path: root/src/backend/libpq/pg_hba.conf.sample
#
#
#                   PostgreSQL HOST ACCESS CONTROL FILE
#
# 
# This file controls what hosts are allowed to connect to what databases
# and specifies some options on how users on a particular host are
# identified. It is read each time a host tries to make a connection to a
# database.
#
# Each line (terminated by a newline character) is a record. A record
# cannot be continued across two lines.
# 
# There are 3 kinds of records:
# 
#   1) comment:  Starts with #.
# 
#   2) empty:  Contains nothing except spaces and tabs.
# 
#   3) record: anything else.
# 
# Only record lines are significant.
#
# A record consists of tokens separated by spaces or tabs. Spaces and
# tabs at the beginning and end of a record are ignored as are extra
# spaces and tabs between two tokens.
#
# The first token in a record is the record type. The interpretation of
# the rest of the record depends on the record type.


# Record type "host"
# ------------------
# 
# This record identifies a set of network hosts that are permitted to
# connect to databases. No network hosts are permitted to connect except
# as specified by a "host" record. See the record type "local" to specify
# permitted connections for local users via UNIX domain sockets.
#
# Format:
# 
#   host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
# 
# DBNAME is the name of a PostgreSQL database, "all" to indicate all
# databases, or "sameuser" to restrict a user's access to a database with
# the same user name.
#
# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address
# and mask to identify a set of hosts. These hosts are allowed to connect
# to database DBNAME. There is a separate section about AUTHTYPE below.


# Record type "hostssl"
# ---------------------
#
# The format of this record is identical to that of "host".
#
# This record identifies the authentication to use when connecting to a
# particular database via TCP/IP sockets over SSL. Note that SSL connections
# also match normal "host" records; "hostssl" records can be used to
# require an SSL connection. This keyword is only available if the server
# is compiled with SSL support enabled.


# Record type "local"
# -------------------
# 
# This record identifies the authentication to use when connecting to a
# particular database via a local UNIX socket.
#
# Format:
# 
#   local DBNAME AUTHTYPE [AUTH_ARGUMENT]
#
# The format is the same as that of the "host" record type except that
# the IP_ADDRESS and ADDRESS_MASK are omitted. Local supports only
# AUTHTYPEs "trust", "password", "crypt", and "reject".


# Authentication Types (AUTHTYPE)
# -------------------------------
#
# AUTHTYPE is a keyword indicating the method used to authenticate the
# user, i.e. to determine that the user is authorized to connect under
# the PostgreSQL username supplied in his connection parameters.
#
#   trust:  	No authentication is done. Trust that the user has the
#   		authority to use whatever username he specifies.
#
#   password:	Authentication is done by matching a password supplied
#   		in clear text by the connecting host. If AUTH_ARGUMENT is specified then
#   		the password is compared with the user's entry in that
#   		file (in the $PGDATA directory). See pg_passwd(1). If it
#   		is omitted then the password is compared with the user's
#   		entry in the pg_shadow table.
#
#   crypt:  	Same as 'password', but authentication is done by
#   		encrypting the password sent over the network.
#
#   ident:  	Authentication is done by the ident server on the remote
#   		host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT,
#   		if specified, is a map name to be found in the
#   		pg_ident.conf file. That table maps from ident usernames
#   		to PostgreSQL usernames. The special map name "sameuser"
#   		indicates an implied map (not found in pg_ident.conf)
#   		that maps every ident username to the identical
#   		PostgreSQL username.
#
#   krb4:   	Kerberos V4 authentication is used.
#
#   krb5:   	Kerberos V5 authentication is used.
#
#   reject: 	Reject the connection.


# Examples
# --------
#
# TYPE       DATABASE    IP_ADDRESS    MASK                AUTHTYPE  MAP
# 
#host         all         127.0.0.1    255.255.255.255     trust     
# 
# The above allows any user on the local system to connect to any
# database under any username.
#
#host         template1   192.168.93.0 255.255.255.0       ident     sameuser
# 
# The above allows any user from any host with IP address 192.168.93.x to
# connect to database template1 as the same username that ident on that
# host identifies him as (typically his Unix username).
#
#host         template1   192.168.12.10 255.255.255.255    crypt
# 
# The above allows a user from host 192.168.12.10 to connect to
# database template1 if the password assigned to that user is
# supplied. User passwords are optionally assigned when a 
# user is created.
#
#host         all        192.168.54.1  255.255.255.255     reject
#host         all        0.0.0.0       0.0.0.0             trust
#
# The above would allow anyone anywhere except from 192.168.54.1 to
# connect to any database under any username. Records are checked in
# order and the first matching record decides, so the "reject" line
# must appear before the catch-all "trust" line.
#
#host         all        192.168.77.0  255.255.255.0       ident     omicron
#
# The above would allow users from 192.168.77.x hosts to connect to any
# database, but if Ident says the user is "bryanh" and he requests to
# connect as PostgreSQL user "guest1", the connection is only allowed if
# there is an entry for map "omicron" in pg_ident.conf that says "bryanh"
# is allowed to connect as "guest1".
#


# By default, allow anything over UNIX domain sockets and localhost.
# Both records use "trust", which performs no authentication (see the
# AUTHTYPE section above): any user who can reach the UNIX socket or the
# loopback address may connect to any database as any PostgreSQL username.
# Replace "trust" with an authenticating method (e.g. "password", or
# "ident" for host records) before untrusted users can reach the server.
local        all                                           trust
host         all         127.0.0.1     255.255.255.255     trust