- <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.2 2000/07/04 16:31:51 petere Exp $ -->
+ <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.3 2000/07/15 21:35:47 petere Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@@ -295,7 +295,8 @@ host all 192.168.2.0 255.255.255.0 ident othermap
file after the <literal>password</> or <literal>crypt</> keyword,
respectively, in <filename>pg_hba.conf</>. If you do not use this
feature, then any user that is known to the database system can
- connect (as long as he passes password authentication, of course).
+ connect to any database (as long as he passes password
+ authentication, of course).
</para>
<para>
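Review bot: the rewritten sentence still leaves "any user that is known to the database system" undefined, and the added phrase "to any database" makes the scope of that access the whole point of the warning; since the following hunk speaks of the main password in pg_shadow managed by CREATE USER and ALTER USER, say that directly, e.g. "any user that has a password in pg_shadow can connect to any database". A minor style point on the same lines: "as long as he passes password authentication" would read better with a neutral pronoun ("they").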
@@ -316,7 +317,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
<para>
Lines with and without passwords can be mixed in secondary
- password files. Lines without password indicate use the main
+ password files. Lines without password indicate useof the main
password in <literal>pg_shadow</> that is managed by
<command>CREATE USER</> and <command>ALTER USER</>. Lines with
passwords will cause that password to be used. A password entry of
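Review bot: the added line introduces a typo in the very phrase it was meant to fix: "Lines without password indicate useof the main password" should read "Lines without password indicate use of the main password". The intent (replacing the ungrammatical "indicate use the main") is right; only the space is missing.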
@@ -348,14 +349,20 @@ host all 192.168.2.0 255.255.255.0 ident othermap
authentication system suitable for distributed computing over a
public network. A description of the
<productname>Kerberos</productname> system is far beyond the scope
- of this document; in all generality it can be quite complex. The
- <ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos <acronym>FAQ</></ulink>
- can be a good starting point for exploration.
+ of this document; in all generality it can be quite complex (yet
+ powerful). The <ulink
+ url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos
+ <acronym>FAQ</></ulink> or <ulink
+ url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can be
+ a good starting point for exploration. Several sources for
+ <productname>Kerberos</> distributions exist.
</para>
<para>
In order to use <productname>Kerberos</>, support for it must be
- enable at build time. Both Kerberos 4 and 5 are supported.
+ enable at build time. Both Kerberos 4 and 5 are supported
+ (<literal>./configure --with-krb4</> or <literal>./configure
+ --with-krb5</> respectively).
</para>
<para>
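Review bot: the re-touched line "support for it must be enable at build time. Both Kerberos 4 and 5 are supported" carries the pre-existing typo forward; since the line is being edited anyway, change "enable" to "enabled". Naming the configure options (--with-krb4, --with-krb5) in parentheses is a useful addition; the closing sentence "Several sources for Kerberos distributions exist" adds nothing beyond the two links just given and could be dropped.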
@@ -365,14 +372,74 @@ host all 192.168.2.0 255.255.255.0 ident othermap
build. Make sure that your server keytab file is readable (and
preferrably only readable) by the Postgres server account (see
<xref linkend="postgres-user">). The location of the keytab file
- is specified at build time. By default it is
+ is specified at build time; by default it is
<filename>/etc/srvtab</filename> in Kerberos 4 and
- <filename>FILE:/usr/local/postgres /krb5.keytab</filename> in
+ <filename>FILE:/usr/local/pgsql/etc /krb5.keytab</filename> in
Kerberos 5.
</para>
- <!-- Note from Peter E.: Some of the Kerberos usage information is
- still in config.sgml and some in doc/README.kerberos. It should be
- integrated here. -->
+
+ <para>
+ To generate the keytab file, use for example (with version 5)
+ <screen>
+ kadmin% <userinput>ank -randkey postgres/server.my.domain.org</>
+ kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
+ </screen>
+ Read the <productname>Kerberos</> documentation for defails.
+ </para>
+
+ <para>
+ In the <productname>Kerberos</> 5 hooks, the following assumptions
+ are made about user and service naming:
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ User principal names (anames) are assumed to contain the actual
+ Unix/<productname>Postgres</> user name in the first component.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <productname>Postgres</> service is assumed to be have two
+ components, the service name and a hostname, canonicalized as
+ in Version 4 (i.e., with all domain suffixes removed).
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <informaltable>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Parameter</>
+ <entry>Example</>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>user</>
+ <entry>frew@S2K.ORG</>
+ </row>
+ <row>
+ <entry>user</>
+ <entry>aoki/HOST=miyu.S2K.Berkeley.EDU@S2K.ORG</>
+ </row>
+ <row>
+ <entry>host</>
+ <entry>postgres_dbms/ucbvax@S2K.ORG</>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </para>
+
+ <para>
+ If you use mod_auth_krb and mod_perl on your Apache web server,
+ you can use AuthType KerberosV5SaveCredentials with a mod_perl
+ script. This gives secure database access over the web, no extra
+ passwords required.
+ </para>
+
</sect2>
<sect2>
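Review bot: the new default keytab path "<filename>FILE:/usr/local/pgsql/etc /krb5.keytab</filename>" contains a stray space before "/krb5.keytab" (the old line had the same defect after "postgres"); it will render as a path with a space in it, so write "FILE:/usr/local/pgsql/etc/krb5.keytab" on one line. The kadmin example creates and exports the principal "postgres/server.my.domain.org" (full hostname), while the naming assumptions that follow say the service hostname is canonicalized with all domain suffixes removed and the table's host example is "postgres_dbms/ucbvax@S2K.ORG" (different service name, short hostname); the example, the bullet and the table should agree on the service name and the host component form so a reader can tell which principal the server actually looks up in the keytab. Smaller points in the same hunk: "defails" should be "details", "assumed to be have two components" should be "assumed to have two components", and the context line "preferrably" is misspelled ("preferably"). The mod_auth_krb/mod_perl paragraph asserts "secure database access over the web, no extra passwords required" without saying how the saved credentials reach the database connection or what the web server has to protect; add a pointer to the relevant Apache module documentation or qualify the claim.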