#
# Example PostgreSQL host access control file.
#
# 
# This file controls what hosts are allowed to connect to what databases
# and specifies some options on how users on a particular host are identified.
# It is read each time a host tries to make a connection to a database.
# 
# Each line (terminated by a newline character) is a record.  A record cannot
# be continued across two lines.
# 
# There are 3 kinds of records:
# 
#   1) comment:  Starts with #.
# 
#   2) empty:  Contains nothing except spaces and tabs.
# 
#   3) content: anything else.  
# 
# Unless specified otherwise, "record" from here on means a content
# record.
# 
# A record consists of tokens separated by spaces or tabs.  Spaces and
# tabs at the beginning and end of a record are ignored as are extra
# spaces and tabs between two tokens.
# 
# The first token in a record is the record type.  The interpretation of the
# rest of the record depends on the record type.
# 
# Record type "host"
# ------------------
# 
# This record identifies a set of network hosts that are permitted to connect
# to databases.  No network hosts are permitted to connect except as specified
# by a "host" record.  See the record type "local" to specify permitted
# connections using UNIX sockets.
#
# Format:
# 
#   host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
# 
# DBNAME is the name of a PostgreSQL database, "all" to indicate all 
# databases, or "sameuser" to restrict a user's access to a database
# with the same user name.
# 
# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
# mask to identify a set of hosts.  These hosts are allowed to connect to 
# Database DBNAME. 
# 
# USERAUTH is a keyword indicating the method used to authenticate the 
# user, i.e. to determine that the principal is authorized to connect
# under the PostgreSQL username he supplies in his connection parameters.
#
#   ident:  Authentication is done by the ident server on the remote
#           host, via the ident (RFC 1413) protocol, so the result is only
#           as trustworthy as the remote host and its ident server.
#           AUTH_ARGUMENT, if specified, is a map name to be found in the
#           pg_ident.conf file.  That map translates ident usernames to
#           PostgreSQL usernames.  The special map name "sameuser" indicates
#           an implied map (not found in pg_ident.conf) that maps every ident
#           username to the identical PostgreSQL username.
#
#   trust:  No authentication is done.  Trust that the user has the 
#           authority to use whatever username he specifies.  Before 
#           PostgreSQL version 6, all authentication was done this way.
#
#   reject: Reject the connection.
#
#   password:  Authentication is done by matching a password that the
#              connecting host sends in clear text (unencrypted).  If
#              AUTH_ARGUMENT is specified, it names a password file in the
#              $PGDATA directory, and the supplied password is compared with
#              the user's entry in that file.  See pg_passwd(1).  If
#              AUTH_ARGUMENT is omitted, the password is compared with the
#              user's entry in the pg_shadow table.
#
#   crypt:  Authentication is done by matching an encrypted password supplied
#	    by the host with that held for the user in the pg_shadow table.
#
#   krb4:   Kerberos V4 authentication is used.
#
#   krb5:   Kerberos V5 authentication is used.

# Record type "local"
# ------------------
# 
# This record identifies the authentication to use when connecting to a
# particular database via a local UNIX socket.
#
# Format:
# 
#   local DBNAME USERAUTH [AUTH_ARGUMENT]
#
# The format is the same as that of the "host" record type except that the
# IP_ADDRESS and ADDRESS_MASK are omitted and the "ident", "krb4" and "krb5"
# values of USERAUTH are not allowed.

# For backwards compatibility, PostgreSQL also accepts pre-version 6 records,
# which look like:
# 
#   all         127.0.0.1    0.0.0.0

# TYPE       DATABASE    IP_ADDRESS    MASK              USERAUTH  MAP
 
#host         all         127.0.0.1     255.255.255.255   trust     
 
# The above allows any user on the local system to connect to any database
# under any username.
 
#host         template1   192.168.0.0   255.255.255.0     ident     sameuser
 
# The above allows any user from any host with IP address 192.168.0.x to
# connect to database template1 as the same username that ident on that host
# identifies him as (typically his Unix username).  

#host         all        192.168.0.1   255.255.255.255   reject
#host         all        0.0.0.0       0.0.0.0           trust

# The above would allow anyone anywhere except from 192.168.0.1 to connect to
# any database under any username.

#host         all        192.168.0.0  255.255.255.0      ident     omicron
#
# The above would allow users from 192.168.0.x hosts to connect to any
# database, but if Ident says the user is "bryanh" and he requests to
# connect as PostgreSQL user "guest1", the connection is only allowed if
# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is 
# allowed to connect as "guest1".

# By default, allow anything over UNIX domain sockets and localhost.
# Both records below use "trust", so no authentication is done: any user on
# the local system can connect to any database under any PostgreSQL username.
# On a machine with other local users, replace "trust" with an authenticating
# USERAUTH method such as "password" or "crypt".

local        all                                         trust
host         all         127.0.0.1     255.255.255.255   trust