PostgreSQL Chinese Operation Guide
21.13. PAM Authentication
This authentication method operates similarly to password except that it uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is postgresql. PAM is used only to validate user name/password pairs and optionally the connected remote host name or IP address. Therefore the user must already exist in the database before PAM can be used for authentication. For more information about PAM, please read the Linux-PAM Page.
The following configuration options are supported for PAM:
- pamservice
  PAM service name.
- pam_use_hostname
  Determines whether the remote IP address or the host name is provided to PAM modules through the PAM_RHOST item. By default, the IP address is used. Set this option to 1 to use the resolved host name instead. Host name resolution can lead to login delays. (Most PAM configurations don't use this information, so it is only necessary to consider this setting if a PAM configuration was specifically created to make use of it.)
Note
If PAM is set up to read /etc/shadow, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue when PAM is configured to use LDAP or other authentication methods.
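The options and the Note above can be checked mechanically. The following is an added example, not part of the PostgreSQL documentation: a small Python audit of the pam rules in a pg_hba.conf. The sample pg_hba.conf, the pg-ldap service name and the PAM stacks are constructed, and treating any pam_unix.so line as the /etc/shadow case is an assumption of this example.

```python
import shlex

# Constructed sample inputs (not taken from a real system).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   10.0.0.0/8    pam
hostssl app       all   192.0.2.0/24  pam pamservice=pg-ldap pam_use_hostname=1
"""
SAMPLE_PAM = {  # PAM service name -> contents of /etc/pam.d/<name>
    "postgresql": "auth required pam_unix.so\naccount required pam_unix.so\n",
    "pg-ldap": "auth required pam_ldap.so\naccount required pam_ldap.so\n",
}

def pam_rules(hba_text):
    """Yield (line_no, pamservice, pam_use_hostname) for every pam rule."""
    for no, line in enumerate(hba_text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # drops '#' comments
        opts = {}
        # Auth options are the trailing name=value fields; the field just
        # before them is the authentication method.
        while fields and "=" in fields[-1]:
            key, _, val = fields.pop().partition("=")
            opts[key] = val
        if fields and fields[-1] == "pam":
            # "postgresql" is the default service name when pamservice is unset.
            yield (no, opts.get("pamservice", "postgresql"),
                   opts.get("pam_use_hostname") == "1")

def audit(hba_text, pam_files):
    """Return (line_no, service, finding) tuples for risky pam rules."""
    findings = []
    for no, service, use_hostname in pam_rules(hba_text):
        stack = pam_files.get(service)
        if stack is None:
            findings.append((no, service, "missing-service-file"))
        elif any("pam_unix.so" in l for l in stack.splitlines()
                 if not l.lstrip().startswith("#")):
            # Assumption: pam_unix.so means the /etc/shadow case in the Note,
            # which fails because the server does not run as root.
            findings.append((no, service, "reads-etc-shadow"))
        if use_hostname:
            # PAM_RHOST carries a resolved host name; lookups can delay logins.
            findings.append((no, service, "rhost-uses-dns"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HBA, SAMPLE_PAM):
        print(finding)
```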