The PostgreSQL 9.0 Reference Manual - Volume 3 - Server Administration Guide
by The PostgreSQL Global Development Group
4.3.2 Security and Authentication
Maximum time to complete client authentication, in seconds. If a
would-be client has not completed the authentication protocol in
this much time, the server closes the connection. This prevents
hung clients from occupying a connection indefinitely.
The default is one minute (1m). This parameter can only be set in the ‘postgresql.conf’ file or on the server command line.
Enables SSL connections. Please read section 3.8 Secure TCP/IP Connections with SSL before using this. The default is off. This parameter can only be set at server start. SSL communication is only possible with TCP/IP connections.
Specifies how much data can flow over an SSL-encrypted
connection before renegotiation of the session keys will take
place. Renegotiation decreases an attacker's chances of doing
cryptanalysis when large amounts of traffic can be examined, but it
also carries a large performance penalty. The sum of sent and received
traffic is used to check the limit. If this parameter is set to 0,
renegotiation is disabled. The default is
Note: SSL libraries from before November 2009 are insecure when using SSL renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix for this vulnerability, some vendors shipped SSL libraries incapable of doing renegotiation. If any such libraries are in use on the client or server, SSL renegotiation should be disabled.
- Specifies a list of SSL ciphers that are allowed to be used on secure connections. See the openssl manual page for a list of supported ciphers.
When a password is specified in ALTER USER without writing either UNENCRYPTED, this parameter determines whether the password is to be encrypted. The default is on (encrypt the password).
- Sets the location of the Kerberos server key file. See section 5.3.5 Kerberos authentication or section 5.3.3 GSSAPI authentication for details. This parameter can only be set in the ‘postgresql.conf’ file or on the server command line.
- Sets the Kerberos service name. See section 5.3.5 Kerberos authentication for details. This parameter can only be set in the ‘postgresql.conf’ file or on the server command line.
Sets whether Kerberos and GSSAPI user names should be treated
The default is off (case sensitive). This parameter can only be set in the ‘postgresql.conf’ file or on the server command line.
This parameter enables per-database user names. It is off by default.
This parameter can only be set in the ‘postgresql.conf’
file or on the server command line.
If this is on, you should create users as
username is passed by a connecting client,
@ and the database name are appended to the user name and that database-specific user name is looked up by the server. Note that when you create users with names containing @ within the SQL environment, you will need to quote the user name. With this parameter enabled, you can still create ordinary global users. Simply append @ when specifying the user name in the client, e.g.
@ will be stripped off before the user name is looked up by the server.
db_user_namespace causes the client's and server's user name representation to differ. Authentication checks are always done with the server's user name so authentication methods must be configured for the server's user name, not the client's. Because md5 uses the user name as salt on both the client and server, md5 cannot be used with
Note: This feature is intended as a temporary measure until a complete solution is found. At that time, this option will be removed.
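The name mapping and the md5 conflict described above, as an added sketch in Python (not PostgreSQL's own code). The function names, the user `joe`, the database `sales`, the password and the salt bytes are constructed for illustration.

```python
import hashlib
import hmac

def server_user_name(client_name: str, database: str) -> str:
    """Name the server looks up when db_user_namespace is on."""
    if client_name and client_name.find("@") == len(client_name) - 1:
        return client_name[:-1]            # global user: trailing @ is stripped
    return f"{client_name}@{database}"     # per-database user: @dbname appended

def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_verifier(password: str, user_name: str) -> str:
    """md5 verifier as kept by the server: the user name acts as the salt."""
    return "md5" + _md5_hex((password + user_name).encode())

def client_response(password: str, name_sent: str, session_salt: bytes) -> str:
    """What the client sends: it salts with the name it passed, not the server's."""
    inner = _md5_hex((password + name_sent).encode())
    return "md5" + _md5_hex(inner.encode() + session_salt)

def md5_login_succeeds(name_sent: str, database: str, password: str,
                       session_salt: bytes, namespace_on: bool) -> bool:
    """Compare the client's md5 response with what the server derives."""
    server_name = server_user_name(name_sent, database) if namespace_on else name_sent
    verifier = stored_verifier(password, server_name)   # salted with server's name
    expected = "md5" + _md5_hex(verifier[3:].encode() + session_salt)
    response = client_response(password, name_sent, session_salt)
    return hmac.compare_digest(response, expected)

SALT = b"\x1f\x2e\x3d\x4c"  # constructed 4-byte per-session salt

if __name__ == "__main__":
    for name in ("joe", "joe@"):
        print(name, "->", server_user_name(name, "sales"),
              "| md5 ok:", md5_login_succeeds(name, "sales", "s3cret", SALT, True))
```

With the namespace on, the client and server salt the password with different names in both cases, so the correct password never verifies under md5.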