Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/client-auth.sgml | 6 |
-rw-r--r-- | doc/src/sgml/config.sgml | 12 |
2 files changed, 10 insertions, 8 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 92f474e8e6b..ccd748d264a 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1262,11 +1262,7 @@ omicron bryanh guest1 <para> The location of the server's keytab file is specified by the <xref - linkend="guc-krb-server-keyfile"/> configuration - parameter. The default is - <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> - (where the directory part is whatever was specified - as <varname>sysconfdir</varname> at build time). + linkend="guc-krb-server-keyfile"/> configuration parameter. For security reasons, it is recommended to use a separate keytab just for the <productname>PostgreSQL</productname> server rather than allowing the server to read the system keytab file. diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 8d72951dd09..97610de287d 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1035,10 +1035,16 @@ include_dir 'conf.d' </term> <listitem> <para> - Sets the location of the Kerberos server key file. See - <xref linkend="gssapi-auth"/> - for details. This parameter can only be set in the + Sets the location of the server's Kerberos key file. The default is + <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> + (where the directory part is whatever was specified + as <varname>sysconfdir</varname> at build time; use + <literal>pg_config --sysconfdir</literal> to determine that). + If this parameter is set to an empty string, it is ignored and a + system-dependent default is used. + This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. + See <xref linkend="gssapi-auth"/> for more information. </para> </listitem> </varlistentry> |
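Review bot: In the client-auth.sgml hunk (@@ -1262,11 +1262,7), the shortened sentence ending "configuration parameter." no longer gives the reader any hint of what happens when the parameter is left alone, yet the next sentence recommends a separate keytab "rather than allowing the server to read the system keytab file." Someone reading only this section cannot tell whether an untouched installation already follows that recommendation. Consider a short clause after the xref saying that the default location is described under that parameter, so the security advice and the place to verify it stay connected.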
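Review bot: In the config.sgml hunk (@@ -1035,10 +1035,16), the added sentence "If this parameter is set to an empty string, it is ignored and a system-dependent default is used." leaves "system-dependent default" undefined, and the same paragraph has just used "The default is" for the sysconfdir path, so two different defaults are in play without being told apart. This matters for security because client-auth.sgml recommends against letting the server read the system keytab, and an empty value may be exactly how a server ends up doing that. Suggest saying where the fallback comes from (for example, that it is chosen by the Kerberos library rather than by PostgreSQL) and noting that it may be the system keytab, with a pointer to the recommendation in the gssapi-auth section.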