auth methods
From:
David Bear <David.Bear@asu.edu>
Date:

After reading through http://www.postgresql.org/docs/8.0/static/auth-methods.html I'm still left wondering how to solve something that should be simple.

Ident method looks like it might work.

All I really want to do is prevent user jack, who is logged in and properly authenticated to the system as jack, from connecting to pg as user joe. I have kerb authentication working for all ssh connections to the data base server. I don't want another layer of authentication for postgresql.

I'm currently using the trust method, but any user can connect to pg as any other pg user.

The trouble is that ident seems to be nonexistent in suse linux (at least, it doesn't seem to be installed).

Any pointers would be appreciated.

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"

Re: auth methods
From:
Stephen Frost <sfrost@snowman.net>
Date:

* David Bear (David.Bear@asu.edu) wrote:
> after reading through
> http://www.postgresql.org/docs/8.0/static/auth-methods.html
>
> I'm still left wondering how to solve something that should be simple.
>
> Ident method looks like it might work.
>
> All I really want to do is prevent user jack, who is logged in and
> properly authenticated to the system as jack, from connecting to pg as
> user joe. I have kerb authentication working for all ssh connections
> to the data base server. I don't want another layer of authentication
> for postgresql.
>
> I'm currently using the trust method, but any user can connect to pg
> as any other pg user.
>
> the trouble is that ident seems to be non existent in suse linux (at
> least, it doesn't seem to be installed )
>
> any pointers would be appreciated.

You don't need identd to be installed to use ident over local unix sockets. Also, PostgreSQL supports Kerberos, so you could use krb5 instead of ident or trust. Trust isn't really an authentication mechanism, it's the lack of one.

If you're only connecting locally over local unix domain sockets then you'd probably want ident. If you want to be able to authenticate over the network and you've already got Kerberos set up then you should probably use Kerberos to auth to Postgres too.

Note that if you want to connect to Postgres locally using Kerberos you'll (of course) need to have an appropriate TGT on the box you're ssh'ing to.

Kerberos is also supported by the ODBC driver and psql on Windows (if you use those). You can also get Kerberos authentication working with PhpPgAdmin through Apache with a bit of hacking.

Enjoy,

Stephen
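
The advice in the reply above, as an added example that is not part of the original thread: a small Python check that parses `pg_hba.conf` text and reports every rule still using `trust`. The two sample files are constructed for illustration, use the 8.0-era `ident sameuser` syntax from the documentation linked in the question, and the names `parse_hba` and `trust_rules` are hypothetical.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "lineno conn_type database user address method option")

# Constructed samples. WEAK_HBA mirrors the setup in the question (trust everywhere);
# FIXED_HBA applies the reply's advice. 192.0.2.0/24 is a documentation-only range.
WEAK_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
"""
FIXED_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident sameuser
host    all       all   192.0.2.0/24   krb5
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Parse pg_hba.conf text into Rule tuples (assumption: no quoted fields)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not f:
            continue
        if len(f) < 4:
            raise ValueError(f"line {lineno}: too few fields")
        if f[0] == "local":                # Unix-socket rules have no address column
            addr, rest = None, f[3:]
        elif _is_ip(f[3]) and len(f) > 4 and _is_ip(f[4]):  # IP and netmask columns
            addr, rest = f[3] + " " + f[4], f[5:]
        else:                              # CIDR form
            addr, rest = f[3], f[4:]
        if not rest:
            raise ValueError(f"line {lineno}: no auth method")
        rules.append(Rule(lineno, f[0], f[1], f[2], addr, rest[0], " ".join(rest[1:])))
    return rules

def trust_rules(text):
    """Return the rules whose method is trust, i.e. no authentication at all."""
    return [r for r in parse_hba(text) if r.method == "trust"]
```

Run `trust_rules()` over the contents of the server's own `pg_hba.conf`; an empty list means no rule lets a client pick an arbitrary database user without proof of identity.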