Committer: fruworg <im@fruw.org>

On branch main Your branch is up to date with 'origin/main'. Changes to be committed: new file: .gitmodules new file: archetypes/default.md new file: config.toml new file: content/posts/ald-pro.md new file: content/posts/astra-fly.md new file: content/posts/astra-freeipa.md new file: content/posts/bareos-install.md new file: content/posts/cifs-automount.md new file: content/posts/create-user-keytab.md new file: content/posts/create-user-keytab.md.save new file: content/posts/dhcp-resolv.md new file: content/posts/github-ssh-auth.md new file: content/posts/ip-command.md new file: content/posts/linux-krb5.md new file: content/posts/linux-network.md new file: content/posts/linux-nfs.md.save new file: content/posts/linux-packages-rebuild.md new file: content/posts/lvm-base-commands.md new file: content/posts/pfx-to-pem.md new file: content/posts/pg-probackup-setup.md.save new file: content/posts/pg-probackup-setup.md.save.1 new file: content/posts/postgres-drop-db.md new file: content/posts/postgres-krb5.md new file: content/posts/postgres-ldaps.md new file: content/posts/postgres-pro-astra-se.md new file: content/posts/postgres-replication.md new file: content/posts/postgres-simple-backup.md new file: content/posts/postgres-tls.md new file: content/posts/reverse-shell-nc.md new file: content/posts/run-nologin.md new file: content/posts/security-solutions.md new file: content/posts/selfsigned-to-trusted.md new file: content/posts/ssh-2fa-totp.md new file: content/posts/ssh-auth-by-key.md new file: content/posts/ssh-fail2ban.md new file: content/posts/vmware-clipboard.md new file: content/posts/vmware-restart-date.md new file: content/posts/windows-disable-shutdown.md new file: static/0x952C15AB751A65F6 new file: static/favicon.ico new file: static/fruworg.png new file: themes/archie Changes not staged for commit: modified: themes/archie (modified content)
2025-06-26 04:53:59 +03:00 · 2023-07-26 20:55:24 +05:00
parent f4f05d0ce3
commit 9c4706e826
42 changed files with 1323 additions and 0 deletions
--- a/content/posts/postgres-krb5.md
+++ b/content/posts/postgres-krb5.md
@ -0,0 +1,77 @@
+---
+title: Аутентификация в Postgres Pro с помощью Kerberos
+description: Используя протокол GSSAPI
+date: 2022-11-29T16:21:00+05:00
+tags: [linux, postgres, krb5]
+---
+## Установка Kerberos и Postgres Pro
+Для начала, необходимо установить [Postgres Pro](//fruw.org/posts/postgres-pro-astra-se) и [Kerberos](//fruw.org/posts/linux-krb5).
+На машину с Postgres Pro Kerberos устанавливается также, как и на клиента.
+
+## Конфигурация сервера Kerberos
+
+### Добавление принципиала Postgres Pro
+```shell
+kadmin.local
+addprinc <username>
+addprinc postgres
+addprinc postgres/<pg-hostname>
+q
+```
+
+### Экспорт субъекта-службы
+```shell
+ktutil
+add_entry -password -p postgres/<pg-hostname>@<DOMAIN.NAME> -k 1 -e aes256-cts-hmac-sha1-96
+wkt postgres.keytab
+q
+```
+
+### Перенос субъекта-службы на сервер Postgres Pro
+Перенести keytab можно как угодно, главное, чтобы он находился в папке с конфигурационными файлами Postgres Pro.
+Я перенесу с помощью команды scp:
+```shell
+scp postgres.keytab postgres@<pg-hostname>:/var/lib/pgpro/std-13/data/
+```
+
+## Конфигурация сервера Postgres Pro
+
+### Включение ранее перенесённого keytab
+```shell
+ktutil
+read_kt postgres.keytab
+q
+```
+
+### Изменение конфигруационного файла Postgres Pro
+```shell
+krb_server_keyfile = 'postgres.keytab'
+listen_addresses = 'localhost, <pg-ip>'
+
+# /var/lib/pgpro/std-13/data/postgresql.conf
+```
+
+### Разрешение подключения 
+```shell
+hostgssenc all        postgres	 localhost/32   gss include_realm=0
+hostgssenc <database> <username> <client-ip>/32 gss include_realm=0
+
+# /var/lib/pgpro/std-13/data/pg_hba.conf
+```
+
+### Получение тикета от Kerberos
+```shell
+kinit postgres
+```
+
+## Конфигурация клиента
+
+### Получение тикета от Kerberos
+```shell
+kinit <username>
+```
+
+### Подключение к Postgres Pro
+```shell
+psql -d <database> -h <pg-hostname> -U <username>
+```