PostgreSQL Chinese Operation Guide
21.11. RADIUS Authentication
This authentication method operates similarly to password except that it uses RADIUS as the password verification method. RADIUS is used only to validate the user name/password pair; it does not create roles or grant privileges. Therefore the user must already exist in the database before RADIUS can be used for authentication.
When using RADIUS authentication, an Access Request message is sent to the configured RADIUS server. This request is of type Authenticate Only and carries the user name, the password, and a NAS Identifier. Only the password attribute is protected, by hiding it with a secret shared with the server (see the note below on how strong that protection is); the rest of the request is not encrypted. The RADIUS server responds with either Access Accept or Access Reject. There is no support for RADIUS accounting.
Multiple RADIUS servers can be specified, in which case they are tried sequentially. If a negative response (Access Reject) is received from a server, authentication fails immediately; later servers in the list are not consulted. Only if no response is received is the next server in the list tried, so the list provides failover against unreachable servers, not a second opinion on a rejected password. To specify multiple servers, separate the server names with commas and surround the list with double quotes. If multiple servers are specified, the other RADIUS options can also be given as comma-separated lists, providing one value per server in the same order. They can also be specified as a single value, in which case that value applies to all servers.
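The exchange described above, both sides of it, as an added example that is not part of the original page or of PostgreSQL's own code: the client builds an Access-Request with User-Name, the hidden User-Password, Service-Type = Authenticate Only and NAS-Identifier; a toy in-memory server validates it and answers Access-Accept or Access-Reject; the client checks the Response Authenticator before trusting the verdict; and authenticate() walks a server list with the documented failover rule (reject ends the attempt, silence moves on). Packet codes, attribute numbers, the Service-Type value and the MD5 constructions are taken from RFC 2865; the user table, secret and the send/timeout stand-ins are constructed for the demo, and there is no real UDP transport or retransmission.

```python
import hashlib
import hmac
import os
import struct

# Packet codes, attribute types and the Service-Type value, from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE, ATTR_NAS_IDENTIFIER = 1, 2, 6, 32
SERVICE_TYPE_AUTHENTICATE_ONLY = 8

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: NUL-pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded by the Request Authenticator. Keyed
    obfuscation only; nothing else in the request is protected."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server-side inverse; NUL padding is stripped (a password ending in NUL is not representable)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value  # type, length incl. header, value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, user, password, secret, nas_id=b"postgresql", authenticator=None):
    """Client (PostgreSQL) side: Access-Request carrying the four attributes the page lists."""
    authenticator = authenticator or os.urandom(16)  # fresh random 16-byte Request Authenticator
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHENTICATE_ONLY))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def radius_server_respond(request, secret, users):
    """Toy server: unhide the password, check it against a user table, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    name = attrs.get(ATTR_USER_NAME, b"")
    ok = name in users and hmac.compare_digest(users[name], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)

def check_response(response, request, secret):
    """Client side: True for Access-Accept, False for Access-Reject; raises if the reply was
    forged or keyed with a different secret (the usual symptom of a mismatched radiussecrets)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("response authenticator mismatch: forged reply or wrong shared secret")
    return code == ACCESS_ACCEPT

def authenticate(servers, user, password):
    """Sequential failover as the page describes: servers = [(send, secret, nas_id), ...] where
    send(packet) returns reply bytes or None on timeout. A reject ends the attempt; silence moves on."""
    for ident, (send, secret, nas_id) in enumerate(servers):
        request = build_access_request(ident, user, password, secret, nas_id)
        reply = send(request)
        if reply is not None:
            return check_response(reply, request, secret)
    return False

# Constructed fixtures so the module runs offline (not real credentials).
SECRET = b"a-shared-secret-of-at-least-16-chars"
USERS = {b"alice": b"correct horse battery staple"}

def in_memory_server(secret, users):
    """Constructed stand-in for a network send: answers from a local user table."""
    return lambda packet: radius_server_respond(packet, secret, users)

def unreachable(packet):
    """Constructed stand-in for a server that never answers (timeout)."""
    return None

if __name__ == "__main__":
    chain = [(unreachable, SECRET, b"pg-prod"), (in_memory_server(SECRET, USERS), SECRET, b"pg-prod")]
    print(authenticate(chain, b"alice", b"correct horse battery staple"))  # True
```

Two things worth trying with this model: put a server that rejects first in the chain and the accepting server second, and the result is still a failure, exactly as the text says; and give the server a different secret from the client, and the reply fails check_response rather than merely being rejected, which is what a mismatched radiussecrets looks like from the PostgreSQL side.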
The following configuration options are supported for RADIUS:
- radiusservers
  The DNS names or IP addresses of the RADIUS servers to connect to. This parameter is required.
- radiussecrets
  The shared secrets used when talking securely to the RADIUS servers. This must have exactly the same value on the PostgreSQL and RADIUS servers: the secret keys both the hiding of the password in the request and the authenticator on the reply, so a mismatch makes every authentication fail. It is recommended that this be a string of at least 16 characters. This parameter is required.
- radiusports
  The port numbers to connect to on the RADIUS servers. If no port is specified, the default RADIUS authentication port (1812) will be used.
- radiusidentifiers
  The strings to be used as NAS Identifier in the RADIUS requests. This parameter can be used, for example, to identify which database cluster the user is attempting to connect to, which is useful for policy matching on the RADIUS server. If no identifier is specified, the default postgresql will be used.
Note
The random Request Authenticator that seeds the password hiding is only cryptographically strong if PostgreSQL is built with support for OpenSSL. In other cases, the transmission to the RADIUS server should be considered obfuscated, not secured, and external security measures (such as a dedicated management network or an IPsec tunnel to the RADIUS server) should be applied if necessary.
If it is necessary to have a comma or whitespace in a RADIUS parameter value, that can be done by putting double quotes around the value, but it is tedious because two layers of double quoting are then required: the outer quotes delimit the whole list, and the inner, doubled quotes delimit each element. An example of putting whitespace into RADIUS secret strings is:
host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
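A fuller pg_hba.conf entry combining the options above, as an added example that is not from the original page: two servers tried in order, a single secret applied to both, and per-server ports and NAS identifiers given as comma-separated lists. The host names, address range, port numbers, identifiers and secret are placeholders.

```text
# Added example, not from the original page; replace the placeholders before use.
# hostssl so the client-to-PostgreSQL leg is TLS even though the RADIUS leg is only obfuscated.
hostssl all all 10.0.0.0/8 radius radiusservers="radius1.example.com,radius2.example.com" radiussecrets="replace-with-a-secret-of-16-or-more-chars" radiusports="1812,18120" radiusidentifiers="pg-prod-primary,pg-prod-standby"
```

The role still has to exist on the PostgreSQL side (for example CREATE ROLE alice LOGIN; with no password), because RADIUS only answers yes or no for the name/password pair and cannot create it. If radius2.example.com is reached only when radius1.example.com times out, check that both servers know the PostgreSQL host as a client with the same secret, since a reply keyed with a different secret fails validation rather than producing a clean reject.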