From e5a37d958decfbc9dc650e66775db5896b7486ff Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Thu, 19 Dec 2019 09:42:46 -0500
Subject: [PATCH] Doc: add a short summary of available authentication methods.

The "auth-methods" used to include descriptions of all our authentication methods. Commit 56811e573 promoted its child 's to 's, which has advantages but also created some issues:

* The auth-methods page itself is essentially empty/useless.
* Links that pointed to "auth-methods" as a placeholder for all auth methods were rendered a bit nonsensical.
* DocBook no longer provides a subsection table-of-contents here, which formerly was a useful if terse summary of available auth methods.

To improve matters, add a handwritten list of all the auth methods.

Per gripe from Dave Cramer. Back-patch to v11 where the previous commit came in.

Discussion: https://postgr.es/m/CADK3HH+xQLhcPgg=kWqfogtXGGZr-JdSo=x=WQC0PkAVyxUWyQ@mail.gmail.com
---
 doc/src/sgml/client-auth.sgml | 95 ++++++++++++++++++++++++++++++++++-
 1 file changed, 94 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 36e5a5d9a8..5f1eec78fb 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -911,8 +911,101 @@ omicron bryanh guest1 Authentication Methods + - The following sections describe the authentication methods in more detail. + PostgreSQL provides various methods for + authenticating users: + + + + + Trust authentication, which + simply trusts that users are who they say they are. + + + + + Password authentication, which + requires that users send a password. + + + + + GSSAPI authentication, which + relies on a GSSAPI-compatible security library. Typically this is + used to access an authentication server such as a Kerberos or + Microsoft Active Directory server. + + + + + SSPI authentication, which + uses a Windows-specific protocol similar to GSSAPI. + + + + + Ident authentication, which + relies on an Identification Protocol (RFC 1413) + service on the client's machine. (On local Unix-socket connections, + this is treated as peer authentication.) + + + + + Peer authentication, which + relies on operating system facilities to identify the process at the + other end of a local connection. This is not supported for remote + connections. + + + + + LDAP authentication, which + relies on an LDAP authentication server. + + + + + RADIUS authentication, which + relies on a RADIUS authentication server. + + + + + Certificate authentication, which + requires an SSL connection and authenticates users by checking the + SSL certificate they send. + + + + + PAM authentication, which + relies on a PAM (Pluggable Authentication Modules) library. + + + + + BSD authentication, which + relies on the BSD Authentication framework (currently available + only on OpenBSD). + + + + + + + Peer authentication is usually recommendable for local connections, + though trust authentication might be sufficient in some circumstances. + Password authentication is the easiest choice for remote connections. 
+ All the other options require some kind of external security + infrastructure (usually an authentication server or a certificate + authority for issuing SSL certificates), or are platform-specific. + + + + The following sections describe each of these authentication methods + in more detail.
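Review bot: In the closing recommendation paragraph, "Password authentication is the easiest choice for remote connections" reads as a blanket endorsement, while the list item for it says only that it "requires that users send a password". Password authentication covers several methods of differing strength (scram-sha-256, md5 and the clear-text password method), so a reader choosing from this summary alone could land on the clear-text variant over an unencrypted connection. Suggest qualifying the sentence, for instance by saying that the method should be chosen from the password section and that the clear-text variant is only safe on SSL-protected connections. In the same paragraph, "trust authentication might be sufficient in some circumstances" leaves the circumstances unstated; naming them (such as a single-user machine, or a Unix socket restricted by filesystem permissions) would keep readers from applying trust more widely than intended. As a style point, "usually recommendable" would read better as "usually recommended".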