-
-
Security and Authentication
+
+
+
Authentication
+
+ password_encryption (enum)
+
+
password_encryption configuration parameter
+
+
+
+ When a password is specified in or
+ , this parameter determines the algorithm
+ to use to encrypt the password. The default value is md5,
+ which stores the password as an MD5 hash (on is also
+ accepted, as alias for md5). Setting this parameter to
+ scram-sha-256 will encrypt the password with SCRAM-SHA-256.
+
+ Note that older clients might lack support for the SCRAM authentication
+ mechanism, and hence not work with passwords encrypted with
+ SCRAM-SHA-256. See for more details.
+
+
+
+
+
+ krb_server_keyfile (string)
+
+
krb_server_keyfile configuration parameter
+
+
+
+ Sets the location of the Kerberos server key file. See
+
+ for details. This parameter can only be set in the
+ postgresql.conf file or on the server command line.
+
+
+
+
+
+ krb_caseins_users (boolean)
+
+
krb_caseins_users configuration parameter
+
+
+
+ Sets whether GSSAPI user names should be treated
+ case-insensitively.
+ The default is off (case sensitive). This parameter can only be
+ set in the postgresql.conf file or on the server command line.
+
+
+
+
+
+ db_user_namespace (boolean)
+
+
db_user_namespace configuration parameter
+
+
+
+ This parameter enables per-database user names. It is off by default.
+ This parameter can only be set in the postgresql.conf
+ file or on the server command line.
+
+
+ If this is on, you should create users as username@dbname.
+ When username is passed by a connecting client,
+ @ and the database name are appended to the user
+ name and that database-specific user name is looked up by the
+ server. Note that when you create users with names containing
+ @ within the SQL environment, you will need to
+ quote the user name.
+
+
+ With this parameter enabled, you can still create ordinary global
+ users. Simply append @ when specifying the user
+ name in the client, e.g. joe@. The @
+ will be stripped off before the user name is looked up by the
+ server.
+
+
+ db_user_namespace causes the client's and
+ server's user name representation to differ.
+ Authentication checks are always done with the server's user name
+ so authentication methods must be configured for the
+ server's user name, not the client's. Because
+ md5 uses the user name as salt on both the
+ client and server, md5 cannot be used with
+ db_user_namespace.
+
+
+
+ This feature is intended as a temporary measure until a
+ complete solution is found. At that time, this option will
+ be removed.
+
+
+
+
+
+
+
+
+
SSL
+
+ See for more information about setting up SSL.
+
+
+
ssl (boolean)
- Enables
SSL connections. Please read
- before using this.
+ Enables
SSL connections.
This parameter can only be set in the postgresql.conf
file or on the server command line.
The default is off.
-
- password_encryption (enum)
-
-
password_encryption configuration parameter
-
-
-
- When a password is specified in or
- , this parameter determines the algorithm
- to use to encrypt the password. The default value is md5,
- which stores the password as an MD5 hash (on is also
- accepted, as alias for md5). Setting this parameter to
- scram-sha-256 will encrypt the password with SCRAM-SHA-256.
-
- Note that older clients might lack support for the SCRAM authentication
- mechanism, and hence not work with passwords encrypted with
- SCRAM-SHA-256. See for more details.
-
-
-
-
ssl_dh_params_file (string)
-
-
- krb_server_keyfile (string)
-
-
krb_server_keyfile configuration parameter
-
-
-
- Sets the location of the Kerberos server key file. See
-
- for details. This parameter can only be set in the
- postgresql.conf file or on the server command line.
-
-
-
-
-
- krb_caseins_users (boolean)
-
-
krb_caseins_users configuration parameter
-
-
-
- Sets whether GSSAPI user names should be treated
- case-insensitively.
- The default is off (case sensitive). This parameter can only be
- set in the postgresql.conf file or on the server command line.
-
-
-
-
-
- db_user_namespace (boolean)
-
-
db_user_namespace configuration parameter
-
-
-
- This parameter enables per-database user names. It is off by default.
- This parameter can only be set in the postgresql.conf
- file or on the server command line.
-
-
- If this is on, you should create users as username@dbname.
- When username is passed by a connecting client,
- @ and the database name are appended to the user
- name and that database-specific user name is looked up by the
- server. Note that when you create users with names containing
- @ within the SQL environment, you will need to
- quote the user name.
-
-
- With this parameter enabled, you can still create ordinary global
- users. Simply append @ when specifying the user
- name in the client, e.g. joe@. The @
- will be stripped off before the user name is looked up by the
- server.
-
-
- db_user_namespace causes the client's and
- server's user name representation to differ.
- Authentication checks are always done with the server's user name
- so authentication methods must be configured for the
- server's user name, not the client's. Because
- md5 uses the user name as salt on both the
- client and server, md5 cannot be used with
- db_user_namespace.
-
-
-
- This feature is intended as a temporary measure until a
- complete solution is found. At that time, this option will
- be removed.
-
-
-
-
-
gettext_noop("Connections and Authentication"),
/* CONN_AUTH_SETTINGS */
gettext_noop("Connections and Authentication / Connection Settings"),
- /* CONN_AUTH_SECURITY */
- gettext_noop("Connections and Authentication / Security and Authentication"),
+ /* CONN_AUTH_AUTH */
+ gettext_noop("Connections and Authentication / Authentication"),
+ /* CONN_AUTH_SSL */
+ gettext_noop("Connections and Authentication / SSL"),
/* RESOURCES */
gettext_noop("Resource Usage"),
/* RESOURCES_MEM */
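Review bot: The strings in this array are what pg_settings.category reports, so dropping "Connections and Authentication / Security and Authentication" in favour of two new strings is a user-visible change rather than a relabelling, and nothing visible in this diff calls it out; monitoring or deployment tooling that filters pg_settings by category text will need the new names, as will anyone looking for row_security, which the later guc.c hunk moves to the CLIENT_CONN_STATEMENT group. A one-line mention in the commit message or release notes would cover it, e.g. `The "Security and Authentication" GUC category is split into "Authentication" and "SSL"; row_security now lives under Statement Behavior.` The array is also position-coupled to the config_group enum in guc_tables.h (the last hunk of this diff), and the new `/* CONN_AUTH_AUTH */` and `/* CONN_AUTH_SSL */` comments are the only thing tying each entry to its enum value, so the two insertions here must keep the same relative order as the enum — which they do.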
NULL, NULL, NULL
},
{
- {"ssl", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Enables SSL connections."),
NULL
},
check_ssl, NULL, NULL
},
{
- {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_prefer_server_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Give priority to server ciphersuite order."),
NULL
},
NULL, NULL, NULL
},
{
- {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"db_user_namespace", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Enables per-database user names."),
NULL
},
check_transaction_deferrable, NULL, NULL
},
{
- {"row_security", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"row_security", PGC_USERSET, CLIENT_CONN_STATEMENT,
gettext_noop("Enable row security."),
gettext_noop("When enabled, row security will be applied to all users.")
},
},
{
- {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"krb_caseins_users", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets whether Kerberos and GSSAPI user names should be treated as case-insensitive."),
NULL
},
},
{
- {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"authentication_timeout", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the maximum allowed time to complete client authentication."),
NULL,
GUC_UNIT_S
},
{
- {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"ssl_renegotiation_limit", PGC_USERSET, CONN_AUTH_SSL,
gettext_noop("SSL renegotiation is no longer supported; this can only be 0."),
NULL,
GUC_NO_SHOW_ALL | GUC_NOT_IN_SAMPLE | GUC_DISALLOW_IN_FILE,
},
{
- {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_AUTH,
gettext_noop("Sets the location of the Kerberos server key file."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_cert_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server certificate file."),
NULL
},
},
{
- {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_key_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL server private key file."),
NULL
},
},
{
- {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ca_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate authority file."),
NULL
},
},
{
- {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_crl_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL certificate revocation list file."),
NULL
},
},
{
- {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the list of allowed SSL ciphers."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the curve to use for ECDH."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SECURITY,
+ {"ssl_dh_params_file", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Location of the SSL DH parameters file."),
NULL,
GUC_SUPERUSER_ONLY
},
{
- {"password_encryption", PGC_USERSET, CONN_AUTH_SECURITY,
+ {"password_encryption", PGC_USERSET, CONN_AUTH_AUTH,
gettext_noop("Encrypt passwords."),
gettext_noop("When a password is specified in CREATE USER or "
"ALTER USER without writing either ENCRYPTED or UNENCRYPTED, "
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
-# - Security and Authentication -
+# - TCP Keepalives -
+# see "man 7 tcp" for details
+
+#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
+ # 0 selects the system default
+#tcp_keepalives_count = 0 # TCP_KEEPCNT;
+ # 0 selects the system default
+
+# - Authentication -
#authentication_timeout = 1min # 1s-600s
-#ssl = off
-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
-#ssl_prefer_server_ciphers = on
-#ssl_ecdh_curve = 'prime256v1'
-#ssl_dh_params_file = ''
-#ssl_cert_file = 'server.crt'
-#ssl_key_file = 'server.key'
-#ssl_ca_file = ''
-#ssl_crl_file = ''
#password_encryption = md5 # md5 or scram-sha-256
#db_user_namespace = off
-#row_security = on
# GSSAPI using Kerberos
#krb_server_keyfile = ''
#krb_caseins_users = off
-# - TCP Keepalives -
-# see "man 7 tcp" for details
+# - SSL -
-#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
- # 0 selects the system default
-#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
- # 0 selects the system default
-#tcp_keepalives_count = 0 # TCP_KEEPCNT;
- # 0 selects the system default
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_dh_params_file = ''
#------------------------------------------------------------------------------
# - Statement Behavior -
#search_path = '"$user", public' # schema names
+#row_security = on
#default_tablespace = '' # a tablespace name, '' uses the default
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
FILE_LOCATIONS,
CONN_AUTH,
CONN_AUTH_SETTINGS,
- CONN_AUTH_SECURITY,
+ CONN_AUTH_AUTH,
+ CONN_AUTH_SSL,
RESOURCES,
RESOURCES_MEM,
RESOURCES_DISK,
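Review bot: This enum is consumed positionally by config_group_names[] in guc.c (the first guc.c hunk above), so CONN_AUTH_AUTH and CONN_AUTH_SSL must sit at exactly the index of their array entries; the commit keeps them aligned, but nothing enforces that, and a future insertion in one place only would shift every later category label at runtime with no build error. Removing CONN_AUTH_SECURITY outright (rather than keeping it as an alias) is the right call, since any GUC or extension still using the old value then fails to compile instead of being silently miscategorised. Consider ending the enum with a count member and adding a compile-time assertion in guc.c that lengthof(config_group_names) matches it (plus one if the array keeps a terminating NULL, which is outside this hunk), and a comment on the enum such as `/* Order must match config_group_names[] in guc.c. */`.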