Commit ffd9aaa0 authored by Peter Eisentraut's avatar Peter Eisentraut

A bit of cleanup after SSL patch. Add it to config file, improve documentation.
parent 6dc24961
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.5 2000/08/29 04:15:43 momjian Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.6 2000/09/06 19:54:45 petere Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
......@@ -45,11 +45,11 @@
of a set of records, one per line. Blank lines and lines beginning
with a hash character (<quote>#</quote>) are ignored. A record is
made up of a number of fields which are separated by spaces and/or
tabs.
tabs and cannot be continued across several lines.
</para>
<para>
A record may have one of the two formats
A record may have one of the three formats
<synopsis>
local <replaceable>database</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
host <replaceable>database</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> [ <replaceable>authentication-option</replaceable> ]
......@@ -85,11 +85,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<listitem>
<para>
This record pertains to connection attemps with SSL over
TCP/IP. Note that SSL connections are completely disabled
unless the server is started with the <option>-i</option>,
and also require ordinary TCP/IP connections to be enabled.
SSL connections also require SSL support to be enabled in
the backend at compile time.
TCP/IP. To make use of this option the server must be
built with SSL support enabled. Furthermore, SSL must be
enabled with the <option>-l</> option or equivalent configuration
setting when the server is started.
</para>
</listitem>
</varlistentry>
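Review bot: the rewritten hostssl paragraph drops the old statement that SSL connections also require ordinary TCP/IP connections to be enabled. That requirement still holds: postmaster.c in this same commit exits with "For SSL, TCP/IP connections must be enabled" when SSL is on but TCP/IP is not, so the text should keep it, for example "SSL must be enabled with the <option>-l</> option or equivalent configuration setting, and TCP/IP connections must be enabled with <option>-i</> or its configuration equivalent." The unchanged line "This record pertains to connection attemps" still carries the typo "attemps".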
......@@ -100,7 +99,8 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<para>
Specifies the database that this record applies to. The value
<literal>all</literal> specifies that it applies to all
databases.
databases, the value <literal>sameuser</> identifies the
database with the same name as the connecting user.
</para>
</listitem>
</varlistentry>
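Review bot: the new sentence is a comma splice ("...applies to all databases, the value <literal>sameuser</> identifies..."); use a semicolon or a second sentence. It is also worth saying explicitly that <literal>sameuser</> only narrows which database a record matches and does not itself verify anything; the authentication method in the same record still decides whether the user is who they claim.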
......@@ -129,104 +129,48 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
<term><replaceable>authentication method</replaceable></term>
<listitem>
<para>
Specifies the method a user must use to authenticate themselves
when connecting to that database.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>authentication option</replaceable></term>
<listitem>
<para>
This field is interpreted differently depending on the
authentication method.
</para>
</listitem>
</varlistentry>
</variablelist>
The first record that matches a connection attempt is used. Note
that there is no <quote>fall-through</quote> or
<quote>backup</quote>, that is, if one record is chosen and the
authentication fails, the following records are not considered. If
no record matches, the access will be denied.
</para>
<para>
The <filename>pg_hba.conf</filename> file is re-read before each
connection attempt. It is therefore easily possible to modify
access permissions while the server is running.
</para>
<para>
An example of a <filename>pg_hba.conf</filename> file is shown in
<xref linkend="example-pg-hba.conf">. See below for details on the
different authentication methods.
<example id="example-pg-hba.conf">
<title>An example <filename>pg_hba.conf</filename> file</title>
<programlisting>
# Trust any connection via Unix domain sockets.
local trust
# Trust any connection via TCP/IP from this machine.
host all 127.0.0.1 255.255.255.255 trust
# We don't like this machine.
host all 192.168.0.10 255.255.255.0 reject
# This machine can't encrypt so we ask for passwords in clear.
host all 192.168.0.3 255.255.255.0 password
# The rest of this group of machines should provide encrypted passwords.
host all 192.168.0.0 255.255.255.0 crypt
# Authenticate these networks using ident
host all 192.168.1.0 255.255.255.0 ident usermap
host all 192.168.2.0 255.255.255.0 ident othermap
</programlisting>
</example>
</para>
</sect1>
<sect1 id="auth-methods">
<title>Authentication methods</title>
<para>
The following authentication methods are supported. They are
descibed in detail below.
Specifies the method that users must use to authenticate themselves
when connecting to that database. The possible choices follow,
details are in <xref linkend="auth-methods">.
<variablelist>
<varlistentry>
<term>trust</term>
<term>trust</>
<listitem>
<para>
The connection is allowed unconditionally. This method allows
any user that has login access to the client host to connect as
any user whatsoever. Use with care.
any user whatsoever.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>reject</term>
<term>reject</>
<listitem>
<para>
The connection is rejected unconditionally. This is mostly
useful to <quote>filter out</quote> certain hosts from a group.
useful to <quote>filter out</> certain hosts from a group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>password</term>
<term>password</>
<listitem>
<para>
The client is required to supply a password with the connection
attempt which is required to match the password that was set up
for the user.
</para>
<para>
An optional file name may be specified after the
<literal>password</literal> keyword. This file is expected to
contain a list of users that this record pertains to, and
optionally alternative passwords.
</para>
<para>
The password is sent over the wire in clear text. For better
protection, use the <literal>crypt</literal> method.
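Review bot: the trust entry loses its "Use with care." sentence in this hunk, and that was the only warning on a method that lets any user with login access to the client host connect as any database user; please keep it. Also "The possible choices follow, details are in <xref linkend="auth-methods">." is a comma splice; "follow; details" reads better.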
......@@ -235,7 +179,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
</varlistentry>
<varlistentry>
<term>crypt</term>
<term>crypt</>
<listitem>
<para>
Like the <literal>password</literal> method, but the password
......@@ -250,7 +194,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
</varlistentry>
<varlistentry>
<term>krb4</term>
<term>krb4</>
<listitem>
<para>
Kerberos V4 is used to authenticate the user. This is only
......@@ -286,6 +230,88 @@ host all 192.168.2.0 255.255.255.0 ident othermap
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>authentication option</replaceable></term>
<listitem>
<para>
This field is interpreted differently depending on the
authentication method, as described there.
</para>
</listitem>
</varlistentry>
</variablelist>
The first record that matches a connection attempt is used. There
is no <quote>fall-through</> or <quote>backup</>, that means, if
one record is chosen and the
authentication fails, the following records are not considered. If
no record matches, the access will be denied.
</para>
<para>
The <filename>pg_hba.conf</filename> file is re-read before each
connection attempt. It is therefore easily possible to modify
access permissions while the server is running.
</para>
<para>
An example of a <filename>pg_hba.conf</filename> file is shown in
<xref linkend="example-pg-hba.conf">. See below for details on the
different authentication methods.
<example id="example-pg-hba.conf">
<title>An example <filename>pg_hba.conf</filename> file</title>
<programlisting>
#TYPE DATABASE IP-ADDRESS MASK AUTHTYPE ARG
# Allow any user on the local system to connect to any database under
# any user name.
#
host all 127.0.0.1 255.255.255.255 trust
# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident on that
# host identifies him as (typically his Unix user name).
#
host template1 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password in pg_shadow is supplied.
#
host template1 192.168.12.10 255.255.255.255 crypt
# In absence of the other records, this would allow anyone anywhere
# except from 192.168.54.1 to connect to any database under any user
# name.
#
host all 192.168.54.1 255.255.255.255 reject
host all 0.0.0.0 0.0.0.0 trust
# Allow users from 192.168.77.x hosts to connect to any database, but if,
# for example, ident says the user is "bryanh" and he requests to
# connect as PostgreSQL user "guest1", the connection is only allowed if
# there is an entry for map "omicron" in `pg_ident.conf' that says
# "bryanh" is allowed to connect as "guest1".
#
host all 192.168.77.0 255.255.255.0 ident omicron
# Allow all users to connect to all databases via Unix sockets.
#
local all trust
</programlisting>
</example>
</para>
</sect1>
<sect1 id="auth-methods">
<title>Authentication methods</title>
<para>
The following describes the authentication methods in detail.
</para>
<sect2>
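Review bot: the new example file ends with "host all 0.0.0.0 0.0.0.0 trust", and its own comment says this allows anyone anywhere to connect to any database under any user name. Reference examples tend to be copied verbatim and the first matching record wins, so shipping a world-wide trust rule here is risky; suggest making that line "reject" (or at least "crypt"), or dropping it and leaning on the documented default ("If no record matches, the access will be denied"). Minor: the comment "map "omicron" in `pg_ident.conf'" mixes quote styles with the rest of the file.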
......@@ -398,8 +424,8 @@ host all 192.168.2.0 255.255.255.0 ident othermap
<para>
To generate the keytab file, use for example (with version 5)
<screen>
kadmin% <userinput>ank -randkey postgres/server.my.domain.org</>
kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
</screen>
Read the <productname>Kerberos</> documentation for defails.
</para>
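Review bot: the unchanged line "Read the <productname>Kerberos</> documentation for defails." has the typo "defails"; since the surrounding screen block is being re-marked-up anyway, fix it in the same hunk.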
......@@ -528,29 +554,26 @@ kadmin% <userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
conjunction with the <filename>pg_hba.conf</> file in <xref
linkend="example-pg-hba.conf"> is shown in <xref
linkend="example-pg-ident.conf">. In that example setup, anyone
logged in to a machine on the 192.168.1 network that does not have
the a user name joe, robert, or ann would not be granted access.
logged in to a machine on the 192.168.77 network that does not have
the a user name bryanh, ann, or robert would not be granted access.
Unix user robert would only be allowed access when he tries to
connect as <quote>bob</quote>, not as <quote>robert</quote> or
anyone else. <quote>ann</quote> and <quote>joe</quote> would only
be allowed to connect <quote>as themselves</quote>. On the
192.168.2 network, however, a user <quote>ann</quote> would not be
allowed to connect at all, only the user <quote>bob</> can connect
as <quote>bob</> and some user <quote>karl</> can connect as
<quote>joe</> as well.
anyone else. <quote>ann</quote> would only be allowed to connect
<quote>as herself</>. User bryanh would be allowed to connect as either
<quote>bryanh</> himself or as <quote>guest1</>.
</para>
<example id="example-pg-ident.conf">
<title>An example <filename>pg_ident.conf</> file</title>
<programlisting>
usermap joe joe
# bob has username robert on these machines
usermap robert bob
usermap ann ann
#MAP IDENT-NAME POSTGRESQL-NAME
othermap joe joe
othermap bob bob
othermap karl joe
omicron bryanh bryanh
omicron ann ann
# bob has username robert on these machines
omicron robert bob
# bryanh can also connect as guest1
omicron bryanh guest1
</programlisting>
</example>
</sect2>
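Review bot: the new line "the a user name bryanh, ann, or robert" carries over the duplicated article from the old text; drop "the". The mapping lines themselves are consistent with the prose (robert only as bob, ann as herself, bryanh as bryanh or guest1) and with the "ident omicron" record in the pg_hba.conf example, so the cross-reference now lines up.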
......@@ -605,4 +628,3 @@ FATAL 1: Database testdb does not exist in pg_database
</sect1>
</chapter>
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.16 2000/08/29 20:02:07 momjian Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.17 2000/09/06 19:54:45 petere Exp $ -->
<chapter id="installation">
<title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
......@@ -354,7 +354,7 @@ su - postgres
The man pages that come with <productname>PostgreSQL</> will be installed under
this directory, in their respective
<filename>man<replaceable>x</></> subdirectories.
<filename><replaceable>PREFIX</>/man</>.
The default is <filename><replaceable>PREFIX</>/man</>.
</para>
</listitem>
</varlistentry>
......@@ -581,15 +581,16 @@ su - postgres
<term>--with-openssl=<replaceable>DIRECTORY</></term>
<listitem>
<para>
Build with support for SSL (encrypted) connections.
This requires the OpenSSL library to be installed.
Build with support for <acronym>SSL</> (encrypted) connections.
This requires the <productname>OpenSSL</> package to be installed.
The <replaceable>DIRECTORY</> argument specifies the
root directory of the OpenSSL installation.
root directory of the <productname>OpenSSL</> installation; the
default is <filename>/usr/local/ssl</>.
</para>
<para>
<filename>configure</> will check for the required header
files and libraries to make sure that your OpenSSL
files and libraries to make sure that your <productname>OpenSSL</>
installation is sufficient before proceeding.
</para>
</listitem>
......@@ -601,7 +602,7 @@ su - postgres
<para>
Enables the <productname>PostgreSQL</> server to use the
syslog logging facility. (Using this option does not mean
that you will have to log with syslog or even that it will be done
that you must log with syslog or even that it will be done
by default, it simply makes it possible to turn this option
on at run time.)
</para>
......
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.23 2000/08/29 20:02:07 momjian Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.24 2000/09/06 19:54:45 petere Exp $
-->
<Chapter Id="runtime">
......@@ -941,18 +941,6 @@ env PGOPTIONS='--geqo=off' psql
</listitem>
</varlistentry>
<varlistentry>
<term>TCPIP_SOCKET (<type>boolean</type>)</term>
<listitem>
<para>
If this is true, then the server will accept TCP/IP
connections. Otherwise only local Unix domain socket
connections are accepted. It is off by default. This option
can only be set at server start.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT (<type>integer</type>)</term>
<listitem>
......@@ -1005,6 +993,29 @@ env PGOPTIONS='--geqo=off' psql
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL (<type>boolean</type>)</term>
<listitem>
<para>
Enables <acronym>SSL</> connections. Please read
<xref linkend="ssl"> before using this. The default
is off.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>TCPIP_SOCKET (<type>boolean</type>)</term>
<listitem>
<para>
If this is true, then the server will accept TCP/IP
connections. Otherwise only local Unix domain socket
connections are accepted. It is off by default. This option
can only be set at server start.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
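Review bot: the new SSL entry should state its dependency and its settability like its neighbour does: postmaster.c refuses to start when ssl is on and tcpip_socket is off, so say "requires TCPIP_SOCKET to be on", and since guc.c registers "ssl" as PGC_POSTMASTER, add "This option can only be set at server start" as the TCPIP_SOCKET entry already does.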
......@@ -1048,6 +1059,11 @@ env PGOPTIONS='--geqo=off' psql
<entry>tcpip_socket = on</entry>
<entry></entry>
</row>
<row>
<entry>-l</entry>
<entry>ssl = on</entry>
<entry></entry>
</row>
<row>
<entry>-N <replaceable>x</replaceable></entry>
<entry>max_connections = <replaceable>x</replaceable></entry>
......@@ -1726,64 +1742,66 @@ perl: warning: Falling back to the standard locale ("C").
</para>
</sect1>
<sect1>
<title>Secure TCP/IP Connection with SSL</title>
<sect1 id="ssl">
<title>Secure TCP/IP Connections with SSL</title>
<para>
PostgreSQL has native support for connections over SSL to encrypt
<productname>PostgreSQL</> has native support for connections over
<acronym>SSL</> to encrypt
client/server communications for increased security. This requires
<productname>OpenSSL</productname> to be installed on both client
and server systems and support enabled at compile-time using
the configure script.
and server systems and support enabled at build-time (see <xref
linkend="installation">).
</para>
<para>
With SSL support compiled in, the Postgres backend can be
started with argument -l to enable SSL connections.
When starting in SSL mode, the postmaster will look for the
files <filename>server.key</filename> and
<filename>server.cert</filename> in the <envar>PGDATA</envar>
directory. These files should contain the server private key and
certificate respectively. If the private key is protected with a
passphrase, the postmaster will prompt for the passphrase and not
start until it has been provided.
With SSL support compiled in, the <productname>PostgreSQL</> server
can be started with the argument <option>-l</> (ell) to enable
SSL connections. When starting in SSL mode, the postmaster will look
for the files <filename>server.key</> and <filename>server.crt</> in
the data directory. These files should contain the server private key
and certificate respectively. These files must be set up correctly
before an SSL-enabled server can start. If the private key is protected
with a passphrase, the postmaster will prompt for the passphrase and will
not start until it has been provided.
</para>
<para>
The postmaster will listen for both standard and SSL connections
on the same TCP/IP port, and will negotiate with any connecting
client wether to use SSL or not. Use the <filename>pg_hba.conf</filename>
file to optionally require SSL in order to accept a connection.
client wether to use SSL or not. See <xref linkend="client-authentication">
about how to force on the server side the use of SSL for certain
connections.
</para>
<para>
For details on how to create your server private key and certificate,
refer to the OpenSSL documentation. A simple self-signed certificate
can be used to get started testing, but a certificate signed by a CA
(either one of the global CAs or a local one) should be used in
refer to the <productname>OpenSSL</> documentation. A simple self-signed
certificate can be used to get started testing, but a certificate signed
by a CA (either one of the global CAs or a local one) should be used in
production so the client can verify the servers identity. To create
a quick self-signed certificate, use the <filename>CA.pl</filename>
script included in OpenSSL:
<programlisting>
CA.pl -newcert
CA.pl -newcert
</programlisting>
Fill out the information the script asks for. Make sure to enter
the local hostname as Common Name. The script will generate a key
which is passphrase protected. To remove the passphrase (required
the local host name as Common Name. The script will generate a key
that is passphrase protected. To remove the passphrase (required
if you want automatic start-up of the postmaster), run the command
<programlisting>
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem
</programlisting>
Enter the old passphrase to unlock the existing key. Copy the file
<filename>newreq.pem</filename> to <filename>PGDATA/server.cert</filename>
and <filename>newkey_no_passphrase.pem</filename> to
<filename>PGDATA/server.key</filename>. Remove the PRIVATE KEY part
from the <filename>server.cert</filename> using any text editor.
<filename>newreq.pem</> to <filename><replaceable>PGDATA</>/server.crt</>
and <filename>newkey_no_passphrase.pem</> to
<filename><replaceable>PGDATA</>/server.key</>. Remove the PRIVATE KEY part
from the <filename>server.crt</filename> using any text editor.
</para>
</sect1>
<sect1>
<title>Secure TCP/IP Connection with SSH</title>
<title>Secure TCP/IP Connections with SSH tunnels</title>
<note>
<title>Acknowledgement</title>
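Review bot: the command "openssl x509 -inform PEM -outform PEM -in newreq.pem -out newkey_no_passphrase.pem" does not remove a passphrase from a key; the x509 subcommand reads the certificate in its input and writes that, so the file later copied to server.key would hold the certificate rather than the key. The passphrase is stripped from the key with "openssl rsa -in newreq.pem -out newkey_no_passphrase.pem" (it prompts for the old passphrase), and "openssl x509 -in newreq.pem -out server.crt" yields the certificate alone, which is cleaner than removing the PRIVATE KEY block by hand as the text currently instructs. These lines are only re-indented in this hunk, but the rename to server.crt makes this the natural place to fix them; also worth adding that the unencrypted key file must be readable only by the server user. Typos in the hunk: "wether" (new line) and "the servers identity" (missing apostrophe).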
......@@ -1828,6 +1846,13 @@ psql -h localhost -p 3333 template1
terminal session.
</para>
<tip>
<para>
Several other products exist that can provide secure tunnels using
a procedure similar in concept to the one just described.
</para>
</tip>
</sect1>
</Chapter>
......
......@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.165 2000/09/06 14:15:19 petere Exp $
* $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.166 2000/09/06 19:54:46 petere Exp $
*
* NOTES
*
......@@ -193,10 +193,8 @@ static bool Reinit = true;
static int SendStop = false;
bool NetServer = false; /* listen on TCP/IP */
bool EnableSSL = false;
#ifdef USE_SSL
static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */
#endif
static pid_t StartupPID = 0,
ShutdownPID = 0;
......@@ -452,7 +450,7 @@ PostmasterMain(int argc, char *argv[])
break;
#ifdef USE_SSL
case 'l':
DisableSSL = true;
EnableSSL = true;
break;
#endif
case 'm':
......@@ -563,13 +561,13 @@ PostmasterMain(int argc, char *argv[])
}
#ifdef USE_SSL
if (!NetServer && !DisableSSL)
if (EnableSSL && !NetServer)
{
fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n",
fprintf(stderr, "%s: For SSL, TCP/IP connections must be enabled. See -? for help.\n",
progname);
exit(1);
}
if (!DisableSSL)
if (EnableSSL)
InitSSL();
#endif
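Review bot: the EnableSSL handling here, including the "TCP/IP connections must be enabled" check, sits inside #ifdef USE_SSL, while guc.c in this commit registers the "ssl" option unconditionally. A server built without SSL support therefore accepts "ssl = on" in the configuration file and starts without any SSL, with no error or warning; an #else branch that rejects EnableSSL (or at least logs that SSL support is not compiled in) would make the mismatch visible instead of silent.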
......@@ -750,9 +748,9 @@ usage(const char *progname)
printf(" -d 1-5 debugging level\n");
printf(" -D <directory> database directory\n");
printf(" -F turn fsync off\n");
printf(" -i listen on TCP/IP sockets\n");
printf(" -i enable TCP/IP connections\n");
#ifdef USE_SSL
printf(" -l disable SSL\n");
printf(" -l enable SSL connections\n");
#endif
printf(" -N <number> maximum number of allowed connections (1..%d, default %d)\n",
MAXBACKENDS, DEF_MAXBACKENDS);
......@@ -1060,7 +1058,7 @@ readStartupPacket(void *arg, PacketLen len, void *pkt)
char SSLok;
#ifdef USE_SSL
if (DisableSSL || port->laddr.sa.sa_family != AF_INET)
if (!EnableSSL || port->laddr.sa.sa_family != AF_INET)
/* No SSL when disabled or on Unix sockets */
SSLok = 'N';
else
......
......@@ -4,7 +4,7 @@
* Support for grand unified configuration scheme, including SET
* command, configuration file, and command line options.
*
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.10 2000/08/28 11:57:41 petere Exp $
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.11 2000/09/06 19:54:47 petere Exp $
*
* Copyright 2000 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>.
......@@ -160,6 +160,7 @@ ConfigureNamesBool[] =
{"geqo", PGC_USERSET, &enable_geqo, true},
{"tcpip_socket", PGC_POSTMASTER, &NetServer, false},
{"ssl", PGC_POSTMASTER, &EnableSSL, false},
{"fsync", PGC_USERSET, &enableFsync, true},
{"log_connections", PGC_SIGHUP, &Log_connections, false},
......
......@@ -3,7 +3,7 @@
*
* Copyright 2000 by PostgreSQL Global Development Group
*
* $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.35 2000/08/30 14:54:23 momjian Exp $
* $Header: /cvsroot/pgsql/src/bin/psql/startup.c,v 1.36 2000/09/06 19:54:48 petere Exp $
*/
#include "postgres.h"
......@@ -266,10 +266,11 @@ main(int argc, char *argv[])
" \\? for help on internal slash commands\n"
" \\g or terminate with semicolon to execute query\n"
" \\q to quit\n\n", pset.progname);
}
#ifdef USE_SSL
printSSLInfo();
#endif
}
SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1);
SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2);
SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3);
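Review bot: moving the closing brace past printSSLInfo() ties the SSL status line to whatever condition guards the welcome banner above it. If that guard is the quiet-mode check, users who run with it lose the only indication of whether the connection is encrypted; if that is intended, a short comment saying so would help, otherwise printSSLInfo() should stay outside the block.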
......
......@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California
*
* $Id: miscadmin.h,v 1.65 2000/09/06 14:15:24 petere Exp $
* $Id: miscadmin.h,v 1.66 2000/09/06 19:54:52 petere Exp $
*
* NOTES
* some of the information in this file will be moved to
......@@ -107,6 +107,7 @@ extern int SortMem;
configuration file processor has access to them */
extern bool NetServer;
extern bool EnableSSL;
extern int MaxBackends;
extern int NBuffers;
extern int PostPortName;
......