diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 6cf5aef377d..b4895746bc5 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,4 +1,4 @@ - + Client Authentication @@ -45,14 +45,14 @@ of a set of records, one per line. Blank lines and lines beginning with a hash character (#) are ignored. A record is made up of a number of fields which are separated by spaces and/or - tabs. + tabs and cannot be continued across several lines. - A record may have one of the two formats + A record may have one of the three formats -local database authentication-method [ authentication-option ] -host database IP-address IP-mask authentication-method [ authentication-option ] +local database authentication-method [ authentication-option ] +host database IP-address IP-mask authentication-method [ authentication-option ] hostssl database IP-address IP-mask authentication-method [ authentication-option ] The meaning of the fields is as follows: @@ -85,11 +85,10 @@ hostssl database IP-address This record pertains to connection attemps with SSL over - TCP/IP. Note that SSL connections are completely disabled - unless the server is started with the , - and also require ordinary TCP/IP connections to be enabled. - SSL connections also require SSL support to be enabled in - the backend at compile time. + TCP/IP. To make use of this option the server must be + built with SSL support enabled. Furthermore, SSL must be + enabled with the @@ -100,7 +99,8 @@ hostssl database IP-address Specifies the database that this record applies to. The value all specifies that it applies to all - databases. + databases, the value sameuser identifies the + database with the same name as the connecting user. 
@@ -129,8 +129,108 @@ hostssl database IP-addressauthentication method - Specifies the method a user must use to authenticate themselves - when connecting to that database. + Specifies the method that users must use to authenticate themselves + when connecting to that database. The possible choices follow, + details are in . + + + + trust + + + The connection is allowed unconditionally. This method allows + any user that has login access to the client host to connect as + any user whatsoever. + + + + + + reject + + + The connection is rejected unconditionally. This is mostly + useful to filter out certain hosts from a group. + + + + + + password + + + The client is required to supply a password with the connection + attempt which is required to match the password that was set up + for the user. + + + + An optional file name may be specified after the + password keyword. This file is expected to + contain a list of users that this record pertains to, and + optionally alternative passwords. + + + + The password is sent over the wire in clear text. For better + protection, use the crypt method. + + + + + + crypt + + + Like the password method, but the password + is sent over the wire encrypted using a simple + challenge-response protocol. This is still not + cryptographically secure but it protects against incidental + wire-sniffing. The name of a file may follow the + crypt keyword that contains a list of users + that this record pertains to. + + + + + + krb4 + + + Kerberos V4 is used to authenticate the user. This is only + available for TCP/IP connections. + + + + + + krb5 + + + Kerberos V5 is used to authenticate the user. This is only + available for TCP/IP connections. + + + + + + ident + + + The ident server on the client host is asked for the identity + of the connecting user. Postgres + then verifies whether the so identified operating system user + is allowed to connect as the database user that is requested. 
+ The authentication option following + the ident keyword specifies the name of an + ident map that specifies which operating + system users equate with which database users. See below for + details. + + + + + @@ -140,15 +240,15 @@ hostssl database IP-address This field is interpreted differently depending on the - authentication method. + authentication method, as described there. - The first record that matches a connection attempt is used. Note - that there is no fall-through or - backup, that is, if one record is chosen and the + The first record that matches a connection attempt is used. There + is no fall-through or backup, that means, if + one record is chosen and the authentication fails, the following records are not considered. If no record matches, the access will be denied. 
@@ -167,19 +267,42 @@ hostssl database IP-address An example <filename>pg_hba.conf</filename> file -# Trust any connection via Unix domain sockets. -local trust -# Trust any connection via TCP/IP from this machine. -host all 127.0.0.1 255.255.255.255 trust -# We don't like this machine. -host all 192.168.0.10 255.255.255.0 reject -# This machine can't encrypt so we ask for passwords in clear. -host all 192.168.0.3 255.255.255.0 password -# The rest of this group of machines should provide encrypted passwords. -host all 192.168.0.0 255.255.255.0 crypt -# Authenticate these networks using ident -host all 192.168.1.0 255.255.255.0 ident usermap -host all 192.168.2.0 255.255.255.0 ident othermap +#TYPE DATABASE IP-ADDRESS MASK AUTHTYPE ARG + +# Allow any user on the local system to connect to any database under +# any user name. +# +host all 127.0.0.1 255.255.255.255 trust + +# Allow any user from any host with IP address 192.168.93.x to connect +# to database "template1" as the same user name that ident on that +# host identifies him as (typically his Unix user name). +# +host template1 192.168.93.0 255.255.255.0 ident sameuser + +# Allow a user from host 192.168.12.10 to connect to database +# "template1" if the user's password in pg_shadow is supplied. +# +host template1 192.168.12.10 255.255.255.255 crypt + +# In absence of the other records, this would allow anyone anywhere +# except from 192.168.54.1 to connect to any database under any user +# name. +# +host all 192.168.54.1 255.255.255.255 reject +host all 0.0.0.0 0.0.0.0 trust + +# Allow users from 192.168.77.x hosts to connect to any database, but if, +# for example, ident says the user is "bryanh" and he requests to +# connect as PostgreSQL user "guest1", the connection is only allowed if +# there is an entry for map "omicron" in `pg_ident.conf' that says +# "bryanh" is allowed to connect as "guest1". 
+# +host all 192.168.77.0 255.255.255.0 ident omicron + +# Allow all users to connect to all databases via Unix sockets. +# +local all trust 
@@ -188,104 +311,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap Authentication methods - The following authentication methods are supported. They are - descibed in detail below. - - - - trust - - - The connection is allowed unconditionally. This method allows - any user that has login access to the client host to connect as - any user whatsoever. Use with care. - - - - - - reject - - - The connection is rejected unconditionally. This is mostly - useful to filter out certain hosts from a group. - - - - - - password - - - The client is required to supply a password with the connection - attempt which is required to match the password that was set up - for the user. - - - An optional file name may be specified after the - password keyword. This file is expected to - contain a list of users that this record pertains to, and - optionally alternative passwords. - - - The password is sent over the wire in clear text. For better - protection, use the crypt method. - - - - - - crypt - - - Like the password method, but the password - is sent over the wire encrypted using a simple - challenge-response protocol. This is still not - cryptographically secure but it protects against incidental - wire-sniffing. The name of a file may follow the - crypt keyword that contains a list of users - that this record pertains to. - - - - - - krb4 - - - Kerberos V4 is used to authenticate the user. This is only - available for TCP/IP connections. - - - - - - krb5 - - - Kerberos V5 is used to authenticate the user. This is only - available for TCP/IP connections. - - - - - - ident - - - The ident server on the client host is asked for the identity - of the connecting user. Postgres - then verifies whether the so identified operating system user - is allowed to connect as the database user that is requested. - The authentication option following - the ident keyword specifies the name of an - ident map that specifies which operating - system users equate with which database users. 
See below for - details. - - - - + The following describes the authentication methods in detail. @@ -398,8 +424,8 @@ host all 192.168.2.0 255.255.255.0 ident othermap To generate the keytab file, use for example (with version 5) -kadmin% ank -randkey postgres/server.my.domain.org -kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org +kadmin% ank -randkey postgres/server.my.domain.org +kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org Read the Kerberos documentation for defails. @@ -528,29 +554,26 @@ kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org conjunction with the pg_hba.conf file in is shown in . In that example setup, anyone - logged in to a machine on the 192.168.1 network that does not have - the a user name joe, robert, or ann would not be granted access. + logged in to a machine on the 192.168.77 network that does not have + the a user name bryanh, ann, or robert would not be granted access. Unix user robert would only be allowed access when he tries to connect as bob, not as robert or - anyone else. ann and joe would only - be allowed to connect as themselves. On the - 192.168.2 network, however, a user ann would not be - allowed to connect at all, only the user bob can connect - as bob and some user karl can connect as - joe as well. + anyone else. ann would only be allowed to connect + as herself. User bryanh would be allowed to connect as either + bryanh himself or as guest1. An example <filename>pg_ident.conf</> file -usermap joe joe -# bob has username robert on these machines -usermap robert bob -usermap ann ann +#MAP IDENT-NAME POSTGRESQL-NAME -othermap joe joe -othermap bob bob -othermap karl joe +omicron bryanh bryanh +omicron ann ann +# bob has username robert on these machines +omicron robert bob +# bryanh can also connect as guest1 +omicron bryanh guest1 @@ -605,4 +628,3 @@ FATAL 1: Database testdb does not exist in pg_database - 
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 038175eafcc..2133b89bdbd 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -1,4 +1,4 @@ - + <![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions @@ -354,7 +354,7 @@ su - postgres The man pages that come with PostgreSQL will be installed under this directory, in their respective manx subdirectories. - PREFIX/man. + The default is PREFIX/man. @@ -581,15 +581,16 @@ su - postgres --with-openssl=DIRECTORY - Build with support for SSL (encrypted) connections. - This requires the OpenSSL library to be installed. + Build with support for SSL (encrypted) connections. + This requires the OpenSSL package to be installed. The DIRECTORY argument specifies the - root directory of the OpenSSL installation. + root directory of the OpenSSL installation; the + default is /usr/local/ssl. configure will check for the required header - files and libraries to make sure that your OpenSSL + files and libraries to make sure that your OpenSSL installation is sufficient before proceeding. @@ -601,7 +602,7 @@ su - postgres Enables the PostgreSQL server to use the syslog logging facility. (Using this option does not mean - that you will have to log with syslog or even that it will be done + that you must log with syslog or even that it will be done by default, it simply makes it possible to turn this option on at run time.) diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index fd15984556d..01a9c6c5474 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,5 +1,5 @@ @@ -941,18 +941,6 @@ env PGOPTIONS='--geqo=off' psql - - TCPIP_SOCKET (boolean) - - - If this is true, then the server will accept TCP/IP - connections. Otherwise only local Unix domain socket - connections are accepted. It is off by default. This option - can only be set at server start. - - - - PORT (integer) 
@@ -1005,6 +993,29 @@ env PGOPTIONS='--geqo=off' psql + + + SSL (boolean) + + + Enables SSL connections. Please read + before using this. The default + is off. + + + + + + TCPIP_SOCKET (boolean) + + + If this is true, then the server will accept TCP/IP + connections. Otherwise only local Unix domain socket + connections are accepted. It is off by default. This option + can only be set at server start. + + + @@ -1048,6 +1059,11 @@ env PGOPTIONS='--geqo=off' psql tcpip_socket = on + + -l + ssl = on + + -N x max_connections = x 
@@ -1726,64 +1742,66 @@ perl: warning: Falling back to the standard locale ("C"). - - Secure TCP/IP Connection with SSL + + Secure TCP/IP Connections with SSL - PostgreSQL has native support for connections over SSL to encrypt + PostgreSQL has native support for connections over + SSL to encrypt client/server communications for increased security. This requires OpenSSL to be installed on both client - and server systems and support enabled at compile-time using - the configure script. + and server systems and support enabled at build-time (see ). - With SSL support compiled in, the Postgres backend can be - started with argument -l to enable SSL connections. - When starting in SSL mode, the postmaster will look for the - files server.key and - server.cert in the PGDATA - directory. These files should contain the server private key and - certificate respectively. If the private key is protected with a - passphrase, the postmaster will prompt for the passphrase and not - start until it has been provided. + With SSL support compiled in, the PostgreSQL server + can be started with the argument The postmaster will listen for both standard and SSL connections on the same TCP/IP port, and will negotiate with any connecting - client wether to use SSL or not. Use the pg_hba.conf - file to optionally require SSL in order to accept a connection. + client wether to use SSL or not. See + about how to force on the server side the use of SSL for certain + connections. For details on how to create your server private key and certificate, - refer to the OpenSSL documentation. A simple self-signed certificate - can be used to get started testing, but a certificate signed by a CA - (either one of the global CAs or a local one) should be used in + refer to the OpenSSL documentation. 
A simple self-signed + certificate can be used to get started testing, but a certificate signed + by a CA (either one of the global CAs or a local one) should be used in production so the client can verify the servers identity. To create a quick self-signed certificate, use the CA.pl script included in OpenSSL: - CA.pl -newcert +CA.pl -newcert Fill out the information the script asks for. Make sure to enter - the local hostname as Common Name. The script will generate a key - which is passphrase protected. To remove the passphrase (required + the local host name as Common Name. The script will generate a key + that is passphrase protected. To remove the passphrase (required if you want automatic start-up of the postmaster), run the command - openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem +openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem Enter the old passphrase to unlock the existing key. Copy the file - newreq.pem to PGDATA/server.cert - and newkey_no_passphrase.pem to - PGDATA/server.key. Remove the PRIVATE KEY part - from the server.cert using any text editor. + newreq.pem to PGDATA/server.crt + and newkey_no_passphrase.pem to + PGDATA/server.key. Remove the PRIVATE KEY part + from the server.crt using any text editor. - Secure TCP/IP Connection with SSH + Secure TCP/IP Connections with SSH tunnels Acknowledgement @@ -1828,6 +1846,13 @@ psql -h localhost -p 3333 template1 terminal session. + + + Several other products exist that can provide secure tunnels using + a procedure similar in concept to the one just described. + + + diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index 59a42cd915e..748d8dbf787 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c 
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.165 2000/09/06 14:15:19 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.166 2000/09/06 19:54:46 petere Exp $
  *
  * NOTES
  *
@@ -193,10 +193,8 @@ static bool Reinit = true;
 static int SendStop = false;
 
 bool NetServer = false; /* listen on TCP/IP */
+bool EnableSSL = false;
 
-#ifdef USE_SSL
-static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */
-#endif
 
 static pid_t StartupPID = 0,
 ShutdownPID = 0;
@@ -452,7 +450,7 @@ PostmasterMain(int argc, char *argv[])
 break;
 #ifdef USE_SSL
 case 'l':
- DisableSSL = true;
+ EnableSSL = true;
 break;
 #endif
 case 'm':
@@ -563,13 +561,13 @@ PostmasterMain(int argc, char *argv[])
 }
 
 #ifdef USE_SSL
- if (!NetServer && !DisableSSL)
+ if (EnableSSL && !NetServer)
 {
- fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n",
+ fprintf(stderr, "%s: For SSL, TCP/IP connections must be enabled. See -? for help.\n",
 progname);
 exit(1);
 }
- if (!DisableSSL)
+ if (EnableSSL)
 InitSSL();
 #endif
 
@@ -750,9 +748,9 @@ usage(const char *progname)
 printf(" -d 1-5 debugging level\n");
 printf(" -D database directory\n");
 printf(" -F turn fsync off\n");
- printf(" -i listen on TCP/IP sockets\n");
+ printf(" -i enable TCP/IP connections\n");
 #ifdef USE_SSL
- printf(" -l disable SSL\n");
+ printf(" -l enable SSL connections\n");
 #endif
 printf(" -N maximum number of allowed connections (1..%d, default %d)\n",
 MAXBACKENDS, DEF_MAXBACKENDS);
@@ -1060,7 +1058,7 @@ readStartupPacket(void *arg, PacketLen len, void *pkt)
 char SSLok;
 
 #ifdef USE_SSL
- if (DisableSSL || port->laddr.sa.sa_family != AF_INET)
+ if (!EnableSSL || port->laddr.sa.sa_family != AF_INET)
 /* No SSL when disabled or on Unix sockets */
 SSLok = 'N';
 else
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 09b236e25bb..1cbc4121a06 100644
--- a/src/backend/utils/misc/guc.c
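Review bot: The new global `bool EnableSSL = false;` in the -193 hunk carries no comment, while the neighbouring `NetServer` documents itself with `/* listen on TCP/IP */`; suggest `bool EnableSSL = false; /* accept SSL connections (-l, ssl=on); only acted on in USE_SSL builds */`. The flag is deliberately placed outside `#ifdef USE_SSL`, presumably so guc.c can take its address in every build; saying so in the comment would stop a later cleanup from moving it back inside the guard, which would break the non-SSL build. The same one-line comment would fit the matching `extern bool EnableSSL;` in miscadmin.h.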
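Review bot: In the -563 hunk the SSL consistency check is compiled out when USE_SSL is not defined, yet the guc.c hunk registers `ssl` unconditionally, so `ssl = on` in the configuration file is silently accepted by a non-SSL build and has no effect while the server keeps accepting plaintext only; an operator reading the config would believe SSL is on. Failing closed would be safer: `#else` / `if (EnableSSL) { fprintf(stderr, "%s: SSL support is not compiled in\n", progname); exit(1); }` before the `#endif`. Since the default for USE_SSL builds also flips from SSL-on to SSL-off here, a startup log line stating whether SSL is enabled would make the new state observable to anyone upgrading. PostmasterMain continues outside the hunk.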
+++ b/src/backend/utils/misc/guc.c
@@ -4,7 +4,7 @@
  * Support for grand unified configuration scheme, including SET
  * command, configuration file, and command line options.
  *
- * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.10 2000/08/28 11:57:41 petere Exp $
+ * $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.11 2000/09/06 19:54:47 petere Exp $
  *
  * Copyright 2000 by PostgreSQL Global Development Group
  * Written by Peter Eisentraut .
@@ -160,6 +160,7 @@ ConfigureNamesBool[] =
 {"geqo", PGC_USERSET, &enable_geqo, true},
 
 {"tcpip_socket", PGC_POSTMASTER, &NetServer, false},
+ {"ssl", PGC_POSTMASTER, &EnableSSL, false},
 {"fsync", PGC_USERSET, &enableFsync, true},
 {"log_connections", PGC_SIGHUP, &Log_connections, false},
 
diff --git a/src/bin/psql/startup.c b/src/bin/psql/startup.c
index 0f36e30ef8c..288c60d3108 100644
--- a/src/bin/psql/startup.c
+++ b/src/bin/psql/startup.c
@@ -3,7 +3,7 @@
  *
  * Copyright 2000 by PostgreSQL Global Development Group
  *
- * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.35 2000/08/30 14:54:23 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.36 2000/09/06 19:54:48 petere Exp $
  */
 
 #include "postgres.h"
@@ -264,12 +264,13 @@ main(int argc, char *argv[])
 "Type: \\copyright for distribution terms\n"
 " \\h for help with SQL commands\n"
 " \\? for help on internal slash commands\n"
- " \\g or terminate with semicolon to execute query\n"
+ " \\g or terminate with semicolon to execute query\n"
 " \\q to quit\n\n", pset.progname);
- }
 #ifdef USE_SSL
- printSSLInfo();
+ printSSLInfo();
 #endif
+ }
+
 SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1);
 SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2);
 SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3);
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
index 187f6f91b7f..540b7266682 100644
--- a/src/include/miscadmin.h
+++ b/src/include/miscadmin.h
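Review bot: Moving `printSSLInfo();` inside the banner block in the startup.c -264 hunk means the SSL status line is no longer printed whenever the welcome banner is suppressed; the condition that opens that block is outside the hunk, so I cannot tell from here which modes lose it. The status line is the only place a user sees whether the session is encrypted, so if hiding it together with the banner is intended, a comment such as `/* SSL status is reported only together with the welcome banner */` above `#ifdef USE_SSL` would record the decision; if it is not intended, the call belongs back after the closing brace. The `\\g` line change in the same hunk looks like whitespace alignment only.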
@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Id: miscadmin.h,v 1.65 2000/09/06 14:15:24 petere Exp $
+ * $Id: miscadmin.h,v 1.66 2000/09/06 19:54:52 petere Exp $
  *
  * NOTES
  * some of the information in this file will be moved to
@@ -107,6 +107,7 @@ extern int SortMem;
 configuration file processor has access to them */
 
 extern bool NetServer;
+extern bool EnableSSL;
 extern int MaxBackends;
 extern int NBuffers;
 extern int PostPortName;