PostgreSQL Chinese Operation Guide
21.8. Ident Authentication
The ident authentication method works by obtaining the client's operating system user name from an ident server running on the client host and using it as the allowed database user name (with an optional user name mapping). It is only supported on TCP/IP connections.
Note
When ident is specified for a local (non-TCP/IP) connection, peer authentication (see Section 21.9) is used instead.
The following configuration options are supported for ident:

- map: Allows for mapping between system and database user names. See Section 21.2 for details.
The "Identification Protocol" is described in RFC 1413. Virtually every Unix-like operating system ships with an ident server that listens on TCP port 113 by default. The basic function of an ident server is to answer questions of the form "Which user initiated the connection that goes out of your port X and connects to my port Y?". Since PostgreSQL knows both X and Y once a physical connection has been established, it can interrogate the ident server on the host of the connecting client and can, in principle, determine the operating system user for any given connection.
The drawback of this procedure is that it depends entirely on the integrity of the client: the ident reply is an unauthenticated claim made by the client host, and if that machine is untrusted or compromised, an attacker can run any program they like on port 113 and return whatever user name they choose. This authentication method is therefore only appropriate for closed networks in which every client machine is under tight control and the database and system administrators work in close contact. In other words, you must trust the machine running the ident server. Heed the warning:
Some ident servers have a nonstandard option that causes the returned user name to be encrypted, using a key known only to the originating machine's administrator. This option must not be used when the ident server is used with PostgreSQL, because PostgreSQL has no way to decrypt the returned string and so cannot determine the actual user name.
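The following added example (written for this page; it is not PostgreSQL source code) walks through the exchange described above: the "X, Y" query PostgreSQL sends to port 113, the RFC 1413 reply it gets back, and a pg_ident.conf style map of the kind the map option selects, with the regex and \1 substitution rules of Section 21.2. The map name "staff", the user names, the port numbers 6543 and 5432, the three reply lines and the helper names (build_ident_query, parse_ident_response, map_allows, ident_authenticate) are all constructed for illustration; the echoed-port comparison in ident_authenticate is this example's own sanity check, not something the protocol guarantees. The forged and "encrypted" replies show the two caveats from the text: a compromised client host is believed just as readily as an honest one, and an opaque token matches no map entry.

```python
"""RFC 1413 ident exchange as PostgreSQL drives it, plus a pg_ident.conf style
user-name map. Added illustration for this page; not PostgreSQL source code."""
import re
from typing import Optional, Tuple


def build_ident_query(client_port: int, server_port: int) -> bytes:
    """The query PostgreSQL sends after opening a TCP connection to port 113
    on the client host: "<X>, <Y>\\r\\n", where X is the client's source port
    and Y is the PostgreSQL port the database connection arrived on."""
    return f"{client_port}, {server_port}\r\n".encode("ascii")


def parse_ident_response(line: str) -> Tuple[int, int, Optional[str], Optional[str]]:
    """Parse one ident reply line.
    Success: "<X>, <Y> : USERID : <opsys> : <user-id>"
    Error:   "<X>, <Y> : ERROR : <error-type>"
    Returns (client_port, server_port, user_or_None, error_or_None)."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    ports = re.fullmatch(r"(\d+)\s*,\s*(\d+)", fields[0])
    if ports is None or len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    x, y = int(ports.group(1)), int(ports.group(2))
    if fields[1] == "ERROR":
        return x, y, None, fields[2]
    if fields[1] == "USERID" and len(fields) == 4:
        return x, y, fields[3], None
    raise ValueError(f"malformed ident reply: {line!r}")


def map_allows(pg_ident_conf: str, mapname: Optional[str],
               system_user: str, db_user: str) -> bool:
    """Decide whether system_user may log in as db_user.
    Without a "map" option the two names must be identical. With one, apply
    the pg_ident.conf rules of Section 21.2: a line "MAPNAME SYSTEM-USERNAME
    PG-USERNAME" matches when SYSTEM-USERNAME equals the OS user or, if it
    starts with "/", when the rest is a regular expression matching the OS
    user; "\\1" in PG-USERNAME is replaced by the first capture group."""
    if mapname is None:
        return system_user == db_user
    for raw in pg_ident_conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 3 or parts[0] != mapname:
            continue
        sys_pat, pg_name = parts[1], parts[2]
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if m is None:
                continue
            candidate = pg_name.replace("\\1", m.group(1)) if m.groups() else pg_name
        elif sys_pat == system_user:
            candidate = pg_name
        else:
            continue
        if candidate == db_user:
            return True
    return False


def ident_authenticate(reply: str, client_port: int, server_port: int,
                       pg_ident_conf: str, mapname: Optional[str],
                       db_user: str) -> bool:
    """Server-side decision. The reply is taken at face value: the protocol
    carries nothing that lets the server verify it. Comparing the echoed ports
    is this example's own sanity check; a forged reply echoes them just as well."""
    x, y, os_user, err = parse_ident_response(reply)
    if err is not None or (x, y) != (client_port, server_port):
        return False  # NO-USER, HIDDEN-USER, ... or a reply for another socket
    return map_allows(pg_ident_conf, mapname, os_user, db_user)


# Constructed pg_ident.conf contents (map name and user names are made up).
PG_IDENT_CONF = r"""
# MAPNAME  SYSTEM-USERNAME   PG-USERNAME
staff      alice             alice
staff      bob               app_reader
staff      /^dba_(.*)$       \1
"""

# Constructed replies: an honest ident server, a compromised client host that
# simply claims the OS user it wants, and a server running the nonstandard
# "encrypted" option, which hands back an opaque token instead of a name.
HONEST_REPLY = "6543, 5432 : USERID : UNIX : bob"
FORGED_REPLY = "6543, 5432 : USERID : UNIX : alice"
OPAQUE_REPLY = "6543, 5432 : USERID : OTHER : [Zm9yZ2VkLXRva2Vu]"


def demo() -> dict:
    """Run the three constructed exchanges against the "staff" map."""
    args = (6543, 5432, PG_IDENT_CONF, "staff")
    return {
        "query": build_ident_query(6543, 5432),
        "honest_bob_as_app_reader": ident_authenticate(HONEST_REPLY, *args, "app_reader"),
        "forged_alice_accepted": ident_authenticate(FORGED_REPLY, *args, "alice"),
        "encrypted_reply_rejected": ident_authenticate(OPAQUE_REPLY, *args, "bob"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

In a real deployment the method and the map are selected by a pg_hba.conf entry such as `host all all 192.168.0.0/24 ident map=staff` (an illustrative line, not one from this page). Note that the forged exchange is accepted with exactly the same code path as the honest one: the map narrows which claimed names lead anywhere, but it cannot tell a true claim from a false one, which is why the text restricts ident to networks where every client host is trusted.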