This authentication method operates similarly to
password except that it uses PAM (Pluggable
Authentication Modules) as the authentication mechanism. The
default PAM service name is
postgresql. PAM is used only to validate user
name/password pairs and optionally the connected remote host name
or IP address. Therefore the user must already exist in the
database before PAM can be used for authentication. For more
information about PAM, please read the Linux-PAM Page.
The following configuration options are supported for PAM:
PAM service name.
Determines whether the remote IP address or the host
name is provided to PAM modules through the
PAM_RHOST item. By default, the IP address
is used. Set this option to 1 to use the resolved host name
instead. Host name resolution can lead to login delays.
(Most PAM configurations don't use this information, so it
is only necessary to consider this setting if a PAM
configuration was specifically created to make use of
If PAM is set up to read
/etc/shadow, authentication will fail because
the PostgreSQL server is started by a non-root user. However,
this is not an issue when PAM is configured to use LDAP or
other authentication methods.
If you see anything in the documentation that is not correct, does not match your experience with the particular feature or requires further clarification, please use this form to report a documentation issue.