1 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.8. Ident Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sspi-auth.html" title="20.7. SSPI Authentication" /><link rel="next" href="auth-peer.html" title="20.9. Peer Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.8. Ident Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sspi-auth.html" title="20.7. SSPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-peer.html" title="20.9. Peer Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-IDENT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.8. Ident Authentication <a href="#AUTH-IDENT" class="id_link">#</a></h2></div></div></div><a id="id-1.6.7.15.2" class="indexterm"></a><p>
3 The ident authentication method works by obtaining the client's
4 operating system user name from an ident server and using it as
5 the allowed database user name (with an optional user name mapping).
6 This is only supported on TCP/IP connections.
7 </p><div class="note"><h3 class="title">Note</h3><p>
8 When ident is specified for a local (non-TCP/IP) connection,
9 peer authentication (see <a class="xref" href="auth-peer.html" title="20.9. Peer Authentication">Section 20.9</a>) will be
12 The following configuration options are supported for <code class="literal">ident</code>:
13 </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
14 Allows for mapping between system and database user names. See
15 <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details.
16 </p></dd></dl></div><p>
18 The <span class="quote">“<span class="quote">Identification Protocol</span>”</span> is described in
19 <a class="ulink" href="https://datatracker.ietf.org/doc/html/rfc1413" target="_top">RFC 1413</a>.
20 Virtually every Unix-like
21 operating system ships with an ident server that listens on TCP
22 port 113 by default. The basic functionality of an ident server
23 is to answer questions like <span class="quote">“<span class="quote">What user initiated the
24 connection that goes out of your port <em class="replaceable"><code>X</code></em>
25 and connects to my port <em class="replaceable"><code>Y</code></em>?</span>”</span>.
26 Since <span class="productname">PostgreSQL</span> knows both <em class="replaceable"><code>X</code></em> and
27 <em class="replaceable"><code>Y</code></em> when a physical connection is established, it
28 can interrogate the ident server on the host of the connecting
29 client and can theoretically determine the operating system user
30 for any given connection.
32 The drawback of this procedure is that it depends on the integrity
33 of the client: if the client machine is untrusted or compromised,
34 an attacker could run just about any program on port 113 and
35 return any user name they choose. This authentication method is
36 therefore only appropriate for closed networks where each client
37 machine is under tight control and where the database and system
38 administrators operate in close contact. In other words, you must
39 trust the machine running the ident server.
41 </p><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
42 The Identification Protocol is not intended as an authorization
43 or access control protocol.
44 </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">RFC 1413</span></td></tr></table></div><p>
46 Some ident servers have a nonstandard option that causes the returned
47 user name to be encrypted, using a key that only the originating
48 machine's administrator knows. This option <span class="emphasis"><em>must not</em></span> be
49 used when using the ident server with <span class="productname">PostgreSQL</span>,
50 since <span class="productname">PostgreSQL</span> does not have any way to decrypt the
51 returned string to determine the actual user name.
52 </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sspi-auth.html" title="20.7. SSPI Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-peer.html" title="20.9. Peer Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.7. SSPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 18.0 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 20.9. Peer Authentication</td></tr></table></div></body></html>
begriffs.com / projects / ai-pg / blob