From 98de86e4221a418d670db86bf28ff15e880beadc Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Wed, 15 Jan 2014 17:24:01 +0100 Subject: Remove support for native krb5 authentication krb5 has been deprecated since 8.3, and the recommended way to do Kerberos authentication is using the GSSAPI authentication method (which is still fully supported). libpq retains the ability to identify krb5 authentication, but only gives an error message about it being unsupported. Since all authentication is initiated from the backend, there is no need to keep it at all in the backend. --- doc/src/sgml/client-auth.sgml | 253 ++++++++++---------------------------- doc/src/sgml/config.sgml | 6 +- doc/src/sgml/install-windows.sgml | 2 +- doc/src/sgml/installation.sgml | 20 +-- doc/src/sgml/libpq.sgml | 9 +- doc/src/sgml/passwordcheck.sgml | 2 +- doc/src/sgml/protocol.sgml | 3 +- 7 files changed, 77 insertions(+), 218 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 9fc583ce574..14870401fb8 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -450,17 +450,6 @@ hostnossl database user - - krb5 - - - Use Kerberos V5 to authenticate the user. This is only - available for TCP/IP connections. See for details. - - - - ident 
@@ -650,13 +639,13 @@ host all all .example.com md5 # In the absence of preceding "host" lines, these two lines will # reject all connections from 192.168.54.1 (since that entry will be -# matched first), but allow Kerberos 5 connections from anywhere else +# matched first), but allow GSSAPI connections from anywhere else # on the Internet. The zero mask causes no bits of the host IP # address to be considered, so it matches any host. # # TYPE DATABASE USER ADDRESS METHOD host all all 192.168.54.1/32 reject -host all all 0.0.0.0/0 krb5 +host all all 0.0.0.0/0 gss # Allow users from 192.168.x.x hosts to connect to any database, if # they pass the ident check. If, for example, ident says the user is 
@@ -924,17 +913,75 @@ omicron bryanh guest1 SSL is used. + + GSSAPI support has to be enabled when PostgreSQL is built; + see for more information. + + When GSSAPI uses Kerberos, it uses a standard principal in the format - servicename/hostname@realm. For information about the parts of the principal, and - how to set up the required keys, see . + servicename/hostname@realm. + servicename can be set on the server side using the + configuration parameter, and on the + client side using the krbsrvname connection parameter. (See + also .) The installation default can be + changed from the default postgres at build time using + ./configure --with-krb-srvnam=whatever. + In most environments, + this parameter never needs to be changed. However, it is necessary + when supporting multiple PostgreSQL installations + on the same host. + Some Kerberos implementations might also require a different service name, + such as Microsoft Active Directory which requires the service name + to be in upper case (POSTGRES). + + + hostname is the fully qualified host name of the + server machine. The service principal's realm is the preferred realm + of the server machine. - GSSAPI support has to be enabled when PostgreSQL is built; - see for more information. + Client principals must have their PostgreSQL database user + name as their first component, for example + pgusername@realm. Alternatively, you can use a user name + mapping to map from the first component of the principal name to the + database user name. By default, the realm of the client is + not checked by PostgreSQL. If you have cross-realm + authentication enabled and need to verify the realm, use the + krb_realm parameter, or enable include_realm + and use user name mapping to check the realm. + + + + Make sure that your server keytab file is readable (and preferably + only readable) by the PostgreSQL server + account. (See also .) The location + of the key file is specified by the configuration + parameter. 
The default is + /usr/local/pgsql/etc/krb5.keytab (or whatever + directory was specified as sysconfdir at build time). + + + The keytab file is generated by the Kerberos software; see the + Kerberos documentation for details. The following example is + for MIT-compatible Kerberos 5 implementations: + +kadmin% ank -randkey postgres/server.my.domain.org +kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org + + + + + When connecting to the database make sure you have a ticket for a + principal matching the requested database user name. For example, for + database user name fred, principal + fred@EXAMPLE.COM would be able to connect. To also allow + principal fred/users.example.com@EXAMPLE.COM, use a user name + map, as described in . 
@@ -1050,178 +1097,6 @@ omicron bryanh guest1 - - Kerberos Authentication - - - Kerberos - - - - - Native Kerberos authentication has been deprecated and should be used - only for backward compatibility. New and upgraded installations are - encouraged to use the industry-standard GSSAPI - authentication method (see ) instead. - - - - - Kerberos is an industry-standard secure - authentication system suitable for distributed computing over a public - network. A description of the Kerberos system - is beyond the scope of this document; in full generality it can be - quite complex (yet powerful). The - - Kerberos FAQ or - MIT Kerberos page - can be good starting points for exploration. - Several sources for Kerberos distributions exist. - Kerberos provides secure authentication but - does not encrypt queries or data passed over the network; for that - use SSL. - - - - PostgreSQL supports Kerberos version 5. Kerberos - support has to be enabled when PostgreSQL is built; - see for more information. - - - - PostgreSQL operates like a normal Kerberos service. - The name of the service principal is - servicename/hostname@realm. - - - - servicename can be set on the server side using the - configuration parameter, and on the - client side using the krbsrvname connection parameter. (See - also .) The installation default can be - changed from the default postgres at build time using - ./configure --with-krb-srvnam=whatever. - In most environments, - this parameter never needs to be changed. However, it is necessary - when supporting multiple PostgreSQL installations - on the same host. - Some Kerberos implementations might also require a different service name, - such as Microsoft Active Directory which requires the service name - to be in upper case (POSTGRES). - - - - hostname is the fully qualified host name of the - server machine. The service principal's realm is the preferred realm - of the server machine. 
- - - - Client principals must have their PostgreSQL database user - name as their first component, for example - pgusername@realm. Alternatively, you can use a user name - mapping to map from the first component of the principal name to the - database user name. By default, the realm of the client is - not checked by PostgreSQL. If you have cross-realm - authentication enabled and need to verify the realm, use the - krb_realm parameter, or enable include_realm - and use user name mapping to check the realm. - - - - Make sure that your server keytab file is readable (and preferably - only readable) by the PostgreSQL server - account. (See also .) The location - of the key file is specified by the configuration - parameter. The default is - /usr/local/pgsql/etc/krb5.keytab (or whatever - directory was specified as sysconfdir at build time). - - - - The keytab file is generated by the Kerberos software; see the - Kerberos documentation for details. The following example is - for MIT-compatible Kerberos 5 implementations: - -kadmin% ank -randkey postgres/server.my.domain.org -kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org - - - - - When connecting to the database make sure you have a ticket for a - principal matching the requested database user name. For example, for - database user name fred, principal - fred@EXAMPLE.COM would be able to connect. To also allow - principal fred/users.example.com@EXAMPLE.COM, use a user name - map, as described in . - - - - If you use - mod_auth_kerb - and mod_perl on your - Apache web server, you can use - AuthType KerberosV5SaveCredentials with a - mod_perl script. This gives secure - database access over the web, with no additional passwords required. - - - - The following configuration options are supported for - Kerberos: - - - map - - - Allows for mapping between system and database user names. See - for details. 
- - - - - - include_realm - - - If set to 1, the realm name from the authenticated user - principal is included in the system user name that's passed through - user name mapping (). This is - useful for handling users from multiple realms. - - - - - - krb_realm - - - Sets the realm to match user principal names against. If this parameter - is set, only users of that realm will be accepted. If it is not set, - users of any realm can connect, subject to whatever user name mapping - is done. - - - - - - krb_server_hostname - - - Sets the host name part of the service principal. - This, combined with krb_srvname, is used to generate - the complete service principal, that is - krb_srvname/krb_server_hostname@REALM. - If not set, the default is the server host name. - - - - - - - Ident Authentication diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 0f2f2bf925b..3c4bb9becaa 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -964,7 +964,7 @@ include 'filename' Sets the location of the Kerberos server key file. See - or + for details. This parameter can only be set in the postgresql.conf file or on the server command line. @@ -978,7 +978,7 @@ include 'filename' - Sets the Kerberos service name. See + Sets the Kerberos service name. See for details. This parameter can only be set in the postgresql.conf file or on the server command line. @@ -992,7 +992,7 @@ include 'filename' - Sets whether Kerberos and GSSAPI user names should be treated + Sets whether GSSAPI user names should be treated case-insensitively. The default is off (case sensitive). This parameter can only be set in the postgresql.conf file or on the server command line. diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml index 4c9ce5b1455..f3b1a12b05f 100644 --- a/doc/src/sgml/install-windows.sgml +++ b/doc/src/sgml/install-windows.sgml 
@@ -269,7 +269,7 @@ $ENV{PATH}=$ENV{PATH} . ';c:\some\where\bison\bin'; MIT Kerberos - Required for Kerberos authentication support. MIT Kerberos can be + Required for GSSAPI authentication support. MIT Kerberos can be downloaded from . diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index fc6559d7084..a4cdf5f1042 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -771,28 +771,12 @@ su - postgres - - - - - Build with support for Kerberos 5 authentication. On many - systems, the Kerberos system is not installed in a location - that is searched by default (e.g., /usr/include, - /usr/lib), so you must use the options - - - - - The default name of the Kerberos service principal (also used - by GSSAPI). + The default name of the Kerberos service principal used + by GSSAPI. postgres is the default. There's usually no reason to change this unless you have a Windows environment, in which case it must be set to upper case diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 15bc42cd61c..3ab06a1a1b7 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -896,7 +896,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname Using hostaddr instead of host allows the application to avoid a host name look-up, which might be important in applications with time constraints. However, a host name is - required for Kerberos, GSSAPI, or SSPI authentication + required for GSSAPI or SSPI authentication methods, as well as for verify-full SSL certificate verification. The following rules are used: @@ -1331,11 +1331,10 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname krbsrvname - Kerberos service name to use when authenticating with Kerberos 5 - or GSSAPI. + Kerberos service name to use when authenticating with GSSAPI. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also - and .) + .) 
@@ -6652,7 +6651,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) libpq applications will attempt authentication with servers for this realm and use separate ticket files to avoid conflicts with local ticket files. This - environment variable is only used if Kerberos authentication is + environment variable is only used if GSSAPI authentication is selected by the server. diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml index 415749d5424..6e6e4ef4356 100644 --- a/doc/src/sgml/passwordcheck.sgml +++ b/doc/src/sgml/passwordcheck.sgml @@ -48,7 +48,7 @@ module, because in that case it can only try to guess the password. For this reason, passwordcheck is not recommended if your security requirements are high. - It is more secure to use an external authentication method such as Kerberos + It is more secure to use an external authentication method such as GSSAPI (see ) than to rely on passwords within the database. diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 0b2e60eeb13..7d99976a49c 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -271,7 +271,8 @@ authentication dialog (not described here, part of the Kerberos specification) with the server. If this is successful, the server responds with an AuthenticationOk, - otherwise it responds with an ErrorResponse. + otherwise it responds with an ErrorResponse. This is no + longer supported. This is not supported any more. -- cgit v1.2.3
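Review bot: In the client-auth.sgml hunk at @@ -924, the moved text still says "hostname is the fully qualified host name of the server machine" without saying how that name is determined now that the krb5-only krb_server_hostname option is being removed in the @@ -1050 hunk. Since the libpq hunk at @@ -896 notes that a host name is required for GSSAPI, consider adding a sentence here stating that the client derives the service principal's host part from the host it connects to, so the keytab entry created with "ktadd -k krb5.keytab postgres/server.my.domain.org" must use the name clients actually resolve. While touching this paragraph, the keytab advice "readable (and preferably only readable) by the PostgreSQL server account" would be more actionable with the concrete permission (owner read only, i.e. mode 0600, owned by the server account).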
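Review bot: In the libpq.sgml hunk at @@ -1331, the unchanged context line "This must match the service name specified in the server configuration for Kerberos authentication to succeed." still says "Kerberos authentication" while the preceding line in the same hunk was changed to "authenticating with GSSAPI"; for consistency with the rest of the patch, change it to "for GSSAPI authentication to succeed" (or "Kerberos-based GSSAPI authentication").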
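Review bot: In the libpq.sgml hunk at @@ -6652, only the word "Kerberos" is swapped for "GSSAPI", but the surrounding context still describes realm-specific behaviour ("attempt authentication with servers for this realm and use separate ticket files to avoid conflicts with local ticket files") that belonged to the native krb5 path being removed. Please confirm that this environment variable still has any effect on the GSSAPI code path; if it does not, the paragraph should be removed or marked as having no effect rather than re-worded, otherwise readers will set a variable that silently does nothing.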
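Review bot: In the protocol.sgml hunk at @@ -271, the added text says the same thing twice: "This is no longer supported. This is not supported any more." Keep one sentence, and consider stating what a client should expect instead, since the commit message says libpq now reports an error when a server requests krb5; something like "This is no longer supported; libpq will report an error if the server requests it" documents the observable behaviour.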