fruworg.github.io/content/posts/postgres-krb5.md
root 9c4706e826 Committer: fruworg <im@fruw.org>
On branch main
Your branch is up to date with 'origin/main'.

Changes to be committed:
	new file:   .gitmodules
	new file:   archetypes/default.md
	new file:   config.toml
	new file:   content/posts/ald-pro.md
	new file:   content/posts/astra-fly.md
	new file:   content/posts/astra-freeipa.md
	new file:   content/posts/bareos-install.md
	new file:   content/posts/cifs-automount.md
	new file:   content/posts/create-user-keytab.md
	new file:   content/posts/create-user-keytab.md.save
	new file:   content/posts/dhcp-resolv.md
	new file:   content/posts/github-ssh-auth.md
	new file:   content/posts/ip-command.md
	new file:   content/posts/linux-krb5.md
	new file:   content/posts/linux-network.md
	new file:   content/posts/linux-nfs.md.save
	new file:   content/posts/linux-packages-rebuild.md
	new file:   content/posts/lvm-base-commands.md
	new file:   content/posts/pfx-to-pem.md
	new file:   content/posts/pg-probackup-setup.md.save
	new file:   content/posts/pg-probackup-setup.md.save.1
	new file:   content/posts/postgres-drop-db.md
	new file:   content/posts/postgres-krb5.md
	new file:   content/posts/postgres-ldaps.md
	new file:   content/posts/postgres-pro-astra-se.md
	new file:   content/posts/postgres-replication.md
	new file:   content/posts/postgres-simple-backup.md
	new file:   content/posts/postgres-tls.md
	new file:   content/posts/reverse-shell-nc.md
	new file:   content/posts/run-nologin.md
	new file:   content/posts/security-solutions.md
	new file:   content/posts/selfsigned-to-trusted.md
	new file:   content/posts/ssh-2fa-totp.md
	new file:   content/posts/ssh-auth-by-key.md
	new file:   content/posts/ssh-fail2ban.md
	new file:   content/posts/vmware-clipboard.md
	new file:   content/posts/vmware-restart-date.md
	new file:   content/posts/windows-disable-shutdown.md
	new file:   static/0x952C15AB751A65F6
	new file:   static/favicon.ico
	new file:   static/fruworg.png
	new file:   themes/archie

 Changes not staged for commit:
	modified:   themes/archie (modified content)
2023-07-26 20:55:24 +05:00

2.2 KiB
Raw Blame History

title description date tags
Аутентификация в Postgres Pro с помощью Kerberos Используя протокол GSSAPI 2022-11-29T16:21:00+05:00
linux
postgres
krb5

Установка Kerberos и Postgres Pro

Для начала, необходимо установить Postgres Pro и Kerberos. На машину с Postgres Pro Kerberos устанавливается также, как и на клиента.

Конфигурация сервера Kerberos

Добавление принципиала Postgres Pro

kadmin.local
addprinc <username>
addprinc postgres
addprinc postgres/<pg-hostname>
q

Экспорт субъекта-службы

ktutil
add_entry -password -p postgres/<pg-hostname>@<DOMAIN.NAME> -k 1 -e aes256-cts-hmac-sha1-96
wkt postgres.keytab
q

Перенос субъекта-службы на сервер Postgres Pro

Перенести keytab можно как угодно, главное, чтобы он находился в папке с конфигурационными файлами Postgres Pro. Я перенесу с помощью команды scp:

scp postgres.keytab postgres@<pg-hostname>:/var/lib/pgpro/std-13/data/

Конфигурация сервера Postgres Pro

Включение ранее перенесённого keytab

ktutil
read_kt postgres.keytab
q

Изменение конфигруационного файла Postgres Pro

krb_server_keyfile = 'postgres.keytab'
listen_addresses = 'localhost, <pg-ip>'

# /var/lib/pgpro/std-13/data/postgresql.conf

Разрешение подключения

hostgssenc all        postgres	 localhost/32   gss include_realm=0
hostgssenc <database> <username> <client-ip>/32 gss include_realm=0

# /var/lib/pgpro/std-13/data/pg_hba.conf

Получение тикета от Kerberos

kinit postgres

Конфигурация клиента

Получение тикета от Kerberos

kinit <username>

Подключение к Postgres Pro

psql -d <database> -h <pg-hostname> -U <username>