PostgreSQL Chinese Operation Guide
19.7. Preventing Server Spoofing
While the server is running, it is not possible for a malicious user to take the place of the normal database server. However, when the server is down, it is possible for a local user to spoof the normal server by starting their own server. The spoof server could read passwords and queries sent by clients, but could not return any data, because the PGDATA directory would still be protected by its directory permissions. Spoofing is possible because any user can start a database server; a client cannot identify an invalid server unless it is specially configured.
One way to prevent spoofing of local connections is to use a Unix domain socket directory (unix_socket_directories) that has write permission only for a trusted local user. This prevents a malicious user from creating their own socket file in that directory. If you are concerned that some applications might still reference /tmp for the socket file and hence be vulnerable to spoofing, during operating system startup create a symbolic link /tmp/.s.PGSQL.5432 that points to the relocated socket file. You also might need to modify your /tmp cleanup script to prevent removal of the symbolic link.
Another option for local connections is for clients to use requirepeer to specify the required owner of the server process connected to the socket.
To prevent spoofing on TCP connections, either use SSL certificates and make sure that clients check the server's certificate, or use GSSAPI encryption (or both, if they are on separate connections).
To prevent spoofing with SSL, the server must be configured to accept only hostssl connections (Section 21.1) and have SSL key and certificate files (Section 19.9). The TCP client must connect using sslmode=verify-ca or verify-full and have the appropriate root certificate file installed (Section 34.19.1). Alternatively, the system CA pool can be used via sslrootcert=system; in this case, sslmode=verify-full is forced for safety, since it is generally trivial to obtain certificates which are signed by a public CA.
To prevent server spoofing from occurring when using scram-sha-256 password authentication over a network, you should ensure that you connect to the server using SSL and with one of the anti-spoofing methods described in the previous paragraph. Additionally, the SCRAM implementation in libpq cannot protect the entire authentication exchange, but using the channel_binding=require connection parameter provides a mitigation against server spoofing. An attacker that uses a rogue server to intercept a SCRAM exchange can use offline analysis to potentially determine the hashed password from the client.
To prevent spoofing with GSSAPI, the server must be configured to accept only hostgssenc connections (Section 21.1) and use gss authentication with them. The TCP client must connect using gssencmode=require.
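Two small audit helpers, added here as an example and not part of the PostgreSQL documentation: one lists pg_hba.conf rules that still admit unencrypted TCP clients (anything other than hostssl or hostgssenc, per the SSL and GSSAPI paragraphs above), the other checks that a Unix socket directory is writable only by its owner (the local-connection defence above). The sample pg_hba.conf content and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample pg_hba.conf content, not a real file, used to exercise
# the audit helper below.
SAMPLE_HBA='# TYPE      DATABASE  USER  ADDRESS        METHOD
local       all       all                  peer
hostssl     all       all   10.0.0.0/8     scram-sha-256
host        all       all   0.0.0.0/0      scram-sha-256
hostgssenc  all       all   10.1.0.0/16    gss
hostnossl   all       all   10.2.0.0/16    scram-sha-256'

# Print the pg_hba.conf rules read from stdin that still let a TCP client
# connect without SSL or GSSAPI encryption (plain "host" and "hostnossl").
# A server hardened as the section describes should print nothing here.
find_unencrypted_rules() {
    while read -r type rest; do
        case "$type" in
            ''|'#'*)          continue ;;
            host|hostnossl)   echo "$type $rest" ;;
        esac
    done
    return 0
}

# Return 0 if a Unix-domain socket directory is writable only by its owner,
# so nobody else can drop a .s.PGSQL.<port> file there; 1 if group- or
# world-writable (as /tmp normally is); 2 if it is not a directory.
# The mode string from ls -ld is parsed because stat(1) differs across systems.
socket_dir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(ls -ld "$dir" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Usage: show which rules in the constructed sample still need tightening.
printf '%s\n' "$SAMPLE_HBA" | find_unencrypted_rules
```

Run the first helper against a real file with `find_unencrypted_rules < "$PGDATA/pg_hba.conf"`, and the second against each entry of unix_socket_directories.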