Next Previous Contents

11. Security of Database

Database security is addressed at several levels:

11.1 User Authentication

Authentication is the process by which the backend server and postmaster ensure that the user requesting access to data is in fact who he/she claims to be. All users who invoke Postgres are checked against the contents of the pg_user class to ensure that they are authorized to do so. However, verification of the user's actual identity is performed in a variety of ways:

11.2 Host-Based Access Control

Host-based access control is the name for the basic controls PostgreSQL exercises on what clients are allowed to access a database and how the users on those clients must authenticate themselves. Each database system contains a file named pg_hba.conf, in its $PGDATA directory, which controls who can connect to each database. Every client accessing a database must be covered by one of the entries in pg_hba.conf. Otherwise all attempted connections from that client will be rejected with a "User authentication failed" error message.

See online man page of pg_hba.conf(5) (man 5 pg_hba.conf).

The general format of the pg_hba.conf file is of a set of records, one per line. Blank lines and lines beginning with a hash character ("#") are ignored. A record is made up of a number of fields which are separated by spaces and/or tabs.

Connections from clients can be made using Unix domain sockets or Internet domain sockets (ie. TCP/IP). Connections made using Unix domain sockets are controlled using records of the following format:


local database authentication method

where

database specifies the database that this record applies to. The value all specifies that it applies to all databases.

authentication method specifies the method an user must use to authenticate themselves when connecting to that database using Unix domain sockets. The different methods are described below.

Connections made using Internet domain sockets are controlled using records of the following format.


host database TCP/IP-address TCP/IP-mask authentication method

The TCP/IP address is logically and'ed to both the specified TCP/IP mask and the TCP/IP address of the connecting client. If the two resulting values are equal then the record is used for this connection. If a connection matches more than one record then the earliest one in the file is used. Both the TCP/IP address and the TCP/IP mask are specified in dotted decimal notation. If a connection fails to match any record then the reject authentication method is applied (see Authentication Methods).

11.3 Authentication Methods

The following authentication methods are supported for both Unix and TCP/IP domain sockets:

The following authentication methods are supported for TCP/IP domain sockets only:

Here are some examples:


# Trust any connection via Unix domain sockets.
local   trust
# Trust any connection via TCP/IP from this machine.
host    all 127.0.0.1   255.255.255.255     trust
# We don't like this machine.
host    all 192.168.0.10    255.255.255.0       reject
# This machine can't encrypt so we ask for passwords in clear.
host    all 192.168.0.3 255.255.255.0       password
# The rest of this group of machines should provide encrypted passwords.
host    all 192.168.0.0 255.255.255.0       crypt

11.4 Access Control

Postgres provides mechanisms to allow users to limit the access to their data that is provided to other users.

11.5 Secure TCP/IP Connection via SSH

You can use ssh to encrypt the network connection between clients and a Postgres server. Done properly, this should lead to an adequately secure network connection.

The documentation for ssh provides most of the information to get started. Please refer to http://www.heimhardt.de/htdocs/ssh.html for better insight. A step-by-step explanation can be done in just two steps.

Running a secure tunnel via ssh: A step-by-step explanation can be done in just two steps.

11.6 Kerberos Authentication

Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network.

Availability: The Kerberos authentication system is not distributed with Postgres. Versions of Kerberos are typically available as optional software from operating system vendors. In addition, a source code distribution may be obtained through MIT Project Athena.


Note: You may wish to obtain the MIT version even if your vendor provides a version, since
some vendor ports have been deliberately crippled or rendered non-interoperable with the MIT
version.

Inquiries regarding your Kerberos should be directed to your vendor or MIT Project Athena. Note that FAQLs (Frequently-Asked Questions Lists) are periodically posted to the Kerberos mailing list (send mail to subscribe), and USENET news group.

Installation: Installation of Kerberos itself is covered in detail in the Kerberos Installation Notes . Make sure that the server key file (the srvtab or keytab) is somehow readable by the Postgres account. Postgres and its clients can be compiled to use either Version 4 or Version 5 of the MIT Kerberos protocols by setting the KRBVERS variable in the file src/Makefile.global to the appropriate value. You can also change the location where Postgres expects to find the associated libraries, header files and its own server key file. After compilation is complete, Postgres must be registered as a Kerberos service. See the Kerberos Operations Notes and related manual pages for more details on registering services.

Operation: After initial installation, Postgres should operate in all ways as a normal Kerberos service. For details on the use of authentication, see the PostgreSQL User's Guide reference sections for postmaster and psql.

In the Kerberos Version 5 hooks, the following assumptions are made about user and service naming(also, see Table below):


                Table: Kerberos Parameter Examples
 ------------------------------------------------------
 Parameter      Example
 ------------------------------------------------------
 user           frew@S2K.ORG
 user           aoki/HOST=miyu.S2K.Berkeley.EDU@S2K.ORG
 host           postgres_dbms/ucbvax@S2K.ORG 
 ------------------------------------------------------


Next Previous Contents