |     in format | ||||||
|  |     <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>. For information about the parts of the principal, and | ||||||
|  |     how to set up the required keys, see <xref linkend="kerberos-auth">. | ||||||
|  |     GSSAPI support has to be enabled when <productname>PostgreSQL</> is built; | ||||||
|  |     see <xref linkend="installation"> for more information. | ||||||
|  |    </para> | ||||||
|  |     | ||||||
|  |   </sect2> | ||||||
|  |  | ||||||
|   <sect2 id="kerberos-auth"> |   <sect2 id="kerberos-auth"> | ||||||
|    <title>Kerberos authentication</title> |    <title>Kerberos authentication</title> | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| <!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.130 2007/06/30 19:12:01 tgl Exp $ --> | <!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.131 2007/07/18 12:00:47 mha Exp $ --> | ||||||
|  |  | ||||||
| <chapter Id="runtime-config"> | <chapter Id="runtime-config"> | ||||||
|   <title>Server Configuration</title> |   <title>Server Configuration</title> | ||||||
| @@ -609,8 +609,8 @@ SET ENABLE_SEQSCAN TO OFF; | |||||||
|       <listitem> |       <listitem> | ||||||
|        <para> |        <para> | ||||||
|         Sets the location of the Kerberos server key file. See |         Sets the location of the Kerberos server key file. See | ||||||
|         <xref linkend="kerberos-auth"> for details. This parameter |         <xref linkend="kerberos-auth"> or <xref linkend="gssapi-auth">  | ||||||
|         can only be set at server start. |         for details. This parameter can only be set at server start. | ||||||
|        </para> |        </para> | ||||||
|       </listitem> |       </listitem> | ||||||
|      </varlistentry> |      </varlistentry> | ||||||
| @@ -652,7 +652,8 @@ SET ENABLE_SEQSCAN TO OFF; | |||||||
|       </indexterm> |       </indexterm> | ||||||
|       <listitem> |       <listitem> | ||||||
|        <para> |        <para> | ||||||
|         Sets whether Kerberos user names should be treated case-insensitively. |         Sets whether Kerberos and GSSAPI user names should be treated | ||||||
|  |         case-insensitively. | ||||||
|         The default is <literal>off</> (case sensitive). This parameter |         The default is <literal>off</> (case sensitive). This parameter | ||||||
|         can only be set at server start. |         can only be set at server start. | ||||||
|        </para> |        </para> | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| <!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.289 2007/04/25 13:01:41 momjian Exp $ --> | <!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.290 2007/07/18 12:00:47 mha Exp $ --> | ||||||
|  |  | ||||||
| <chapter id="installation"> | <chapter id="installation"> | ||||||
|  <title><![%standalone-include[<productname>PostgreSQL</>]]> |  <title><![%standalone-include[<productname>PostgreSQL</>]]> | ||||||
| @@ -801,6 +801,23 @@ su - postgres | |||||||
|        </listitem> |        </listitem> | ||||||
|       </varlistentry> |       </varlistentry> | ||||||
|  |  | ||||||
|  |       <varlistentry> | ||||||
|  |        <term><option>--with-gssapi</option></term> | ||||||
|  |        <listitem> | ||||||
|  |         <para> | ||||||
|  |          Build with support for GSSAPI authentication. On many | ||||||
|  |          systems, the GSSAPI (usually a part of the Kerberos installation) | ||||||
|  |          system is not installed in a location | ||||||
|  |          that is searched by default (e.g., <filename>/usr/include</>, | ||||||
|  |          <filename>/usr/lib</>), so you must use the options | ||||||
|  |          <option>--with-includes</> and <option>--with-libraries</> in | ||||||
|  |          addition to this option.  <filename>configure</> will check | ||||||
|  |          for the required header files and libraries to make sure that | ||||||
|  |          your GSSAPI installation is sufficient before proceeding. | ||||||
|  |         </para> | ||||||
|  |        </listitem> | ||||||
|  |       </varlistentry> | ||||||
|  |  | ||||||
|       <varlistentry> |       <varlistentry> | ||||||
|        <term><option>--with-krb5</option></term> |        <term><option>--with-krb5</option></term> | ||||||
|        <listitem> |        <listitem> | ||||||
| @@ -821,9 +838,12 @@ su - postgres | |||||||
|        <term><option>--with-krb-srvnam=<replaceable>NAME</></option></term> |        <term><option>--with-krb-srvnam=<replaceable>NAME</></option></term> | ||||||
|        <listitem> |        <listitem> | ||||||
|         <para> |         <para> | ||||||
|          The default name of the Kerberos service principal. |          The default name of the Kerberos service principal (also used | ||||||
|  |          by GSSAPI). | ||||||
|          <literal>postgres</literal> is the default. There's usually no |          <literal>postgres</literal> is the default. There's usually no | ||||||
|          reason to change this. |          reason to change this unless you have a Windows environment, | ||||||
|  |          in which case it must be set to uppercase | ||||||
|  |          <literal>POSTGRES</literal>. | ||||||
|         </para> |         </para> | ||||||
|        </listitem> |        </listitem> | ||||||
|       </varlistentry> |       </varlistentry> | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| <!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.237 2007/07/08 18:28:55 tgl Exp $ --> | <!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.238 2007/07/18 12:00:47 mha Exp $ --> | ||||||
|  |  | ||||||
|  <chapter id="libpq"> |  <chapter id="libpq"> | ||||||
|   <title><application>libpq</application> - C Library</title> |   <title><application>libpq</application> - C Library</title> | ||||||
| @@ -131,7 +131,7 @@ PGconn *PQconnectdb(const char *conninfo); | |||||||
|      <para> |      <para> | ||||||
|       Using <literal>hostaddr</> instead of <literal>host</> allows the |       Using <literal>hostaddr</> instead of <literal>host</> allows the | ||||||
|       application to avoid a host name look-up, which might be important in |       application to avoid a host name look-up, which might be important in | ||||||
|       applications with time constraints. However, Kerberos authentication |       applications with time constraints. However, Kerberos and GSSAPI authentication | ||||||
|       requires the host name. The following therefore applies: If |       requires the host name. The following therefore applies: If | ||||||
|       <literal>host</> is specified without <literal>hostaddr</>, a host name |       <literal>host</> is specified without <literal>hostaddr</>, a host name | ||||||
|       lookup occurs. If <literal>hostaddr</> is specified without |       lookup occurs. If <literal>hostaddr</> is specified without | ||||||
| @@ -281,10 +281,11 @@ PGconn *PQconnectdb(const char *conninfo); | |||||||
|      <term><literal>krbsrvname</literal></term> |      <term><literal>krbsrvname</literal></term> | ||||||
|      <listitem> |      <listitem> | ||||||
|       <para> |       <para> | ||||||
|        Kerberos service name to use when authenticating with Kerberos 5. |        Kerberos service name to use when authenticating with Kerberos 5 | ||||||
|  |        or GSSAPI. | ||||||
|        This must match the service name specified in the server |        This must match the service name specified in the server | ||||||
|        configuration for Kerberos authentication to succeed. (See also |        configuration for Kerberos authentication to succeed. (See also | ||||||
|        <xref linkend="kerberos-auth">.) |        <xref linkend="kerberos-auth"> and <xref linkend="gssapi-auth">.) | ||||||
|       </para> |       </para> | ||||||
|      </listitem> |      </listitem> | ||||||
|     </varlistentry> |     </varlistentry> | ||||||
| @@ -4214,7 +4215,7 @@ set, the secret key must be kept in a file. | |||||||
|  <primary><envar>PGKRBSRVNAME</envar></primary> |  <primary><envar>PGKRBSRVNAME</envar></primary> | ||||||
| </indexterm> | </indexterm> | ||||||
| <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when | <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when | ||||||
| authenticating with Kerberos 5. | authenticating with Kerberos 5 or GSSAPI. | ||||||
| </para> | </para> | ||||||
| </listitem> | </listitem> | ||||||
| <listitem> | <listitem> | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| <!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.67 2007/01/31 20:56:18 momjian Exp $ --> | <!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.68 2007/07/18 12:00:47 mha Exp $ --> | ||||||
|  |  | ||||||
| <chapter id="protocol"> | <chapter id="protocol"> | ||||||
|  <title>Frontend/Backend Protocol</title> |  <title>Frontend/Backend Protocol</title> | ||||||
| @@ -230,11 +230,11 @@ | |||||||
|     The server then sends an appropriate authentication request message, |     The server then sends an appropriate authentication request message, | ||||||
|     to which the frontend must reply with an appropriate authentication |     to which the frontend must reply with an appropriate authentication | ||||||
|     response message (such as a password). |     response message (such as a password). | ||||||
|     In principle the authentication request/response cycle could require |     For all authentication methods except GSSAPI, there is at most | ||||||
|     multiple iterations, but none of the present authentication methods |     one request and one response. In some methods, no response | ||||||
|     use more than one request and response.  In some methods, no response |  | ||||||
|     at all is needed from the frontend, and so no authentication request |     at all is needed from the frontend, and so no authentication request | ||||||
|     occurs. |     occurs. For GSSAPI, multiple iterations of packets may be needed to  | ||||||
|  |     complete the authentication. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
| @@ -332,6 +332,34 @@ | |||||||
|       </listitem> |       </listitem> | ||||||
|      </varlistentry> |      </varlistentry> | ||||||
|  |  | ||||||
|  |      <varlistentry> | ||||||
|  |       <term>AuthenticationGSS</term> | ||||||
|  |       <listitem> | ||||||
|  |        <para> | ||||||
|  |         The frontend must now initiate a GSSAPI negotiation. The frontend | ||||||
|  |         will send a PasswordMessage with the first part of the GSSAPI | ||||||
|  |         data stream in response to this. If further messages are needed, | ||||||
|  |         the server will respond with AuthenticationGSSContinue. | ||||||
|  |        </para> | ||||||
|  |       </listitem> | ||||||
|  |      </varlistentry> | ||||||
|  |  | ||||||
|  |      <varlistentry> | ||||||
|  |       <term>AuthenticationGSSContinue</term> | ||||||
|  |       <listitem> | ||||||
|  |        <para> | ||||||
|  |         This message contains the response data from the previous step | ||||||
|  |         of GSSAPI negotiation (AuthenticationGSS or a previous | ||||||
|  |         AuthenticationGSSContinue). If the GSSAPI data in this message | ||||||
|  |         indicates more data is needed to complete the authentication, | ||||||
|  |         the frontend must send this data as another PasswordMessage. If | ||||||
|  |         GSSAPI authentication is completed by this message, the server | ||||||
|  |         will also send AuthenticationOk to indicate successful authentication | ||||||
|  |         or ErrorResponse to indicate failure. | ||||||
|  |        </para> | ||||||
|  |       </listitem> | ||||||
|  |      </varlistentry> | ||||||
|  |  | ||||||
|     </variablelist> |     </variablelist> | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
| @@ -1633,6 +1661,106 @@ AuthenticationSCMCredential (B) | |||||||
| </varlistentry> | </varlistentry> | ||||||
|  |  | ||||||
|  |  | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  | AuthenticationGSS (B) | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |  | ||||||
|  | <variablelist> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Byte1('R') | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Identifies the message as an authentication request. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Int32(8) | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Length of message contents in bytes, including self. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Int32(7) | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Specifies that GSSAPI authentication is required. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | </variablelist> | ||||||
|  |  | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  |  | ||||||
|  |  | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  | AuthenticationGSSContinue (B) | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |  | ||||||
|  | <variablelist> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Byte1('R') | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Identifies the message as an authentication request. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Int32 | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Length of message contents in bytes, including self. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Int32(8) | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 Specifies that this message contains GSSAPI data. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | <varlistentry> | ||||||
|  | <term> | ||||||
|  |         Byte<replaceable>n</replaceable> | ||||||
|  | </term> | ||||||
|  | <listitem> | ||||||
|  | <para> | ||||||
|  |                 GSSAPI authentication data. | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  | </variablelist> | ||||||
|  |  | ||||||
|  | </para> | ||||||
|  | </listitem> | ||||||
|  | </varlistentry> | ||||||
|  |  | ||||||
|  |  | ||||||
| <varlistentry> | <varlistentry> | ||||||
| <term> | <term> | ||||||
| BackendKeyData (B) | BackendKeyData (B) | ||||||
| @@ -3317,7 +3445,8 @@ PasswordMessage (F) | |||||||
| </term> | </term> | ||||||
| <listitem> | <listitem> | ||||||
| <para> | <para> | ||||||
|                 Identifies the message as a password response. |                 Identifies the message as a password response. Note that | ||||||
|  |                 this is also used by GSSAPI response messages. | ||||||
| </para> | </para> | ||||||
| </listitem> | </listitem> | ||||||
| </varlistentry> | </varlistentry> | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user