How to Implement Client Authentication in a PostgreSQL Database

2025-01-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains in detail how client authentication works in a PostgreSQL database. The editor finds it very practical and shares it here as a reference; I hope you get something out of it.

Authentication is the process by which the database server establishes the identity of the client and, by extension, determines whether the client application (or the user running the client application) is allowed to connect with the requested database user name.

The method used to authenticate a specific client connection can be selected based on the host address, database, and user.

-1. pg_hba.conf file:

Client authentication is controlled by the pg_hba.conf configuration file, which is stored in the database's data directory.

Record format:

connection type   database name   user name   client IP address range   authentication method

The authentication method applies to connections that match these parameters.

Connection type:

local: matches connection attempts using Unix domain sockets.
host: matches connection attempts made using TCP/IP; host records match both SSL and non-SSL connection attempts.
hostssl: matches connection attempts made using TCP/IP, but only when the connection uses SSL encryption.
hostnossl: matches only connection attempts made over TCP/IP that do not use SSL.

database: the database name the record matches. all specifies that all databases are matched. Multiple database names can be provided by separating them with commas.

user: the database user name the record matches. Multiple user names can be provided by separating them with commas.

address: the client machine address the record matches. It can be a host name or a range of IP addresses. 0.0.0.0/0 stands for all IPv4 addresses, and ::0/0 for all IPv6 addresses.

METHOD: the authentication method to use when a connection matches the record.

trust: allows the connection unconditionally. All connections are allowed without a password or any other authentication.
reject: rejects the connection unconditionally.
scram-sha-256: performs SCRAM-SHA-256 authentication to verify the user's password.
md5: performs SCRAM-SHA-256 or MD5 authentication to verify the user's password.
password: requires the client to provide an unencrypted password for authentication. Sending the password in plain text over the network is not safe.
gss: uses GSSAPI to authenticate the user. This applies only to TCP/IP connections.
ident: obtains the client's operating system user name by contacting the ident server on the client host and checks that it matches the requested database user name. Ident authentication can only be used for TCP/IP connections.
peer: obtains the client's operating system user name from the operating system. Only for local connections.
cert: authenticates using SSL client certificates.
pam: authenticates using the Pluggable Authentication Modules (PAM) service provided by the operating system.

-2. Ident user name mapping: configuration file pg_ident.conf

Record format: MAPNAME SYSTEM-USERNAME PG-USERNAME

User name mappings are defined in the ident mapping file.

-3. Authentication method:

Trust authentication: should be used only if there is adequate operating-system-level protection on connections to the server. trust can be used on multi-user computers if you use file system permissions to restrict access to the server's Unix domain socket file.

Password authentication:

scram-sha-256: prevents password sniffing on untrusted connections and supports storing passwords on the server in a cryptographically hashed form.
md5: prevents password sniffing and avoids storing passwords on the server in clear text. SCRAM-based authentication is preferable.
password: sends the password in clear text, so it should be used only if the connection is protected by SSL encryption.

Each database user's password is stored in the pg_authid system catalog.

-4. GSSAPI authentication:

GSSAPI provides automatic authentication (single sign-on) for systems that support it. The authentication itself is secure, but the data sent over the database connection is not encrypted unless you use SSL. GSSAPI support must be enabled when building PostgreSQL.

Ident authentication: the ident authentication method works by getting the client's operating system user name from the ident server and using it as the allowed database user name. It is supported only on TCP/IP connections.

Peer authentication: the peer authentication method works by getting the client's operating system user name from the kernel and using it as the allowed database user name. It is supported only for local connections.

Certificate authentication: uses SSL client certificates to perform authentication. For SSL connections only. When using this authentication method, the server requires the client to provide a valid, trusted certificate. No password prompt is sent to the client. The cn (Common Name) attribute of the certificate is compared with the requested database user name and, if they match, login is allowed.
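The record format and the per-method guidance above can be checked mechanically. The following is an added example, not code from the original article or from PostgreSQL: a small auditor that parses pg_hba.conf records and flags the combinations the article warns about. The function names and the sample file are constructed for illustration, and it assumes addresses are written in CIDR form and names are unquoted.

```python
# Constructed sample pg_hba.conf (not from the article); addresses in CIDR form.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER     ADDRESS         METHOD
local    all       postgres                 peer
host     all       all      0.0.0.0/0       trust
host     appdb     app      10.0.0.0/8      password
hostssl  appdb     app      10.0.0.0/8      password
host     appdb     report   192.168.1.0/24  md5
host     appdb     etl      10.1.2.0/24     peer
host     all       all      ::0/0           cert
hostssl  appdb     app,etl  10.1.2.0/24     scram-sha-256
"""

def parse_hba(text):
    """Return one dict per record; 'local' records have no address field."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] == "local":
            fields.insert(3, None)  # pad the missing address column
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: incomplete record")
        ctype, db, user, addr, method = fields[:5]  # auth options are ignored
        records.append({"line": lineno, "type": ctype, "databases": db.split(","),
                        "users": user.split(","), "address": addr, "method": method})
    return records

def audit(records):
    """Return (line, message) findings based on the rules in the article."""
    findings = []
    for r in records:
        tcp = r["type"] != "local"
        scope = " from any address" if r["address"] in ("0.0.0.0/0", "::0/0") else ""
        if r["method"] == "trust" and tcp:
            findings.append((r["line"], "trust over TCP/IP: no authentication" + scope))
        elif r["method"] == "password" and r["type"] in ("host", "hostnossl"):
            findings.append((r["line"], "password sent in clear text unless the record is hostssl"))
        elif r["method"] == "md5":
            findings.append((r["line"], "md5: prefer scram-sha-256"))
        elif r["method"] == "peer" and tcp:
            findings.append((r["line"], "peer is only supported for local connections"))
        elif r["method"] == "cert" and r["type"] != "hostssl":
            findings.append((r["line"], "cert requires an SSL connection: use hostssl"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_hba(SAMPLE_HBA)), sep="\n")
```

On the constructed sample, the hostssl record using password and the scram-sha-256 record pass, while the trust, plain-host password, md5, TCP peer and non-SSL cert records are reported with their line numbers.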
