</variablelist>
</sect2>
- <sect2 id="runtime-config-connection-security">
- <title>Security and Authentication</title>
+
+ <sect2 id="runtime-config-connection-authentication">
+ <title>Authentication</title>
<variablelist>
<varlistentry id="guc-authentication-timeout" xreflabel="authentication_timeout">
</listitem>
</varlistentry>
+ <varlistentry id="guc-password-encryption" xreflabel="password_encryption">
+ <term><varname>password_encryption</varname> (<type>enum</type>)
+ <indexterm>
+ <primary><varname>password_encryption</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ When a password is specified in <xref linkend="sql-createrole"/> or
+ <xref linkend="sql-alterrole"/>, this parameter determines the algorithm
+ to use to encrypt the password. The default value is <literal>md5</literal>,
+ which stores the password as an MD5 hash (<literal>on</literal> is also
+ accepted, as alias for <literal>md5</literal>). Setting this parameter to
+ <literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
+ </para>
+ <para>
+ Note that older clients might lack support for the SCRAM authentication
+ mechanism, and hence not work with passwords encrypted with
+ SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
+ <term><varname>krb_server_keyfile</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>krb_server_keyfile</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Sets the location of the Kerberos server key file. See
+ <xref linkend="gssapi-auth"/>
+ for details. This parameter can only be set in the
+ <filename>postgresql.conf</filename> file or on the server command line.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
+ <term><varname>krb_caseins_users</varname> (<type>boolean</type>)
+ <indexterm>
+ <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Sets whether GSSAPI user names should be treated
+ case-insensitively.
+ The default is <literal>off</literal> (case sensitive). This parameter can only be
+ set in the <filename>postgresql.conf</filename> file or on the server command line.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
+ <term><varname>db_user_namespace</varname> (<type>boolean</type>)
+ <indexterm>
+ <primary><varname>db_user_namespace</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ This parameter enables per-database user names. It is off by default.
+ This parameter can only be set in the <filename>postgresql.conf</filename>
+ file or on the server command line.
+ </para>
+
+ <para>
+ If this is on, you should create users as <replaceable>username@dbname</replaceable>.
+ When <replaceable>username</replaceable> is passed by a connecting client,
+ <literal>@</literal> and the database name are appended to the user
+ name and that database-specific user name is looked up by the
+ server. Note that when you create users with names containing
+ <literal>@</literal> within the SQL environment, you will need to
+ quote the user name.
+ </para>
+
+ <para>
+ With this parameter enabled, you can still create ordinary global
+ users. Simply append <literal>@</literal> when specifying the user
+ name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal>
+ will be stripped off before the user name is looked up by the
+ server.
+ </para>
+
+ <para>
+ <varname>db_user_namespace</varname> causes the client's and
+ server's user name representation to differ.
+ Authentication checks are always done with the server's user name
+ so authentication methods must be configured for the
+ server's user name, not the client's. Because
+ <literal>md5</literal> uses the user name as salt on both the
+ client and server, <literal>md5</literal> cannot be used with
+ <varname>db_user_namespace</varname>.
+ </para>
+
+ <note>
+ <para>
+ This feature is intended as a temporary measure until a
+ complete solution is found. At that time, this option will
+ be removed.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect2>
+
+ <sect2 id="runtime-config-connection-ssl">
+ <title>SSL</title>
+
+ <para>
+ See <xref linkend="ssl-tcp"/> for more information about setting up SSL.
+ </para>
+
+ <variablelist>
<varlistentry id="guc-ssl" xreflabel="ssl">
<term><varname>ssl</varname> (<type>boolean</type>)
<indexterm>
</term>
<listitem>
<para>
- Enables <acronym>SSL</acronym> connections. Please read
- <xref linkend="ssl-tcp"/> before using this.
+ Enables <acronym>SSL</acronym> connections.
This parameter can only be set in the <filename>postgresql.conf</filename>
file or on the server command line.
The default is <literal>off</literal>.
</listitem>
</varlistentry>
- <varlistentry id="guc-password-encryption" xreflabel="password_encryption">
- <term><varname>password_encryption</varname> (<type>enum</type>)
- <indexterm>
- <primary><varname>password_encryption</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- When a password is specified in <xref linkend="sql-createrole"/> or
- <xref linkend="sql-alterrole"/>, this parameter determines the algorithm
- to use to encrypt the password. The default value is <literal>md5</literal>,
- which stores the password as an MD5 hash (<literal>on</literal> is also
- accepted, as alias for <literal>md5</literal>). Setting this parameter to
- <literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
- </para>
- <para>
- Note that older clients might lack support for the SCRAM authentication
- mechanism, and hence not work with passwords encrypted with
- SCRAM-SHA-256. See <xref linkend="auth-password"/> for more details.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry id="guc-ssl-dh-params-file" xreflabel="ssl_dh_params_file">
<term><varname>ssl_dh_params_file</varname> (<type>string</type>)
<indexterm>
</para>
</listitem>
</varlistentry>
-
- <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
- <term><varname>krb_server_keyfile</varname> (<type>string</type>)
- <indexterm>
- <primary><varname>krb_server_keyfile</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- Sets the location of the Kerberos server key file. See
- <xref linkend="gssapi-auth"/>
- for details. This parameter can only be set in the
- <filename>postgresql.conf</filename> file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
- <term><varname>krb_caseins_users</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- Sets whether GSSAPI user names should be treated
- case-insensitively.
- The default is <literal>off</literal> (case sensitive). This parameter can only be
- set in the <filename>postgresql.conf</filename> file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
- <term><varname>db_user_namespace</varname> (<type>boolean</type>)
- <indexterm>
- <primary><varname>db_user_namespace</varname> configuration parameter</primary>
- </indexterm>
- </term>
- <listitem>
- <para>
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the <filename>postgresql.conf</filename>
- file or on the server command line.
- </para>
-
- <para>
- If this is on, you should create users as <replaceable>username@dbname</replaceable>.
- When <replaceable>username</replaceable> is passed by a connecting client,
- <literal>@</literal> and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- <literal>@</literal> within the SQL environment, you will need to
- quote the user name.
- </para>
-
- <para>
- With this parameter enabled, you can still create ordinary global
- users. Simply append <literal>@</literal> when specifying the user
- name in the client, e.g. <literal>joe@</literal>. The <literal>@</literal>
- will be stripped off before the user name is looked up by the
- server.
- </para>
-
- <para>
- <varname>db_user_namespace</varname> causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- <literal>md5</literal> uses the user name as salt on both the
- client and server, <literal>md5</literal> cannot be used with
- <varname>db_user_namespace</varname>.
- </para>
-
- <note>
- <para>
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
- </para>
- </note>
- </listitem>
- </varlistentry>
-
</variablelist>
</sect2>
</sect1>
gettext_noop("Connections and Authentication"),
/* CONN_AUTH_SETTINGS */
gettext_noop("Connections and Authentication / Connection Settings"),
- /* CONN_AUTH_SECURITY */
- gettext_noop("Connections and Authentication / Security and Authentication"),
+ /* CONN_AUTH_AUTH */
+ gettext_noop("Connections and Authentication / Authentication"),
+ /* CONN_AUTH_SSL */
+ gettext_noop("Connections and Authentication / SSL"),
/* RESOURCES */
gettext_noop("Resource Usage"),
/* RESOURCES_MEM */
NULL, NULL, NULL
},
{
- {"ssl", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Enables SSL connections."),
NULL
},
check_ssl, NULL, NULL
},
{
- {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Give priority to server ciphersuite order."),
NULL
},
NULL, NULL, NULL
},
{
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Enables per-database user names."),
NULL
},
check_transaction_deferrable, NULL, NULL
},
{
- {"row_security", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"row_security", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Enable row security."),
gettext_noop("When enabled, row security will be applied to all users.")
},
},
{
- {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."),
NULL
},
},
{
- {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the maximum allowed time to complete client authentication."),
NULL,
GUC_UNIT_S
},
{
- {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SSL,
gettext_noop("SSL renegotiation is no longer supported; this can only be 0."),
NULL,
GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
},
{
- {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the location of the Kerberos server key file."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server certificate file."),
NULL
},
},
{
- {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server private key file."),
NULL
},
},
{
- {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate authority file."),
NULL
},
},
{
- {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate revocation list file."),
NULL
},
},
{
- {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the list of allowed SSL ciphers."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the curve to use for ECDH."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL DH parameters file."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"password_encryption", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"password_encryption", PGC_USERSET, CONN_AUTH_AUTH,
gettext_noop("Encrypt passwords."),
gettext_noop("When a password is specified in CREATE USER or "
"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
-# - Security and Authentication -
+# - TCP Keepalives -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_count = 0 # TCP_KEEPCNT;
+ # 0 selects the system default
+
+# - Authentication -
#authentication_timeout = 1min # 1s-600s
-#ssl = off
-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
-#ssl_prefer_server_ciphers = on
-#ssl_ecdh_curve = 'prime256v1'
-#ssl_dh_params_file = ''
-#ssl_cert_file = 'server.crt'
-#ssl_key_file = 'server.key'
-#ssl_ca_file = ''
-#ssl_crl_file = ''
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
-#row_security = on
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
-# - TCP Keepalives -
-# see "man 7 tcp" for details
+# - SSL -
-#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
- # 0 selects the system default
-#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
- # 0 selects the system default
-#tcp_keepalives_count = 0 # TCP_KEEPCNT;
- # 0 selects the system default
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_dh_params_file = ''
#------------------------------------------------------------------------------
# - Statement Behavior -
#search_path = '"$user", public' # schema names
+#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
FILE_LOCATIONS,
CONN_AUTH,
CONN_AUTH_SETTINGS,
- CONN_AUTH_SECURITY,
+ CONN_AUTH_AUTH,
+ CONN_AUTH_SSL,
RESOURCES,
RESOURCES_MEM,
RESOURCES_DISK,
projects / users / rhaas / postgres.git / commitdiff