PostgreSQL Chinese Operations Guide

19.10. Secure TCP/IP Connections with GSSAPI Encryption


PostgreSQL also has native support for using GSSAPI to encrypt client/server communications for increased security. Support requires that a GSSAPI implementation (such as MIT Kerberos) is installed on both client and server systems, and that support in PostgreSQL is enabled at build time (see Chapter 17).

19.10.1. Basic Setup


The PostgreSQL server will listen for both normal and GSSAPI-encrypted connections on the same TCP port, and will negotiate with any connecting client whether to use GSSAPI for encryption (and for authentication). By default, this decision is up to the client (which means it can be downgraded by an attacker); see Section 21.1 about setting up the server to require the use of GSSAPI for some or all connections.


When using GSSAPI for encryption, it is common to use GSSAPI for authentication as well, since the underlying mechanism will determine both client and server identities (according to the GSSAPI implementation) in any case. But this is not required; another PostgreSQL authentication method can be chosen to perform additional verification.


Other than configuration of the negotiation behavior, GSSAPI encryption requires no setup beyond that which is necessary for GSSAPI authentication. (For more information on configuring that, see Section 21.6.)
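The point of 19.10.1 is that, unless the server is configured otherwise, the client decides whether GSSAPI encryption is used, so an attacker who can tamper with the connection can downgrade it. The following is an added example (not PostgreSQL's own code or tooling) of how a defender can check a pg_hba.conf for rules that still match non-GSS-encrypted TCP connections and rewrite them to the GSS-only form. It relies on the pg_hba.conf rule types hostgssenc and hostnogssenc and the libpq connection parameter gssencmode, all of which exist in PostgreSQL 12 and later; the sample pg_hba.conf contents, the realm EXAMPLE.COM and the network addresses are constructed for the example.

```python
"""Audit and harden pg_hba.conf rules that permit a GSSAPI-encryption downgrade.

Added example, not part of PostgreSQL. Assumptions: the sample pg_hba.conf
below is constructed; the rule types hostgssenc/hostnogssenc and the libpq
parameter gssencmode are real (PostgreSQL 12+).
"""
import shlex

# Constructed sample pg_hba.conf. Plain "host" rules match TCP connections
# whether or not they are GSS-encrypted, so they leave the choice to the client.
SAMPLE_HBA = """\
# TYPE         DATABASE  USER  ADDRESS         METHOD         [OPTIONS]
local          all       all                   peer
host           all       all   10.0.0.0/8      gss            include_realm=0 krb_realm=EXAMPLE.COM
hostgssenc     all       all   10.0.0.0/8      gss
hostnogssenc   all       all   192.168.1.0/24  scram-sha-256
hostssl        all       all   0.0.0.0/0       scram-sha-256
"""

# Rule types that can match a connection which is NOT GSSAPI-encrypted.
# "hostssl" is SSL-encrypted and "hostgssenc" is GSS-encrypted, so neither
# is a GSS downgrade path; "local" is a Unix socket and has no TCP negotiation.
DOWNGRADEABLE = {
    "host": "matches both GSS-encrypted and unencrypted TCP connections",
    "hostnogssenc": "matches only connections without GSS encryption",
}


def parse_hba(text):
    """Return (lineno, fields) for every non-blank, non-comment record.

    Comments are stripped at the first '#'; pg_hba.conf values are
    whitespace-separated and may be double-quoted, which shlex handles.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            records.append((lineno, shlex.split(line)))
    return records


def audit_hba(text):
    """Return one finding per rule that still permits a non-GSS-encrypted TCP connection."""
    findings = []
    for lineno, fields in parse_hba(text):
        rtype = fields[0]
        if rtype in DOWNGRADEABLE:
            findings.append({
                "line": lineno,
                "type": rtype,
                "database": fields[1],
                "user": fields[2],
                "address": fields[3],
                "method": fields[4] if len(fields) > 4 else None,
                "reason": DOWNGRADEABLE[rtype],
            })
    return findings


def harden_hba(text):
    """Rewrite the file so every TCP rule requires GSSAPI encryption.

    "host" rules become "hostgssenc" (same database/user/address/method);
    "hostnogssenc" rules are commented out, since their only purpose is to
    admit unencrypted connections.
    """
    out = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        fields = shlex.split(stripped) if stripped else []
        if fields and fields[0] == "host":
            # The rule type is the first token, so this replaces only the type.
            out.append(raw.replace("host", "hostgssenc", 1))
        elif fields and fields[0] == "hostnogssenc":
            out.append("# disabled (admitted unencrypted connections): " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def client_conninfo(host, dbname, user):
    """Client-side counterpart: gssencmode=require makes libpq refuse to fall
    back to an unencrypted connection instead of letting a peer negotiate it away."""
    return f"host={host} dbname={dbname} user={user} gssencmode=require"


if __name__ == "__main__":
    for f in audit_hba(SAMPLE_HBA):
        print(f"line {f['line']}: {f['type']} {f['database']} {f['user']} "
              f"{f['address']} {f['method']} -> {f['reason']}")
    print(harden_hba(SAMPLE_HBA))
    print(client_conninfo("db.example.com", "app", "alice"))
```

The audit flags two of the sample rules (the plain host rule and the hostnogssenc rule); after harden_hba the audit is empty. Note that hostgssenc only forces encryption; the method column still decides authentication, which is why the page says GSSAPI authentication is common but not required alongside GSSAPI encryption. The hardened server-side rules and gssencmode=require on the client together remove the client-decides negotiation the section warns about.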