#
# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
#
#
# This file controls:
#     o which hosts are allowed to connect
#     o how users are authenticated on each host
#     o databases accessible by each host
#
# It is read on postmaster startup and when the postmaster receives a SIGHUP.
# If you edit the file on a running system, you have to SIGHUP the postmaster
# for the changes to take effect, or use "pg_ctl reload".
#
# Each line is a new record.  Records cannot span multiple lines.
# Comments begin with # and continue to the end of the line.
# Blank lines are ignored.  A record consists of tokens separated by
# spaces or tabs.
#
# Each record specifies a connection type and authentication method.  Most
# records also can restrict based on database name or IP address.
#
# When reading this file, the postmaster finds the first record that
# matches the connection type, client address, and database name, and uses
# that record to perform client authentication.  If no record matches, the
# connection is rejected.
#
# The first token of a record indicates the connection type.  The
# remainder of the record is interpreted based on that type.
#
# Record Types
# ============
#
# There are three record types:
#     o host
#     o hostssl
#     o local
#
# host
# ----
#
# This record identifies hosts that are permitted to connect via TCP/IP.
#
# Format:
#
#     host  DATABASE  USER  IP_ADDRESS  MASK  AUTH_TYPE
#
# DATABASE can be:
#     o a database name
#     o "sameuser", which means a user can only access a database with the
#       same name as their user name
#     o "samegroup", which means a user can only access databases when they
#       are members of a group with the same name as the database name
#     o "all", which matches all databases
#     o a list of database names, separated by commas
#     o a file name containing database names, starting with '@'
#
# USER can be:
#     o a user name
#     o "all", which matches all users
#     o a list of user names, separated by commas
#     o a group name, starting with '+'
#     o a file name containing user names, starting with '@'
#
# Files read using '@' can contain comma-separated database/user names,
# or one name per line.  The files can also contain comments using '#'.
#
# IP_ADDRESS and MASK are standard dotted decimal IP address and
# mask values.  IP addresses can only be specified numerically, not as
# domain or host names.
#
# Do not prevent the superuser from accessing the template1 database.
# Various utility commands need access to template1.
#
# AUTH_TYPE is described below.
#
#
# hostssl
# -------
#
# The format of this record is identical to "host".
#
# It specifies hosts that require connection via secure SSL.  "host"
# allows SSL connections too, but "hostssl" requires SSL-secured
# connections.
#
# This keyword is only available if the server was compiled with SSL
# support.
#
#
# local
# -----
#
# This record identifies the authentication for local UNIX domain socket
# connections.  Without this record, UNIX-socket connections are disallowed.
#
# Format:
#
#     local  DATABASE  USER  AUTH_TYPE
#
# This format is identical to the "host" record type except there are no
# IP_ADDRESS and MASK fields.
#
#
#
# Authentication Types (AUTH_TYPE)
# ================================
#
# AUTH_TYPE indicates the method used to authenticate users.  Each record
# has an AUTH_TYPE.
#
# trust:
#       No authentication is done.  Any valid user name is accepted,
#       including the PostgreSQL superuser.  This option should
#       be used only for hosts where all users are trusted.
#
# md5:
#       Requires the client to supply an MD5 encrypted password for
#       authentication.  This is the only method that allows encrypted
#       passwords to be stored in pg_shadow.
#
# crypt:
#       Same as "md5", but uses crypt for pre-7.2 clients.
#
# password:
#       Same as "md5", but the password is sent in cleartext over
#       the network.  This should not be used on untrusted
#       networks.
#
# ident:
#       For TCP/IP connections, authentication is done by contacting the
#       ident server on the client host.  This is only as secure as the
#       client machine.  You must specify the map name after the 'ident'
#       keyword.  It determines how to map remote user names to
#       PostgreSQL user names.  If you use "sameuser", the user names are
#       assumed to be identical.  If not, the map name is looked up
#       in the $PGDATA/pg_ident.conf file.  The connection is accepted if
#       that file contains an entry for this map name with the
#       ident-supplied username and the requested PostgreSQL username.
#
#       On machines that support unix-domain socket credentials
#       (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows
#       reliable authentication of 'local' connections without ident
#       running on the local machine.
#
# krb4:
#       Kerberos V4 authentication is used.  Allowed only for
#       TCP/IP connections, not for local UNIX-domain sockets.
#
# krb5:
#       Kerberos V5 authentication is used.  Allowed only for
#       TCP/IP connections, not for local UNIX-domain sockets.
#
# pam:
#       Authentication is done by PAM using the default service name
#       "postgresql".  You can specify your own service name by adding
#       the service name after the 'pam' keyword.  To use this option,
#       PostgreSQL must be configured --with-pam.
#
# reject:
#       Reject the connection.  This is used to reject certain hosts
#       that are part of a network specified later in the file.
#       To be effective, "reject" must appear before the later
#       entries.
#
#
#
# Examples
# ========
#
#
# Allow any user on the local system to connect to any database under any
# username using Unix-domain sockets (the default for local connections):
#
# TYPE  DATABASE  USER  IP_ADDRESS  MASK  AUTH_TYPE
# local all       all                     trust
#
# The same using local loopback TCP/IP connections:
#
# TYPE  DATABASE  USER  IP_ADDRESS  MASK             AUTH_TYPE
# host  all       all   127.0.0.1   255.255.255.255  trust
#
# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that ident reports
# for the connection (typically their Unix username):
#
# TYPE  DATABASE   USER  IP_ADDRESS    MASK           AUTH_TYPE
# host  template1  all   192.168.93.0  255.255.255.0  ident sameuser
#
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password is correctly supplied:
#
# TYPE  DATABASE   USER  IP_ADDRESS     MASK             AUTH_TYPE
# host  template1  all   192.168.12.10  255.255.255.255  md5
#
# In the absence of preceding "host" lines, these two lines will reject
# all connections from 192.168.54.1 (since that entry will be matched
# first), but allow Kerberos V5 connections from anywhere else on the
# Internet.  The zero mask means that no bits of the host IP address are
# considered, so it matches any host:
#
#
# TYPE  DATABASE  USER  IP_ADDRESS    MASK             AUTH_TYPE
# host  all       all   192.168.54.1  255.255.255.255  reject
# host  all       all   0.0.0.0       0.0.0.0          krb5
#
# Allow users from 192.168.x.x hosts to connect to any database if they
# pass the ident check.  For example, if ident says the user is "james" and
# he requests to connect as PostgreSQL user "guest", the connection is
# allowed if there is an entry in $PGDATA/pg_ident.conf with map name
# "phoenix" that says "james" is allowed to connect as "guest".
# See $PGDATA/pg_ident.conf for more information on Ident maps.
#
# TYPE  DATABASE  USER  IP_ADDRESS   MASK         AUTH_TYPE
# host  all       all   192.168.0.0  255.255.0.0  ident phoenix
#
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
# with the same name as their user name) except for administrators and
# members of group 'support' who may connect to all databases.  The file
# $PGDATA/admins contains a list of user names.  Passwords are required in
# all cases.
#
# TYPE   DATABASE  USER      IP_ADDRESS  MASK  AUTH_TYPE
# local  sameuser  all                         md5
# local  all       @admins                     md5
# local  all       +support                    md5
#
# The last two lines above can be combined into a single line:
#
# local  all       @admins,+support            md5
#
# The database column can also use lists and file names, but not groups:
#
# local  db1,db2,@demodbs  all                 md5
#
#
#
#
#
#
# Put your actual configuration here
# ==================================
#
# The default configuration allows any local user to connect using any
# PostgreSQL username, including the superuser, over either UNIX domain
# sockets or TCP/IP.
#
# If you want to allow non-local connections, you need to add more "host"
# records.  Also, remember TCP/IP connections are only enabled if you
# start the postmaster with the -i flag, or enable "tcpip_socket" in
# $PGDATA/postgresql.conf.
#
# CAUTION: if you are on a multiple-user machine, the default
# configuration is probably too liberal for you.  Change it to use
# something other than "trust" authentication.
#
# TYPE  DATABASE  USER  IP_ADDRESS  MASK             AUTH_TYPE

local   all       all                                trust
host    all       all   127.0.0.1   255.255.255.255  trust
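The first-match rule, the record types and the DATABASE/USER field syntax described in the comments above determine which AUTH_TYPE a given connection is subjected to, and that is the part operators most often get wrong when auditing this file (a "reject" placed after a broader "host" line never fires; a "hostssl" line is skipped for non-SSL clients). The following evaluator is an added example, not PostgreSQL's own matching code and not part of the shipped pg_hba.conf: it applies the documented semantics to a constructed set of records so you can answer "which line will this connection hit?" offline. The sample records, the content of the "@admins" file (FILES) and the group membership (GROUPS, standing in for pg_group) are all constructed for the example.

```python
"""First-match evaluation of pg_hba.conf records (added example, not PostgreSQL code).

Given a connection's type, database, user, client address and SSL state,
return the AUTH_TYPE (and optional argument such as an ident map) of the
first record that matches, or ("reject", None) when no record matches.
"""
import ipaddress

# Constructed stand-ins so the example runs offline:
#   FILES  maps an "@name" file reference to its text (comma lists or one
#          name per line, '#' comments allowed, as the file header describes)
#   GROUPS maps a group name to its members (what "+group"/"samegroup" consult)
FILES = {"admins": "alice, bob\n# trailing comment\ncarol\n"}
GROUPS = {"support": {"dave"}}

# Constructed sample file: first match wins, so the reject line must precede
# the broader 192.168.0.0/16 ident line, and hostssl only applies to SSL clients.
SAMPLE_HBA = """\
# TYPE    DATABASE   USER      IP_ADDRESS     MASK             AUTH_TYPE
host      all        all       192.168.54.1   255.255.255.255  reject
host      template1  all       192.168.12.10  255.255.255.255  md5
host      all        all       192.168.0.0    255.255.0.0      ident phoenix
hostssl   all        all       0.0.0.0        0.0.0.0          krb5
local     sameuser   all                                       md5
local     all        @admins                                   md5
local     all        +support                                  md5
"""


def tokens(line):
    """Strip a '#' comment and split the record into whitespace-separated tokens."""
    return line.split("#", 1)[0].split()


def expand(field, files):
    """Expand a DATABASE/USER field into individual names, following '@file'
    references recursively (files may hold comma lists or one name per line)."""
    out = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("@"):
            for fline in files.get(item[1:], "").splitlines():
                out.extend(expand(fline.split("#", 1)[0], files))
        else:
            out.append(item)
    return out


def user_matches(field, user, files, groups):
    for name in expand(field, files):
        if name == "all" or name == user:
            return True
        if name.startswith("+") and user in groups.get(name[1:], set()):
            return True
    return False


def db_matches(field, database, user, files, groups):
    for name in expand(field, files):
        if name == "all" or name == database:
            return True
        if name == "sameuser" and database == user:
            return True
        if name == "samegroup" and user in groups.get(database, set()):
            return True
    return False


def ip_matches(addr, mask, client_ip):
    """Dotted-decimal address/mask match; mask 0.0.0.0 matches every host."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return ipaddress.IPv4Address(client_ip) in net


def evaluate(hba_text, conn_type, database, user, client_ip=None, ssl=False,
             files=FILES, groups=GROUPS):
    """Return (auth_type, argument) of the first matching record, else ("reject", None)."""
    for raw in hba_text.splitlines():
        tok = tokens(raw)
        if not tok:
            continue
        rtype = tok[0]
        if rtype == "local":
            if conn_type != "local" or len(tok) < 4:
                continue
            db, usr, auth, arg = tok[1], tok[2], tok[3], tok[4:]
        elif rtype in ("host", "hostssl"):
            if conn_type != "host" or client_ip is None or len(tok) < 6:
                continue
            if rtype == "hostssl" and not ssl:
                continue                      # hostssl never matches plain TCP
            db, usr, ip, mask, auth, arg = tok[1], tok[2], tok[3], tok[4], tok[5], tok[6:]
            if not ip_matches(ip, mask, client_ip):
                continue
        else:
            continue                          # unknown record type: skip
        if db_matches(db, database, user, files, groups) and \
           user_matches(usr, user, files, groups):
            return auth, (arg[0] if arg else None)
    return "reject", None                     # no record matched


if __name__ == "__main__":
    for args in [("host", "template1", "alice", "192.168.54.1"),
                 ("host", "sales", "james", "192.168.200.7"),
                 ("host", "sales", "james", "10.0.0.5"),
                 ("local", "sales", "james")]:
        print(args, "->", evaluate(SAMPLE_HBA, *args))
```

Running the module prints, for each constructed connection, the record outcome; the 10.0.0.5 case is rejected without SSL but reaches the krb5 line with `ssl=True`, which is exactly the distinction between "host" and "hostssl" the comments above draw.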