<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
<TITLE>Connections and Authentication</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79">
<LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org">
<LINK REL="HOME" TITLE="PostgreSQL 9.1beta1 Documentation" HREF="index.html">
<LINK REL="UP" TITLE="Server Configuration" HREF="runtime-config.html">
<LINK REL="PREVIOUS" TITLE="File Locations" HREF="runtime-config-file-locations.html">
<LINK REL="NEXT" TITLE="Resource Consumption" HREF="runtime-config-resource.html">
<LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META NAME="creation" CONTENT="2011-04-27T21:20:33">
</HEAD>
<BODY>
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="5" ALIGN="center" VALIGN="bottom"><A HREF="index.html">PostgreSQL 9.1beta1 Documentation</A></TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="top"><A TITLE="File Locations" HREF="runtime-config-file-locations.html">Prev</A></TD>
<TD WIDTH="10%" ALIGN="left" VALIGN="top"><A TITLE="Server Configuration" HREF="runtime-config.html">Fast Backward</A></TD>
<TD WIDTH="60%" ALIGN="center" VALIGN="bottom">Chapter 18. Server Configuration</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="top"><A TITLE="Server Configuration" HREF="runtime-config.html">Fast Forward</A></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="top"><A TITLE="Resource Consumption" HREF="runtime-config-resource.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="RUNTIME-CONFIG-CONNECTION">18.3. Connections and Authentication</A></H1>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="RUNTIME-CONFIG-CONNECTION-SETTINGS">18.3.1. Connection Settings</A></H2>
<DL>
<DT><A NAME="GUC-LISTEN-ADDRESSES"></A><TT CLASS="VARNAME">listen_addresses</TT></DT>
<DD><P>Specifies the TCP/IP address(es) on which the server is to listen for connections from client applications. The value takes the form of a comma-separated list of host names and/or numeric IP addresses. The special entry <TT CLASS="LITERAL">*</TT> corresponds to all available IP interfaces. The entry <TT CLASS="LITERAL">0.0.0.0</TT> allows listening for all IPv4 addresses and <TT CLASS="LITERAL">::</TT> allows listening for all IPv6 addresses. If the list is empty, the server does not listen on any IP interface at all, in which case only Unix-domain sockets can be used to connect to it. The default value is <SPAN CLASS="SYSTEMITEM">localhost</SPAN>, which allows only local TCP/IP <SPAN CLASS="QUOTE">"loopback"</SPAN> connections to be made. While client authentication (<A HREF="client-authentication.html">Chapter 19</A>) allows fine-grained control over who can access the server, <TT CLASS="VARNAME">listen_addresses</TT> controls which interfaces accept connection attempts, which can help prevent repeated malicious connection requests on insecure network interfaces. This parameter can only be set at server start.</P></DD>
<DT><TT CLASS="VARNAME">port</TT></DT>
<DD><P>The TCP port the server listens on; 5432 by default. Note that the same port number is used for all IP addresses the server listens on. This parameter can only be set at server start.</P></DD>
<DT><A NAME="GUC-MAX-CONNECTIONS"></A><TT CLASS="VARNAME">max_connections</TT></DT>
<DD><P>Determines the maximum number of concurrent connections to the database server. The default is typically 100 connections, but might be less if your kernel settings will not support it (as determined during <SPAN CLASS="APPLICATION">initdb</SPAN>). This parameter can only be set at server start.</P>
<P>Increasing this parameter might cause <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> to request more <SPAN CLASS="SYSTEMITEM">System V</SPAN> shared memory or semaphores than your operating system's default configuration allows. See <A HREF="kernel-resources.html#SYSVIPC">Section 17.4.1</A> for information on how to adjust those parameters, if necessary.</P>
<P>When running a standby server, you must set this parameter to the same or a higher value than on the master server. Otherwise, queries will not be allowed in the standby server.</P></DD>
<DT><A NAME="GUC-SUPERUSER-RESERVED-CONNECTIONS"></A><TT CLASS="VARNAME">superuser_reserved_connections</TT></DT>
<DD><P>Determines the number of connection <SPAN CLASS="QUOTE">"slots"</SPAN> that are reserved for connections by <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> superusers. At most <A HREF="runtime-config-connection.html#GUC-MAX-CONNECTIONS"><TT CLASS="VARNAME">max_connections</TT></A> connections can ever be active simultaneously. Whenever the number of active concurrent connections is at least <TT CLASS="VARNAME">max_connections</TT> minus <TT CLASS="VARNAME">superuser_reserved_connections</TT>, new connections will be accepted only for superusers, and no new replication connections will be accepted.</P>
<P>The default value is three connections. The value must be less than the value of <TT CLASS="VARNAME">max_connections</TT>. This parameter can only be set at server start.</P></DD>
<DT><A NAME="GUC-UNIX-SOCKET-DIRECTORY"></A><TT CLASS="VARNAME">unix_socket_directory</TT></DT>
<DD><P>Specifies the directory of the Unix-domain socket on which the server is to listen for connections from client applications. The default is normally <TT CLASS="FILENAME">/tmp</TT>, but can be changed at build time. This parameter can only be set at server start.</P>
<P>In addition to the socket file itself, which is named <TT CLASS="LITERAL">.s.PGSQL.<TT CLASS="REPLACEABLE"><I>nnnn</I></TT></TT> where <TT CLASS="REPLACEABLE"><I>nnnn</I></TT> is the server's port number, an ordinary file named <TT CLASS="LITERAL">.s.PGSQL.<TT CLASS="REPLACEABLE"><I>nnnn</I></TT>.lock</TT> will be created in the <TT CLASS="VARNAME">unix_socket_directory</TT> directory. Neither file should ever be removed manually.</P>
<P>This parameter is irrelevant on Windows, which does not have Unix-domain sockets.</P></DD>
<DT><A NAME="GUC-UNIX-SOCKET-GROUP"></A><TT CLASS="VARNAME">unix_socket_group</TT></DT>
<DD><P>Sets the owning group of the Unix-domain socket. (The owning user of the socket is always the user that starts the server.) In combination with the parameter <TT CLASS="VARNAME">unix_socket_permissions</TT> this can be used as an additional access control mechanism for Unix-domain connections. By default this is the empty string, which uses the default group of the server user. This parameter can only be set at server start.</P>
<P>This parameter is irrelevant on Windows, which does not have Unix-domain sockets.</P></DD>
<DT><A NAME="GUC-UNIX-SOCKET-PERMISSIONS"></A><TT CLASS="VARNAME">unix_socket_permissions</TT></DT>
<DD><P>Sets the access permissions of the Unix-domain socket. Unix-domain sockets use the usual Unix file system permission set. The parameter value is expected to be a numeric mode specified in the format accepted by the <CODE CLASS="FUNCTION">chmod</CODE> and <CODE CLASS="FUNCTION">umask</CODE> system calls. (To use the customary octal format the number must start with a <TT CLASS="LITERAL">0</TT> (zero).)</P>
<P>The default permissions are <TT CLASS="LITERAL">0777</TT>, meaning anyone can connect. Reasonable alternatives are <TT CLASS="LITERAL">0770</TT> (only user and group, see also <TT CLASS="VARNAME">unix_socket_group</TT>) and <TT CLASS="LITERAL">0700</TT> (only user). (Note that for a Unix-domain socket, only write permission matters, so there is no point in setting or revoking read or execute permissions.)</P>
<P>This access control mechanism is independent of the one described in <A HREF="client-authentication.html">Chapter 19</A>.</P>
<P>This parameter can only be set at server start.</P>
<P>This parameter is irrelevant on Windows, which does not have Unix-domain sockets.</P></DD>
<DT><TT CLASS="VARNAME">bonjour</TT></DT>
<DD><P>Enables advertising the server's existence via <SPAN CLASS="PRODUCTNAME">Bonjour</SPAN>. The default is off. This parameter can only be set at server start.</P></DD>
<DT><A NAME="GUC-BONJOUR-NAME"></A><TT CLASS="VARNAME">bonjour_name</TT></DT>
<DD><P>Specifies the <SPAN CLASS="PRODUCTNAME">Bonjour</SPAN> service name. The computer name is used if this parameter is set to the empty string <TT CLASS="LITERAL">''</TT> (which is the default). This parameter is ignored if the server was not compiled with <SPAN CLASS="PRODUCTNAME">Bonjour</SPAN> support. This parameter can only be set at server start.</P></DD>
<DT><A NAME="GUC-TCP-KEEPALIVES-IDLE"></A><TT CLASS="VARNAME">tcp_keepalives_idle</TT></DT>
<DD><P>Specifies the number of seconds before sending a keepalive packet on an otherwise idle connection. A value of 0 uses the system default. This parameter is supported only on systems that support the <TT CLASS="SYMBOL">TCP_KEEPIDLE</TT> or <TT CLASS="SYMBOL">TCP_KEEPALIVE</TT> symbols, and on Windows; on other systems, it must be zero. This parameter is ignored for connections made via a Unix-domain socket.</P>
<P><B>Note:</B> On Windows, a value of 0 will set this parameter to 2 hours, since Windows does not provide a way to read the system default value.</P></DD>
<DT><A NAME="GUC-TCP-KEEPALIVES-INTERVAL"></A><TT CLASS="VARNAME">tcp_keepalives_interval</TT></DT>
<DD><P>Specifies the number of seconds between sending keepalives on an otherwise idle connection. A value of 0 uses the system default. This parameter is supported only on systems that support the <TT CLASS="SYMBOL">TCP_KEEPINTVL</TT> symbol, and on Windows; on other systems, it must be zero. This parameter is ignored for connections made via a Unix-domain socket.</P>
<P><B>Note:</B> On Windows, a value of 0 will set this parameter to 1 second, since Windows does not provide a way to read the system default value.</P></DD>
<DT><A NAME="GUC-TCP-KEEPALIVES-COUNT"></A><TT CLASS="VARNAME">tcp_keepalives_count</TT></DT>
<DD><P>Specifies the number of keepalive packets to send on an otherwise idle connection. A value of 0 uses the system default. This parameter is supported only on systems that support the <TT CLASS="SYMBOL">TCP_KEEPCNT</TT> symbol; on other systems, it must be zero. This parameter is ignored for connections made via a Unix-domain socket.</P>
<P><B>Note:</B> This parameter is not supported on Windows, and must be zero.</P></DD>
</DL>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="RUNTIME-CONFIG-CONNECTION-SECURITY">18.3.2. Security and Authentication</A></H2>
<DL>
<DT><A NAME="GUC-AUTHENTICATION-TIMEOUT"></A><TT CLASS="VARNAME">authentication_timeout</TT></DT>
<DD><P>Maximum time to complete client authentication, in seconds. If a would-be client has not completed the authentication protocol in this much time, the server closes the connection. This prevents hung clients from occupying a connection indefinitely. The default is one minute (<TT CLASS="LITERAL">1m</TT>). This parameter can only be set in the <TT CLASS="FILENAME">postgresql.conf</TT> file or on the server command line.</P></DD>
<DT><TT CLASS="VARNAME">ssl</TT></DT>
<DD><P>Enables <ACRONYM CLASS="ACRONYM">SSL</ACRONYM> connections. Please read <A HREF="ssl-tcp.html">Section 17.9</A> before using this. The default is <TT CLASS="LITERAL">off</TT>. This parameter can only be set at server start. <ACRONYM CLASS="ACRONYM">SSL</ACRONYM> communication is only possible with TCP/IP connections.</P></DD>
<DT><A NAME="GUC-SSL-RENEGOTIATION-LIMIT"></A><TT CLASS="VARNAME">ssl_renegotiation_limit</TT></DT>
<DD><P>Specifies how much data can flow over an <ACRONYM CLASS="ACRONYM">SSL</ACRONYM>-encrypted connection before renegotiation of the session keys will take place. Renegotiation decreases an attacker's chances of doing cryptanalysis when large amounts of traffic can be examined, but it also carries a large performance penalty. The sum of sent and received traffic is used to check the limit. If this parameter is set to 0, renegotiation is disabled. The default is <TT CLASS="LITERAL">512MB</TT>.</P>
<P><B>Note:</B> SSL libraries from before November 2009 are insecure when using SSL renegotiation, due to a vulnerability in the SSL protocol. As a stop-gap fix for this vulnerability, some vendors shipped SSL libraries incapable of doing renegotiation. If any such libraries are in use on the client or server, SSL renegotiation should be disabled.</P></DD>
<DT><A NAME="GUC-SSL-CIPHERS"></A><TT CLASS="VARNAME">ssl_ciphers</TT></DT>
<DD><P>Specifies a list of <ACRONYM CLASS="ACRONYM">SSL</ACRONYM> ciphers that are allowed to be used on secure connections. See the <SPAN CLASS="APPLICATION">openssl</SPAN> manual page for a list of supported ciphers.</P></DD>
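<P>As an added example (not code from the PostgreSQL project or this manual), the following Python script parses a constructed <TT CLASS="FILENAME">postgresql.conf</TT> excerpt and reports the settings from this section that widen exposure: a wildcard <TT CLASS="VARNAME">listen_addresses</TT>, a <TT CLASS="VARNAME">superuser_reserved_connections</TT> value that is not below <TT CLASS="VARNAME">max_connections</TT>, a socket mode whose other-write bit lets any local account connect, <TT CLASS="VARNAME">ssl</TT> off, and renegotiation disabled. It also resolves the <TT CLASS="VARNAME">tcp_keepalives_*</TT> values using the Windows substitutions the page documents. The sample configuration, the function names and the finding texts are this example's own assumptions; the <CODE CLASS="FUNCTION">chmod</CODE>-style leading-zero octal rule and the Windows keepalive values are the ones the page states.</P>

```python
import re

# Constructed excerpt of a postgresql.conf (not from any real deployment),
# deliberately using the permissive values discussed in this section.
SAMPLE_CONF = """
listen_addresses = '*'              # every interface, IPv4 and IPv6
port = 5432
max_connections = 100
superuser_reserved_connections = 100
unix_socket_permissions = 0777      # anyone on the host may connect
tcp_keepalives_idle = 0
tcp_keepalives_interval = 0
tcp_keepalives_count = 0
ssl = off
ssl_renegotiation_limit = 0
authentication_timeout = 1min
"""

# listen_addresses entries that bind every interface of an address family
WILDCARD_LISTEN = {"*", "0.0.0.0", "::"}


def parse_conf(text):
    """Parse 'name = value' lines: '=' is optional, '#' starts a comment,
    single quotes around a value are removed (quotes inside values are not handled)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        settings[name] = value
    return settings


def socket_mode(value):
    """Read unix_socket_permissions like chmod's numeric argument:
    a leading 0 means octal, anything else is decimal (a common mistake)."""
    return int(value, 8) if value.startswith("0") else int(value)


def socket_access(mode):
    """Who can connect to the socket: only the write bits matter."""
    return [who for who, bit in (("user", 0o200), ("group", 0o020), ("other", 0o002)) if mode & bit]


def effective_keepalives(settings, windows=False):
    """Resolve tcp_keepalives_{idle,interval,count}. 0 selects the system
    default, which is unknown here (None), except on Windows where the server
    substitutes 2 hours and 1 second and the count is not supported."""
    idle = int(settings.get("tcp_keepalives_idle", "0"))
    interval = int(settings.get("tcp_keepalives_interval", "0"))
    count = int(settings.get("tcp_keepalives_count", "0"))
    if windows:
        if count != 0:
            raise ValueError("tcp_keepalives_count must be zero on Windows")
        return (idle or 7200, interval or 1, None)
    return (idle or None, interval or None, count or None)


def review(settings):
    """Return findings for the connection and SSL settings of this section."""
    findings = []
    listen = [a.strip() for a in settings.get("listen_addresses", "localhost").split(",")]
    if WILDCARD_LISTEN & set(listen):
        findings.append("listen_addresses binds every interface; list only the addresses clients need")
    max_conn = int(settings.get("max_connections", "100"))
    reserved = int(settings.get("superuser_reserved_connections", "3"))
    if reserved >= max_conn:
        findings.append("superuser_reserved_connections must be less than max_connections")
    if "other" in socket_access(socket_mode(settings.get("unix_socket_permissions", "0777"))):
        findings.append("unix_socket_permissions lets any local account connect; 0770 plus unix_socket_group, or 0700, limits this")
    if settings.get("ssl", "off") == "off":
        findings.append("ssl is off, so TCP/IP sessions travel unencrypted")
    if settings.get("ssl_renegotiation_limit", "512MB") == "0":
        findings.append("ssl_renegotiation_limit = 0 disables renegotiation (needed only with pre-November-2009 SSL libraries)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

<P>Note the decimal trap in <CODE CLASS="FUNCTION">socket_mode</CODE>: a value written as <TT CLASS="LITERAL">777</TT> without the leading zero is decimal 777, whose bits contain no write permission at all, so nobody can connect over the socket.</P>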
<DT><A NAME="GUC-PASSWORD-ENCRYPTION"></A><TT CLASS="VARNAME">password_encryption</TT></DT>
<DD><P>When a password is specified in <A HREF="sql-createuser.html">CREATE USER</A> or <A HREF="sql-alteruser.html">ALTER USER</A> without writing either <TT CLASS="LITERAL">ENCRYPTED</TT> or <TT CLASS="LITERAL">UNENCRYPTED</TT>, this parameter determines whether the password is to be encrypted. The default is <TT CLASS="LITERAL">on</TT> (encrypt the password).</P></DD>
<DT><A NAME="GUC-KRB-SERVER-KEYFILE"></A><TT CLASS="VARNAME">krb_server_keyfile</TT></DT>
<DD><P>Sets the location of the Kerberos server key file. See <A HREF="auth-methods.html#KERBEROS-AUTH">the Kerberos authentication method</A> or <A HREF="auth-methods.html#GSSAPI-AUTH">the GSSAPI authentication method</A> for details. This parameter can only be set in the <TT CLASS="FILENAME">postgresql.conf</TT> file or on the server command line.</P></DD>
<DT><A NAME="GUC-KRB-SRVNAME"></A><TT CLASS="VARNAME">krb_srvname</TT></DT>
<DD><P>Sets the Kerberos service name. See <A HREF="auth-methods.html#KERBEROS-AUTH">the Kerberos authentication method</A> for details. This parameter can only be set in the <TT CLASS="FILENAME">postgresql.conf</TT> file or on the server command line.</P></DD>
<DT><A NAME="GUC-KRB-CASEINS-USERS"></A><TT CLASS="VARNAME">krb_caseins_users</TT></DT>
<DD><P>Sets whether Kerberos and GSSAPI user names should be treated case-insensitively. The default is <TT CLASS="LITERAL">off</TT> (case sensitive). This parameter can only be set in the <TT CLASS="FILENAME">postgresql.conf</TT> file or on the server command line.</P></DD>
<DT><A NAME="GUC-DB-USER-NAMESPACE"></A><TT CLASS="VARNAME">db_user_namespace</TT></DT>
<DD><P>This parameter enables per-database user names. It is off by default. This parameter can only be set in the <TT CLASS="FILENAME">postgresql.conf</TT> file or on the server command line.</P>
<P>If this is on, you should create users as <TT CLASS="LITERAL"><TT CLASS="REPLACEABLE"><I>username@dbname</I></TT></TT>. When <TT CLASS="REPLACEABLE"><I>username</I></TT> is passed by a connecting client, <TT CLASS="LITERAL">@</TT> and the database name are appended to the user name and that database-specific user name is looked up by the server. Note that when you create users with names containing <TT CLASS="LITERAL">@</TT> within the SQL environment, you will need to quote the user name.</P>
<P>With this parameter enabled, you can still create ordinary global users. Simply append <TT CLASS="LITERAL">@</TT> when specifying the user name in the client, e.g. <TT CLASS="LITERAL">joe@</TT>. The <TT CLASS="LITERAL">@</TT> will be stripped off before the user name is looked up by the server.</P>
<P><TT CLASS="VARNAME">db_user_namespace</TT> causes the client's and server's user name representation to differ. Authentication checks are always done with the server's user name so authentication methods must be configured for the server's user name, not the client's. Because <TT CLASS="LITERAL">md5</TT> uses the user name as salt on both the client and server, <TT CLASS="LITERAL">md5</TT> cannot be used with <TT CLASS="VARNAME">db_user_namespace</TT>.</P>
<P><B>Note:</B> This feature is intended as a temporary measure until a complete solution is found. At that time, this option will be removed.</P></DD>
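<P>As an added example (not code from the PostgreSQL project or this manual), the following Python models the user-name mapping that <TT CLASS="VARNAME">db_user_namespace</TT> performs and shows why <TT CLASS="LITERAL">md5</TT> authentication cannot work with it: the stored md5 form is <TT CLASS="LITERAL">md5</TT> followed by md5(password || user name), so the client, which salts with the name it sent, and the server, which looks up the namespaced name, end up with different hashes. The role catalogue, the function names and the sample credentials are this example's own constructions; the trailing-<TT CLASS="LITERAL">@</TT> stripping, the <TT CLASS="LITERAL">@dbname</TT> appending and the need to quote names containing <TT CLASS="LITERAL">@</TT> follow the page.</P>

```python
import hashlib

# Constructed role catalogue standing in for the server's role table; not real data.
SERVER_ROLES = {"alice@sales", "alice@hr", "bob"}


def server_user_name(client_user, database, db_user_namespace=True):
    """Map the name a client sends to the name the server looks up.
    With db_user_namespace on: a name ending in a bare '@' is a global user
    and the '@' is stripped; any other name gets '@' + database appended.
    With it off, the name is used exactly as sent."""
    if not db_user_namespace:
        return client_user
    if client_user.endswith("@"):
        return client_user[:-1]
    return client_user + "@" + database


def authenticate_lookup(client_user, database, roles=SERVER_ROLES, db_user_namespace=True):
    """Return the server-side name and whether such a role exists."""
    name = server_user_name(client_user, database, db_user_namespace)
    return name, name in roles


def create_user_sql(name):
    """Names containing '@' are not plain SQL identifiers, so they must be quoted."""
    if name[:1].isalpha() and name.replace("_", "").isalnum():
        return "CREATE USER " + name
    return 'CREATE USER "' + name.replace('"', '""') + '"'


def pg_md5_password_hash(password, user_name):
    """Stored form of an md5 password: 'md5' + md5(password || user name).
    The user name is the salt, which is why both sides must agree on it."""
    return "md5" + hashlib.md5((password + user_name).encode()).hexdigest()


def md5_auth_would_succeed(password, client_user, database, db_user_namespace=True):
    """The client salts with the name it sent; the server holds the hash made with
    the name it looked up. md5 authentication can only succeed if the two agree."""
    client_side = pg_md5_password_hash(password, client_user)
    server_name = server_user_name(client_user, database, db_user_namespace)
    server_side = pg_md5_password_hash(password, server_name)
    return client_side == server_side


if __name__ == "__main__":
    for user, db in (("alice", "sales"), ("alice", "crm"), ("bob@", "sales"), ("bob", "sales")):
        print(user, db, "->", authenticate_lookup(user, db),
              "md5 ok:", md5_auth_would_succeed("s3cret", user, db))
```

<P>Even the global-user form <TT CLASS="LITERAL">bob@</TT> fails under md5, because the client salts with <TT CLASS="LITERAL">bob@</TT> while the server's hash was made for <TT CLASS="LITERAL">bob</TT>; with the parameter off the names coincide and the comparison succeeds.</P>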
</DL>
</DIV>
</DIV>
</BODY>
</HTML>