| 19.10. Secure TCP/IP Connections with GSSAPI Encryption | ||||
|---|---|---|---|---|
| Prev | Up | Chapter 19. Server Setup and Operation | Home | Next |
19.10. Secure TCP/IP Connections with GSSAPI Encryption
PostgreSQL also has native support for usingGSSAPI to encrypt client/server communications for increased security. Support requires that aGSSAPI implementation (such as MIT Kerberos) is installed on both client and server systems, and that support inPostgreSQL is enabled at build time (seeChapter 17).
19.10.1. Basic Setup
ThePostgreSQL server will listen for both normal andGSSAPI-encrypted connections on the same TCP port, and will negotiate with any connecting client whether to useGSSAPI for encryption (and for authentication). By default, this decision is up to the client (which means it can be downgraded by an attacker); seeSection 21.1 about setting up the server to require the use ofGSSAPI for some or all connections. When usingGSSAPI for encryption, it is common to useGSSAPI for authentication as well, since the underlying mechanism will determine both client and server identities (according to theGSSAPI implementation) in any case. But this is not required; anotherPostgreSQL authentication method can be chosen to perform additional verification. Other than configuration of the negotiation behavior,GSSAPI encryption requires no setup beyond that which is necessary for GSSAPI authentication. (For more information on configuring that, seeSection 21.6.)