1 <!-- doc/src/sgml/client-auth.sgml -->
3 <chapter id="client-authentication">
4 <title>Client Authentication</title>
6 <indexterm zone="client-authentication">
7 <primary>client authentication</primary>
11 When a client application connects to the database server, it
12 specifies which <productname>PostgreSQL</productname> database user name it
13 wants to connect as, much the same way one logs into a Unix computer
14 as a particular user. Within the SQL environment the active database
15 user name determines access privileges to database objects — see
16 <xref linkend="user-manag"> for more information. Therefore, it is
17 essential to restrict which database users can connect.
22 As explained in <xref linkend="user-manag">,
23 <productname>PostgreSQL</productname> actually does privilege
24 management in terms of <quote>roles</>. In this chapter, we
25 consistently use <firstterm>database user</> to mean <quote>role with the
26 <literal>LOGIN</> privilege</quote>.
31 <firstterm>Authentication</firstterm> is the process by which the
32 database server establishes the identity of the client, and by
33 extension determines whether the client application (or the user
34 who runs the client application) is permitted to connect with the
35 database user name that was requested.
39 <productname>PostgreSQL</productname> offers a number of different
40 client authentication methods. The method used to authenticate a
41 particular client connection can be selected on the basis of
42 (client) host address, database, and user.
46 <productname>PostgreSQL</productname> database user names are logically
47 separate from user names of the operating system in which the server
48 runs. If all the users of a particular server also have accounts on
49 the server's machine, it makes sense to assign database user names
50 that match their operating system user names. However, a server that
51 accepts remote connections might have many database users who have no local
53 account, and in such cases there need be no connection between
54 database user names and OS user names.
57 <sect1 id="auth-pg-hba-conf">
58 <title>The <filename>pg_hba.conf</filename> File</title>
60 <indexterm zone="auth-pg-hba-conf">
61 <primary>pg_hba.conf</primary>
65 Client authentication is controlled by a configuration file,
66 which traditionally is named
67 <filename>pg_hba.conf</filename> and is stored in the database
68 cluster's data directory.
69 (<acronym>HBA</> stands for host-based authentication.) A default
70 <filename>pg_hba.conf</filename> file is installed when the data
71 directory is initialized by <command>initdb</command>. It is
72 possible to place the authentication configuration file elsewhere,
73 however; see the <xref linkend="guc-hba-file"> configuration parameter.
77 The general format of the <filename>pg_hba.conf</filename> file is
78 a set of records, one per line. Blank lines are ignored, as is any
79 text after the <literal>#</literal> comment character.
80 Records cannot be continued across lines.
82 up of a number of fields which are separated by spaces and/or tabs.
83 Fields can contain white space if the field value is double-quoted.
84 Quoting one of the keywords in a database, user, or address field (e.g.,
85 <literal>all</> or <literal>replication</>) makes the word lose its special
86 character, and just match a database, user, or host with that name.
90 Each record specifies a connection type, a client IP address range
91 (if relevant for the connection type), a database name, a user name,
92 and the authentication method to be used for connections matching
93 these parameters. The first record with a matching connection type,
94 client address, requested database, and user name is used to perform
95 authentication. There is no <quote>fall-through</> or
96 <quote>backup</>: if one record is chosen and the authentication
97 fails, subsequent records are not considered. If no record matches,
102 A record can have one of the seven formats
104 local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
105 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
106 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
107 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
108 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
109 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
110 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
112 The meaning of the fields is as follows:
116 <term><literal>local</literal></term>
119 This record matches connection attempts using Unix-domain
120 sockets. Without a record of this type, Unix-domain socket
121 connections are disallowed.
127 <term><literal>host</literal></term>
130 This record matches connection attempts made using TCP/IP.
131 <literal>host</literal> records match either
132 <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
137 Remote TCP/IP connections will not be possible unless
138 the server is started with an appropriate value for the
139 <xref linkend="guc-listen-addresses"> configuration parameter,
140 since the default behavior is to listen for TCP/IP connections
141 only on the local loopback address <literal>localhost</>.
148 <term><literal>hostssl</literal></term>
151 This record matches connection attempts made using TCP/IP,
152 but only when the connection is made with <acronym>SSL</acronym>
157 To make use of this option the server must be built with
158 <acronym>SSL</acronym> support. Furthermore,
159 <acronym>SSL</acronym> must be enabled at server start time
160 by setting the <xref linkend="guc-ssl"> configuration parameter (see
161 <xref linkend="ssl-tcp"> for more information).
167 <term><literal>hostnossl</literal></term>
170 This record type has the opposite behavior of <literal>hostssl</>;
171 it only matches connection attempts made over
172 TCP/IP that do not use <acronym>SSL</acronym>.
178 <term><replaceable>database</replaceable></term>
181 Specifies which database name(s) this record matches. The value
182 <literal>all</literal> specifies that it matches all databases.
183 The value <literal>sameuser</> specifies that the record
184 matches if the requested database has the same name as the
185 requested user. The value <literal>samerole</> specifies that
186 the requested user must be a member of the role with the same
187 name as the requested database. (<literal>samegroup</> is an
188 obsolete but still accepted spelling of <literal>samerole</>.)
189 Superusers are not considered to be members of a role for the
190 purposes of <literal>samerole</> unless they are explicitly
191 members of the role, directly or indirectly, and not just by
192 virtue of being a superuser.
193 The value <literal>replication</> specifies that the record
194 matches if a replication connection is requested (note that
195 replication connections do not specify any particular database).
196 Otherwise, this is the name of
197 a specific <productname>PostgreSQL</productname> database.
198 Multiple database names can be supplied by separating them with
199 commas. A separate file containing database names can be specified by
200 preceding the file name with <literal>@</>.
206 <term><replaceable>user</replaceable></term>
209 Specifies which database user name(s) this record
210 matches. The value <literal>all</literal> specifies that it
211 matches all users. Otherwise, this is either the name of a specific
212 database user, or a group name preceded by <literal>+</>.
213 (Recall that there is no real distinction between users and groups
214 in <productname>PostgreSQL</>; a <literal>+</> mark really means
215 <quote>match any of the roles that are directly or indirectly members
216 of this role</>, while a name without a <literal>+</> mark matches
217 only that specific role.) For this purpose, a superuser is only
218 considered to be a member of a role if they are explicitly a member
219 of the role, directly or indirectly, and not just by virtue of
221 Multiple user names can be supplied by separating them with commas.
222 A separate file containing user names can be specified by preceding the
223 file name with <literal>@</>.
229 <term><replaceable>address</replaceable></term>
232 Specifies the client machine addresses that this record
233 matches. This field can contain either a host name, an IP
234 address range, or one of the special key words mentioned below.
238 An IP address is specified in standard dotted decimal
239 notation with a <acronym>CIDR</> mask length. The mask
240 length indicates the number of high-order bits of the client
241 IP address that must match. Bits to the right of this should
242 be zero in the given IP address.
243 There must not be any white space between the IP address, the
244 <literal>/</literal>, and the CIDR mask length.
248 Typical examples of an IP address range specified this way are
249 <literal>172.20.143.89/32</literal> for a single host, or
250 <literal>172.20.143.0/24</literal> for a small network, or
251 <literal>10.6.0.0/16</literal> for a larger one.
252 <literal>0.0.0.0/0</literal> represents all
253 IPv4 addresses, and <literal>::/0</literal> represents
255 To specify a single host, use a CIDR mask of 32 for IPv4 or
256 128 for IPv6. In a network address, do not omit trailing zeroes.
260 An IP address given in IPv4 format will match IPv6 connections that
261 have the corresponding address, for example <literal>127.0.0.1</>
262 will match the IPv6 address <literal>::ffff:127.0.0.1</>. An entry
263 given in IPv6 format will match only IPv6 connections, even if the
264 represented address is in the IPv4-in-IPv6 range. Note that entries
265 in IPv6 format will be rejected if the system's C library does not have
266 support for IPv6 addresses.
270 You can also write <literal>all</literal> to match any IP address,
271 <literal>samehost</literal> to match any of the server's own IP
272 addresses, or <literal>samenet</literal> to match any address in any
273 subnet that the server is directly connected to.
277 If a host name is specified (anything that is not an IP address
278 or a special key word is processed as a potential host name),
279 that name is compared with the result of a reverse name
280 resolution of the client's IP address (e.g., reverse DNS
281 lookup, if DNS is used). Host name comparisons are case
282 insensitive. If there is a match, then a forward name
283 resolution (e.g., forward DNS lookup) is performed on the host
284 name to check whether any of the addresses it resolves to are
285 equal to the client's IP address. If both directions match,
286 then the entry is considered to match. (The host name that is
287 used in <filename>pg_hba.conf</filename> should be the one that
288 address-to-name resolution of the client's IP address returns,
289 otherwise the line won't be matched. Some host name databases
290 allow associating an IP address with multiple host names, but
291 the operating system will only return one host name when asked
292 to resolve an IP address.)
296 A host name specification that starts with a dot
297 (<literal>.</literal>) matches a suffix of the actual host
298 name. So <literal>.example.com</literal> would match
299 <literal>foo.example.com</literal> (but not just
300 <literal>example.com</literal>).
304 When host names are specified
305 in <filename>pg_hba.conf</filename>, you should make sure that
306 name resolution is reasonably fast. It can be of advantage to
307 set up a local name resolution cache such
308 as <command>nscd</command>. Also, you may wish to enable the
309 configuration parameter <varname>log_hostname</varname> to see
310 the client's host name instead of the IP address in the log.
315 Occasionally, users have wondered why host names are handled
316 in this seemingly complicated way with two name resolutions
317 and requiring reverse lookup of IP addresses, which is
318 sometimes not set up or points to some undesirable host name.
319 It is primarily for efficiency: A connection attempt requires
320 two resolver lookups of the current client's address. If
321 there is resolver problem with that address, it becomes only
322 that client's problem. A hypothetical alternative
323 implementation which only does forward lookups would have to
324 resolve every host name mentioned in
325 <filename>pg_hba.conf</filename> at every connection attempt.
326 That would already be slow by itself. And if there is a
327 resolver problem with one of the host names, it becomes
332 Also, a reverse lookup is necessary to implement the suffix
333 matching feature, because the actual client host name needs to
334 be known in order to match it against the pattern.
338 Note that this behavior is consistent with other popular
339 implementations of host name-based access control, such as the
340 Apache HTTP Server and TCP Wrappers.
345 This field only applies to <literal>host</literal>,
346 <literal>hostssl</literal>, and <literal>hostnossl</> records.
352 <term><replaceable>IP-address</replaceable></term>
353 <term><replaceable>IP-mask</replaceable></term>
356 These fields can be used as an alternative to the
357 <replaceable>CIDR-address</replaceable> notation. Instead of
358 specifying the mask length, the actual mask is specified in a
359 separate column. For example, <literal>255.0.0.0</> represents an IPv4
360 CIDR mask length of 8, and <literal>255.255.255.255</> represents a
361 CIDR mask length of 32.
365 These fields only apply to <literal>host</literal>,
366 <literal>hostssl</literal>, and <literal>hostnossl</> records.
372 <term><replaceable>auth-method</replaceable></term>
375 Specifies the authentication method to use when a connection matches
376 this record. The possible choices are summarized here; details
377 are in <xref linkend="auth-methods">.
381 <term><literal>trust</></term>
384 Allow the connection unconditionally. This method
385 allows anyone that can connect to the
386 <productname>PostgreSQL</productname> database server to login as
387 any <productname>PostgreSQL</productname> user they wish,
388 without the need for a password or any other authentication. See <xref
389 linkend="auth-trust"> for details.
395 <term><literal>reject</></term>
398 Reject the connection unconditionally. This is useful for
399 <quote>filtering out</> certain hosts from a group, for example a
400 <literal>reject</> line could block a specific host from connecting,
401 while a later line allows the remaining hosts in a specific
408 <term><literal>md5</></term>
411 Require the client to supply an MD5-encrypted password for
413 See <xref linkend="auth-password"> for details.
419 <term><literal>password</></term>
422 Require the client to supply an unencrypted password for
424 Since the password is sent in clear text over the
425 network, this should not be used on untrusted networks.
426 See <xref linkend="auth-password"> for details.
432 <term><literal>gss</></term>
435 Use GSSAPI to authenticate the user. This is only
436 available for TCP/IP connections. See <xref
437 linkend="gssapi-auth"> for details.
443 <term><literal>sspi</></term>
446 Use SSPI to authenticate the user. This is only
447 available on Windows. See <xref
448 linkend="sspi-auth"> for details.
454 <term><literal>krb5</></term>
457 Use Kerberos V5 to authenticate the user. This is only
458 available for TCP/IP connections. See <xref
459 linkend="kerberos-auth"> for details.
465 <term><literal>ident</></term>
468 Obtain the operating system user name of the client
469 by contacting the ident server on the client
470 and check if it matches the requested database user name.
471 Ident authentication can only be used on TCP/IP
472 connections. When specified for local connections, peer
473 authentication will be used instead.
474 See <xref linkend="auth-ident"> for details.
480 <term><literal>peer</></term>
483 Obtain the client's operating system user name from the operating
484 system and check if it matches the requested database user name.
485 This is only available for local connections.
486 See <xref linkend="auth-peer"> for details.
492 <term><literal>ldap</></term>
495 Authenticate using an <acronym>LDAP</> server. See <xref
496 linkend="auth-ldap"> for details.
502 <term><literal>radius</></term>
505 Authenticate using a RADIUS server. See <xref
506 linkend="auth-radius"> for details.
512 <term><literal>cert</></term>
515 Authenticate using SSL client certificates. See
516 <xref linkend="auth-cert"> for details.
522 <term><literal>pam</></term>
525 Authenticate using the Pluggable Authentication Modules
526 (PAM) service provided by the operating system. See <xref
527 linkend="auth-pam"> for details.
538 <term><replaceable>auth-options</replaceable></term>
541 After the <replaceable>auth-method</> field, there can be field(s) of
542 the form <replaceable>name</><literal>=</><replaceable>value</> that
543 specify options for the authentication method. Details about which
544 options are available for which authentication methods appear below.
552 Files included by <literal>@</> constructs are read as lists of names,
553 which can be separated by either whitespace or commas. Comments are
554 introduced by <literal>#</literal>, just as in
555 <filename>pg_hba.conf</filename>, and nested <literal>@</> constructs are
556 allowed. Unless the file name following <literal>@</> is an absolute
557 path, it is taken to be relative to the directory containing the
562 Since the <filename>pg_hba.conf</filename> records are examined
563 sequentially for each connection attempt, the order of the records is
564 significant. Typically, earlier records will have tight connection
565 match parameters and weaker authentication methods, while later
566 records will have looser match parameters and stronger authentication
567 methods. For example, one might wish to use <literal>trust</>
568 authentication for local TCP/IP connections but require a password for
569 remote TCP/IP connections. In this case a record specifying
570 <literal>trust</> authentication for connections from 127.0.0.1 would
571 appear before a record specifying password authentication for a wider
572 range of allowed client IP addresses.
576 The <filename>pg_hba.conf</filename> file is read on start-up and when
577 the main server process receives a
578 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
579 signal. If you edit the file on an
580 active system, you will need to signal the postmaster
581 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
587 To connect to a particular database, a user must not only pass the
588 <filename>pg_hba.conf</filename> checks, but must have the
589 <literal>CONNECT</> privilege for the database. If you wish to
590 restrict which users can connect to which databases, it's usually
591 easier to control this by granting/revoking <literal>CONNECT</> privilege
592 than to put the rules in <filename>pg_hba.conf</filename> entries.
597 Some examples of <filename>pg_hba.conf</filename> entries are shown in
598 <xref linkend="example-pg-hba.conf">. See the next section for details on the
599 different authentication methods.
602 <example id="example-pg-hba.conf">
603 <title>Example <filename>pg_hba.conf</filename> Entries</title>
605 # Allow any user on the local system to connect to any database with
606 # any database user name using Unix-domain sockets (the default for local
609 # TYPE DATABASE USER ADDRESS METHOD
612 # The same using local loopback TCP/IP connections.
614 # TYPE DATABASE USER ADDRESS METHOD
615 host all all 127.0.0.1/32 trust
617 # The same as the previous line, but using a separate netmask column
619 # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
620 host all all 127.0.0.1 255.255.255.255 trust
622 # The same over IPv6.
624 # TYPE DATABASE USER ADDRESS METHOD
625 host all all ::1/128 trust
627 # The same using a host name (would typically cover both IPv4 and IPv6).
629 # TYPE DATABASE USER ADDRESS METHOD
630 host all all localhost trust
632 # Allow any user from any host with IP address 192.168.93.x to connect
633 # to database "postgres" as the same user name that ident reports for
634 # the connection (typically the operating system user name).
636 # TYPE DATABASE USER ADDRESS METHOD
637 host postgres all 192.168.93.0/24 ident
639 # Allow any user from host 192.168.12.10 to connect to database
640 # "postgres" if the user's password is correctly supplied.
642 # TYPE DATABASE USER ADDRESS METHOD
643 host postgres all 192.168.12.10/32 md5
645 # Allow any user from hosts in the example.com domain to connect to
646 # any database if the user's password is correctly supplied.
648 # TYPE DATABASE USER ADDRESS METHOD
649 host all all .example.com md5
651 # In the absence of preceding "host" lines, these two lines will
652 # reject all connections from 192.168.54.1 (since that entry will be
653 # matched first), but allow Kerberos 5 connections from anywhere else
654 # on the Internet. The zero mask causes no bits of the host IP
655 # address to be considered, so it matches any host.
657 # TYPE DATABASE USER ADDRESS METHOD
658 host all all 192.168.54.1/32 reject
659 host all all 0.0.0.0/0 krb5
661 # Allow users from 192.168.x.x hosts to connect to any database, if
662 # they pass the ident check. If, for example, ident says the user is
663 # "bryanh" and he requests to connect as PostgreSQL user "guest1", the
664 # connection is allowed if there is an entry in pg_ident.conf for map
665 # "omicron" that says "bryanh" is allowed to connect as "guest1".
667 # TYPE DATABASE USER ADDRESS METHOD
668 host all all 192.168.0.0/16 ident map=omicron
670 # If these are the only three lines for local connections, they will
671 # allow local users to connect only to their own databases (databases
672 # with the same name as their database user name) except for administrators
673 # and members of role "support", who can connect to all databases. The file
674 # $PGDATA/admins contains a list of names of administrators. Passwords
675 # are required in all cases.
677 # TYPE DATABASE USER ADDRESS METHOD
678 local sameuser all md5
679 local all @admins md5
680 local all +support md5
682 # The last two lines above can be combined into a single line:
683 local all @admins,+support md5
685 # The database column can also use lists and file names:
686 local db1,db2,@demodbs all md5
691 <sect1 id="auth-username-maps">
692 <title>User Name Maps</title>
694 <indexterm zone="auth-username-maps">
695 <primary>User name maps</primary>
699 When using an external authentication system like Ident or GSSAPI,
700 the name of the operating system user that initiated the connection
701 might not be the same as the database user he needs to connect as.
702 In this case, a user name map can be applied to map the operating system
703 user name to a database user. To use user name mapping, specify
704 <literal>map</literal>=<replaceable>map-name</replaceable>
705 in the options field in <filename>pg_hba.conf</filename>. This option is
706 supported for all authentication methods that receive external user names.
707 Since different mappings might be needed for different connections,
708 the name of the map to be used is specified in the
709 <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
710 to indicate which map to use for each individual connection.
714 User name maps are defined in the ident map file, which by default is named
715 <filename>pg_ident.conf</><indexterm><primary>pg_ident.conf</primary></indexterm>
717 cluster's data directory. (It is possible to place the map file
718 elsewhere, however; see the <xref linkend="guc-ident-file">
719 configuration parameter.)
720 The ident map file contains lines of the general form:
722 <replaceable>map-name</> <replaceable>system-username</> <replaceable>database-username</>
724 Comments and whitespace are handled in the same way as in
725 <filename>pg_hba.conf</>. The
726 <replaceable>map-name</> is an arbitrary name that will be used to
727 refer to this mapping in <filename>pg_hba.conf</filename>. The other
728 two fields specify an operating system user name and a matching
729 database user name. The same <replaceable>map-name</> can be
730 used repeatedly to specify multiple user-mappings within a single map.
733 There is no restriction regarding how many database users a given
734 operating system user can correspond to, nor vice versa. Thus, entries
735 in a map should be thought of as meaning <quote>this operating system
736 user is allowed to connect as this database user</quote>, rather than
737 implying that they are equivalent. The connection will be allowed if
738 there is any map entry that pairs the user name obtained from the
739 external authentication system with the database user name that the
740 user has requested to connect as.
743 If the <replaceable>system-username</> field starts with a slash (<literal>/</>),
744 the remainder of the field is treated as a regular expression.
745 (See <xref linkend="posix-syntax-details"> for details of
746 <productname>PostgreSQL</>'s regular expression syntax.) The regular
747 expression can include a single capture, or parenthesized subexpression,
748 which can then be referenced in the <replaceable>database-username</>
749 field as <literal>\1</> (backslash-one). This allows the mapping of
750 multiple user names in a single line, which is particularly useful for
751 simple syntax substitutions. For example, these entries
753 mymap /^(.*)@mydomain\.com$ \1
754 mymap /^(.*)@otherdomain\.com$ guest
756 will remove the domain part for users with system user names that end with
757 <literal>@mydomain.com</>, and allow any user whose system name ends with
758 <literal>@otherdomain.com</> to log in as <literal>guest</>.
763 Keep in mind that by default, a regular expression can match just part of
764 a string. It's usually wise to use <literal>^</> and <literal>$</>, as
765 shown in the above example, to force the match to be to the entire
771 The <filename>pg_ident.conf</filename> file is read on start-up and
772 when the main server process receives a
773 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
774 signal. If you edit the file on an
775 active system, you will need to signal the postmaster
776 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
781 A <filename>pg_ident.conf</filename> file that could be used in
782 conjunction with the <filename>pg_hba.conf</> file in <xref
783 linkend="example-pg-hba.conf"> is shown in <xref
784 linkend="example-pg-ident.conf">. In this example, anyone
785 logged in to a machine on the 192.168 network that does not have the
786 operating system user name <literal>bryanh</>, <literal>ann</>, or
787 <literal>robert</> would not be granted access. Unix user
788 <literal>robert</> would only be allowed access when he tries to
789 connect as <productname>PostgreSQL</> user <literal>bob</>, not
790 as <literal>robert</> or anyone else. <literal>ann</> would
791 only be allowed to connect as <literal>ann</>. User
792 <literal>bryanh</> would be allowed to connect as either
793 <literal>bryanh</> or as <literal>guest1</>.
796 <example id="example-pg-ident.conf">
797 <title>An Example <filename>pg_ident.conf</> File</title>
799 # MAPNAME SYSTEM-USERNAME PG-USERNAME
801 omicron bryanh bryanh
803 # bob has user name robert on these machines
805 # bryanh can also connect as guest1
806 omicron bryanh guest1
811 <sect1 id="auth-methods">
812 <title>Authentication Methods</title>
814 The following subsections describe the authentication methods in more detail.
817 <sect2 id="auth-trust">
818 <title>Trust Authentication</title>
821 When <literal>trust</> authentication is specified,
822 <productname>PostgreSQL</productname> assumes that anyone who can
823 connect to the server is authorized to access the database with
824 whatever database user name they specify (even superuser names).
825 Of course, restrictions made in the <literal>database</> and
826 <literal>user</> columns still apply.
827 This method should only be used when there is adequate
828 operating-system-level protection on connections to the server.
832 <literal>trust</> authentication is appropriate and very
833 convenient for local connections on a single-user workstation. It
834 is usually <emphasis>not</> appropriate by itself on a multiuser
835 machine. However, you might be able to use <literal>trust</> even
836 on a multiuser machine, if you restrict access to the server's
837 Unix-domain socket file using file-system permissions. To do this, set the
838 <varname>unix_socket_permissions</varname> (and possibly
839 <varname>unix_socket_group</varname>) configuration parameters as
840 described in <xref linkend="runtime-config-connection">. Or you
841 could set the <varname>unix_socket_directories</varname>
842 configuration parameter to place the socket file in a suitably
843 restricted directory.
847 Setting file-system permissions only helps for Unix-socket connections.
848 Local TCP/IP connections are not restricted by file-system permissions.
849 Therefore, if you want to use file-system permissions for local security,
850 remove the <literal>host ... 127.0.0.1 ...</> line from
851 <filename>pg_hba.conf</>, or change it to a
852 non-<literal>trust</> authentication method.
856 <literal>trust</> authentication is only suitable for TCP/IP connections
857 if you trust every user on every machine that is allowed to connect
858 to the server by the <filename>pg_hba.conf</> lines that specify
859 <literal>trust</>. It is seldom reasonable to use <literal>trust</>
860 for any TCP/IP connections other than those from <systemitem>localhost</> (127.0.0.1).
865 <sect2 id="auth-password">
866 <title>Password Authentication</title>
872 <primary>password</primary>
873 <secondary>authentication</secondary>
877 The password-based authentication methods are <literal>md5</>
878 and <literal>password</>. These methods operate
879 similarly except for the way that the password is sent across the
880 connection, namely MD5-hashed and clear-text respectively.
884 If you are at all concerned about password
885 <quote>sniffing</> attacks then <literal>md5</> is preferred.
886 Plain <literal>password</> should always be avoided if possible.
887 However, <literal>md5</> cannot be used with the <xref
888 linkend="guc-db-user-namespace"> feature. If the connection is
889 protected by SSL encryption then <literal>password</> can be used
890 safely (though SSL certificate authentication might be a better
891 choice if one is depending on using SSL).
895 <productname>PostgreSQL</productname> database passwords are
896 separate from operating system user passwords. The password for
897 each database user is stored in the <literal>pg_authid</> system
898 catalog. Passwords can be managed with the SQL commands
899 <xref linkend="sql-createuser"> and
900 <xref linkend="sql-alterrole">,
901 e.g., <userinput>CREATE USER foo WITH PASSWORD 'secret'</userinput>.
902 If no password has been set up for a user, the stored password
903 is null and password authentication will always fail for that user.
908 <sect2 id="gssapi-auth">
909 <title>GSSAPI Authentication</title>
911 <indexterm zone="gssapi-auth">
912 <primary>GSSAPI</primary>
916 <productname>GSSAPI</productname> is an industry-standard protocol
917 for secure authentication defined in RFC 2743.
918 <productname>PostgreSQL</productname> supports
919 <productname>GSSAPI</productname> with <productname>Kerberos</productname>
920 authentication according to RFC 1964. <productname>GSSAPI</productname>
921 provides automatic authentication (single sign-on) for systems
922 that support it. The authentication itself is secure, but the
923 data sent over the database connection will be sent unencrypted unless
924 <acronym>SSL</acronym> is used.
928 When <productname>GSSAPI</productname> uses
929 <productname>Kerberos</productname>, it uses a standard principal
931 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>. For information about the parts of the principal, and
932 how to set up the required keys, see <xref linkend="kerberos-auth">.
936 GSSAPI support has to be enabled when <productname>PostgreSQL</> is built;
937 see <xref linkend="installation"> for more information.
941 The following configuration options are supported for <productname>GSSAPI</productname>:
944 <term><literal>include_realm</literal></term>
947 If set to 1, the realm name from the authenticated user
948 principal is included in the system user name that's passed through
949 user name mapping (<xref linkend="auth-username-maps">). This is
950 useful for handling users from multiple realms.
956 <term><literal>map</literal></term>
959 Allows for mapping between system and database user names. See
960 <xref linkend="auth-username-maps"> for details. For a Kerberos
961 principal <literal>username/hostbased@EXAMPLE.COM</literal>, the
962 user name used for mapping is <literal>username/hostbased</literal>
963 if <literal>include_realm</literal> is disabled, and
964 <literal>username/hostbased@EXAMPLE.COM</literal> if
965 <literal>include_realm</literal> is enabled.
971 <term><literal>krb_realm</literal></term>
974 Sets the realm to match user principal names against. If this parameter
975 is set, only users of that realm will be accepted. If it is not set,
976 users of any realm can connect, subject to whatever user name mapping
985 <sect2 id="sspi-auth">
986 <title>SSPI Authentication</title>
988 <indexterm zone="sspi-auth">
989 <primary>SSPI</primary>
993 <productname>SSPI</productname> is a <productname>Windows</productname>
994 technology for secure authentication with single sign-on.
995 <productname>PostgreSQL</productname> will use SSPI in
996 <literal>negotiate</literal> mode, which will use
997 <productname>Kerberos</productname> when possible and automatically
998 fall back to <productname>NTLM</productname> in other cases.
999 <productname>SSPI</productname> authentication only works when both
1000 server and client are running <productname>Windows</productname>,
1001 or, on non-Windows platforms, when <productname>GSSAPI</productname>
1006 When using <productname>Kerberos</productname> authentication,
1007 <productname>SSPI</productname> works the same way
1008 <productname>GSSAPI</productname> does; see <xref linkend="gssapi-auth">
1013 The following configuration options are supported for <productname>SSPI</productname>:
1017 <term><literal>include_realm</literal></term>
1020 If set to 1, the realm name from the authenticated user
1021 principal is included in the system user name that's passed through
1022 user name mapping (<xref linkend="auth-username-maps">). This is
1023 useful for handling users from multiple realms.
1029 <term><literal>map</literal></term>
1032 Allows for mapping between system and database user names. See
1033 <xref linkend="auth-username-maps"> for details.
1039 <term><literal>krb_realm</literal></term>
1042 Sets the realm to match user principal names against. If this parameter
1043 is set, only users of that realm will be accepted. If it is not set,
1044 users of any realm can connect, subject to whatever user name mapping
1053 <sect2 id="kerberos-auth">
1054 <title>Kerberos Authentication</title>
1056 <indexterm zone="kerberos-auth">
1057 <primary>Kerberos</primary>
1062 Native Kerberos authentication has been deprecated and should be used
1063 only for backward compatibility. New and upgraded installations are
1064 encouraged to use the industry-standard <productname>GSSAPI</productname>
1065 authentication method (see <xref linkend="gssapi-auth">) instead.
1070 <productname>Kerberos</productname> is an industry-standard secure
1071 authentication system suitable for distributed computing over a public
1072 network. A description of the <productname>Kerberos</productname> system
1073 is beyond the scope of this document; in full generality it can be
1074 quite complex (yet powerful). The
1075 <ulink url="http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
1076 Kerberos <acronym>FAQ</></ulink> or
1077 <ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
1078 can be good starting points for exploration.
1079 Several sources for <productname>Kerberos</> distributions exist.
1080 <productname>Kerberos</productname> provides secure authentication but
1081 does not encrypt queries or data passed over the network; for that
1082 use <acronym>SSL</acronym>.
1086 <productname>PostgreSQL</> supports Kerberos version 5. Kerberos
1087 support has to be enabled when <productname>PostgreSQL</> is built;
1088 see <xref linkend="installation"> for more information.
1092 <productname>PostgreSQL</> operates like a normal Kerberos service.
1093 The name of the service principal is
1094 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
1098 <replaceable>servicename</> can be set on the server side using the
1099 <xref linkend="guc-krb-srvname"> configuration parameter, and on the
1100 client side using the <literal>krbsrvname</> connection parameter. (See
1101 also <xref linkend="libpq-connect">.) The installation default can be
1102 changed from the default <literal>postgres</literal> at build time using
1103 <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
1104 In most environments,
1105 this parameter never needs to be changed. However, it is necessary
1106 when supporting multiple <productname>PostgreSQL</> installations
1108 Some Kerberos implementations might also require a different service name,
1109 such as Microsoft Active Directory which requires the service name
1110 to be in upper case (<literal>POSTGRES</literal>).
1114 <replaceable>hostname</> is the fully qualified host name of the
1115 server machine. The service principal's realm is the preferred realm
1116 of the server machine.
1120 Client principals must have their <productname>PostgreSQL</> database user
1121 name as their first component, for example
1122 <literal>pgusername@realm</>. Alternatively, you can use a user name
1123 mapping to map from the first component of the principal name to the
1124 database user name. By default, the realm of the client is
1125 not checked by <productname>PostgreSQL</>. If you have cross-realm
1126 authentication enabled and need to verify the realm, use the
1127 <literal>krb_realm</> parameter, or enable <literal>include_realm</>
1128 and use user name mapping to check the realm.
1132 Make sure that your server keytab file is readable (and preferably
1133 only readable) by the <productname>PostgreSQL</productname> server
1134 account. (See also <xref linkend="postgres-user">.) The location
1135 of the key file is specified by the <xref
1136 linkend="guc-krb-server-keyfile"> configuration
1137 parameter. The default is
1138 <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
1139 directory was specified as <varname>sysconfdir</> at build time).
1143 The keytab file is generated by the Kerberos software; see the
1144 Kerberos documentation for details. The following example is
1145 for MIT-compatible Kerberos 5 implementations:
1147 <prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
1148 <prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
1153 When connecting to the database make sure you have a ticket for a
1154 principal matching the requested database user name. For example, for
1155 database user name <literal>fred</>, principal
1156 <literal>fred@EXAMPLE.COM</> would be able to connect. To also allow
1157 principal <literal>fred/users.example.com@EXAMPLE.COM</>, use a user name
1158 map, as described in <xref linkend="auth-username-maps">.
1162 If you use <ulink url="http://modauthkerb.sf.net">
1163 <application>mod_auth_kerb</application></ulink>
1164 and <application>mod_perl</application> on your
1165 <productname>Apache</productname> web server, you can use
1166 <literal>AuthType KerberosV5SaveCredentials</literal> with a
1167 <application>mod_perl</application> script. This gives secure
1168 database access over the web, with no additional passwords required.
1172 The following configuration options are supported for
1173 <productname>Kerberos</productname>:
1176 <term><literal>map</literal></term>
1179 Allows for mapping between system and database user names. See
1180 <xref linkend="auth-username-maps"> for details.
1186 <term><literal>include_realm</literal></term>
1189 If set to 1, the realm name from the authenticated user
1190 principal is included in the system user name that's passed through
1191 user name mapping (<xref linkend="auth-username-maps">). This is
1192 useful for handling users from multiple realms.
1198 <term><literal>krb_realm</literal></term>
1201 Sets the realm to match user principal names against. If this parameter
1202 is set, only users of that realm will be accepted. If it is not set,
1203 users of any realm can connect, subject to whatever user name mapping
1210 <term><literal>krb_server_hostname</literal></term>
1213 Sets the host name part of the service principal.
1214 This, combined with <varname>krb_srvname</>, is used to generate
1215 the complete service principal, that is
1216 <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
1217 If not set, the default is the server host name.
1225 <sect2 id="auth-ident">
1226 <title>Ident Authentication</title>
1229 <primary>ident</primary>
1233 The ident authentication method works by obtaining the client's
1234 operating system user name from an ident server and using it as
1235 the allowed database user name (with an optional user name mapping).
1236 This is only supported on TCP/IP connections.
1241 When ident is specified for a local (non-TCP/IP) connection,
1242 peer authentication (see <xref linkend="auth-peer">) will be
1248 The following configuration options are supported for <productname>ident</productname>:
1251 <term><literal>map</literal></term>
1254 Allows for mapping between system and database user names. See
1255 <xref linkend="auth-username-maps"> for details.
1263 The <quote>Identification Protocol</quote> is described in
1264 RFC 1413. Virtually every Unix-like
1265 operating system ships with an ident server that listens on TCP
1266 port 113 by default. The basic functionality of an ident server
1267 is to answer questions like <quote>What user initiated the
1268 connection that goes out of your port <replaceable>X</replaceable>
1269 and connects to my port <replaceable>Y</replaceable>?</quote>.
1270 Since <productname>PostgreSQL</> knows both <replaceable>X</> and
1271 <replaceable>Y</> when a physical connection is established, it
1272 can interrogate the ident server on the host of the connecting
1273 client and can theoretically determine the operating system user
1274 for any given connection.
1278 The drawback of this procedure is that it depends on the integrity
1279 of the client: if the client machine is untrusted or compromised,
1280 an attacker could run just about any program on port 113 and
1281 return any user name he chooses. This authentication method is
1282 therefore only appropriate for closed networks where each client
1283 machine is under tight control and where the database and system
1284 administrators operate in close contact. In other words, you must
1285 trust the machine running the ident server.
1288 <attribution>RFC 1413</attribution>
1290 The Identification Protocol is not intended as an authorization
1291 or access control protocol.
1297 Some ident servers have a nonstandard option that causes the returned
1298 user name to be encrypted, using a key that only the originating
1299 machine's administrator knows. This option <emphasis>must not</> be
1300 used when using the ident server with <productname>PostgreSQL</>,
1301 since <productname>PostgreSQL</> does not have any way to decrypt the
1302 returned string to determine the actual user name.
1306 <sect2 id="auth-peer">
1307 <title>Peer Authentication</title>
1310 <primary>peer</primary>
1314 The peer authentication method works by obtaining the client's
1315 operating system user name from the kernel and using it as the
1316 allowed database user name (with optional user name mapping). This
1317 method is only supported on local connections.
1321 The following configuration options are supported for <productname>peer</productname>:
1324 <term><literal>map</literal></term>
1327 Allows for mapping between system and database user names. See
1328 <xref linkend="auth-username-maps"> for details.
1336 Peer authentication is only available on operating systems providing
1337 the <function>getpeereid()</> function, the <symbol>SO_PEERCRED</symbol>
1338 socket parameter, or similar mechanisms. Currently that includes
1339 <systemitem class="osname">Linux</>,
1340 most flavors of <systemitem class="osname">BSD</> including
1341 <systemitem class="osname">Mac OS X</>,
1342 and <systemitem class="osname">Solaris</systemitem>.
1347 <sect2 id="auth-ldap">
1348 <title>LDAP Authentication</title>
1350 <indexterm zone="auth-ldap">
1351 <primary>LDAP</primary>
1355 This authentication method operates similarly to
1356 <literal>password</literal> except that it uses LDAP
1357 as the password verification method. LDAP is used only to validate
1358 the user name/password pairs. Therefore the user must already
1359 exist in the database before LDAP can be used for
1364 LDAP authentication can operate in two modes. In the first mode,
1365 the server will bind to the distinguished name constructed as
1366 <replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
1367 Typically, the <replaceable>prefix</> parameter is used to specify
1368 <literal>cn=</>, or <replaceable>DOMAIN</><literal>\</> in an Active
1369 Directory environment. <replaceable>suffix</> is used to specify the
1370 remaining part of the DN in a non-Active Directory environment.
1374 In the second mode, the server first binds to the LDAP directory with
1375 a fixed user name and password, specified with <replaceable>ldapbinduser</>
1376 and <replaceable>ldapbinddn</>, and performs a search for the user trying
1377 to log in to the database. If no user and password is configured, an
1378 anonymous bind will be attempted to the directory. The search will be
1379 performed over the subtree at <replaceable>ldapbasedn</>, and will try to
1380 do an exact match of the attribute specified in
1381 <replaceable>ldapsearchattribute</>. If no attribute is specified, the
1382 <literal>uid</> attribute will be used. Once the user has been found in
1383 this search, the server disconnects and re-binds to the directory as
1384 this user, using the password specified by the client, to verify that the
1385 login is correct. This method allows for significantly more flexibility
1386 in where the user objects are located in the directory, but will cause
1387 two separate connections to the LDAP server to be made.
1391 The following configuration options are supported for LDAP:
1394 <term><literal>ldapserver</literal></term>
1397 Names or IP addresses of LDAP servers to connect to. Multiple
1398 servers may be specified, separated by spaces.
1403 <term><literal>ldapport</literal></term>
1406 Port number on LDAP server to connect to. If no port is specified,
1407 the LDAP library's default port setting will be used.
1412 <term><literal>ldaptls</literal></term>
1415 Set to 1 to make the connection between PostgreSQL and the
1416 LDAP server use TLS encryption. Note that this only encrypts
1417 the traffic to the LDAP server — the connection to the client
1418 will still be unencrypted unless SSL is used.
1423 <term><literal>ldapprefix</literal></term>
1426 String to prepend to the user name when forming the DN to bind as,
1427 when doing simple bind authentication.
1432 <term><literal>ldapsuffix</literal></term>
1435 String to append to the user name when forming the DN to bind as,
1436 when doing simple bind authentication.
1441 <term><literal>ldapbasedn</literal></term>
1444 Root DN to begin the search for the user in, when doing search+bind
1450 <term><literal>ldapbinddn</literal></term>
1453 DN of user to bind to the directory with to perform the search when
1454 doing search+bind authentication.
1459 <term><literal>ldapbindpasswd</literal></term>
1462 Password for user to bind to the directory with to perform the search
1463 when doing search+bind authentication.
1468 <term><literal>ldapsearchattribute</literal></term>
1471 Attribute to match against the user name in the search when doing
1472 search+bind authentication.
1481 Since LDAP often uses commas and spaces to separate the different
1482 parts of a DN, it is often necessary to use double-quoted parameter
1483 values when configuring LDAP options, for example:
1485 ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
1492 <sect2 id="auth-radius">
1493 <title>RADIUS Authentication</title>
1495 <indexterm zone="auth-radius">
1496 <primary>RADIUS</primary>
1500 This authentication method operates similarly to
1501 <literal>password</literal> except that it uses RADIUS
1502 as the password verification method. RADIUS is used only to validate
1503 the user name/password pairs. Therefore the user must already
1504 exist in the database before RADIUS can be used for
1509 When using RADIUS authentication, an Access Request message will be sent
1510 to the configured RADIUS server. This request will be of type
1511 <literal>Authenticate Only</literal>, and include parameters for
1512 <literal>user name</>, <literal>password</> (encrypted) and
1513 <literal>NAS Identifier</>. The request will be encrypted using
1514 a secret shared with the server. The RADIUS server will respond to
1515 this server with either <literal>Access Accept</> or
1516 <literal>Access Reject</>. There is no support for RADIUS accounting.
1520 The following configuration options are supported for RADIUS:
1523 <term><literal>radiusserver</literal></term>
1526 The name or IP address of the RADIUS server to connect to.
1527 This parameter is required.
1533 <term><literal>radiussecret</literal></term>
1536 The shared secret used when talking securely to the RADIUS
1537 server. This must have exactly the same value on the PostgreSQL
1538 and RADIUS servers. It is recommended that this be a string of
1539 at least 16 characters. This parameter is required.
1542 The encryption vector used will only be cryptographically
1543 strong if <productname>PostgreSQL</> is built with support for
1544 <productname>OpenSSL</>. In other cases, the transmission to the
1545 RADIUS server should only be considered obfuscated, not secured, and
1546 external security measures should be applied if necessary.
1554 <term><literal>radiusport</literal></term>
1557 The port number on the RADIUS server to connect to. If no port
1558 is specified, the default port <literal>1812</> will be used.
1564 <term><literal>radiusidentifier</literal></term>
1567 The string used as <literal>NAS Identifier</> in the RADIUS
1568 requests. This parameter can be used as a second parameter
1569 identifying for example which database user the user is attempting
1570 to authenticate as, which can be used for policy matching on
1571 the RADIUS server. If no identifier is specified, the default
1572 <literal>postgresql</> will be used.
1581 <sect2 id="auth-cert">
1582 <title>Certificate Authentication</title>
1584 <indexterm zone="auth-cert">
1585 <primary>Certificate</primary>
1589 This authentication method uses SSL client certificates to perform
1590 authentication. It is therefore only available for SSL connections.
1591 When using this authentication method, the server will require that
1592 the client provide a valid certificate. No password prompt will be sent
1593 to the client. The <literal>cn</literal> (Common Name) attribute of the
1595 will be compared to the requested database user name, and if they match
1596 the login will be allowed. User name mapping can be used to allow
1597 <literal>cn</literal> to be different from the database user name.
1601 The following configuration options are supported for SSL certificate
1605 <term><literal>map</literal></term>
1608 Allows for mapping between system and database user names. See
1609 <xref linkend="auth-username-maps"> for details.
1617 <sect2 id="auth-pam">
1618 <title>PAM Authentication</title>
1620 <indexterm zone="auth-pam">
1621 <primary>PAM</primary>
1625 This authentication method operates similarly to
1626 <literal>password</literal> except that it uses PAM (Pluggable
1627 Authentication Modules) as the authentication mechanism. The
1628 default PAM service name is <literal>postgresql</literal>.
1629 PAM is used only to validate user name/password pairs.
1630 Therefore the user must already exist in the database before PAM
1631 can be used for authentication. For more information about
1632 PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
1633 <productname>Linux-PAM</> Page</ulink>.
1637 The following configuration options are supported for PAM:
1640 <term><literal>pamservice</literal></term>
1652 If PAM is set up to read <filename>/etc/shadow</>, authentication
1653 will fail because the PostgreSQL server is started by a non-root
1654 user. However, this is not an issue when PAM is configured to use
1655 LDAP or other authentication methods.
1661 <sect1 id="client-authentication-problems">
1662 <title>Authentication Problems</title>
1665 Authentication failures and related problems generally
1666 manifest themselves through error messages like the following:
1671 FATAL: no pg_hba.conf entry for host "123.123.123.123", user "andym", database "testdb"
1673 This is what you are most likely to get if you succeed in contacting
1674 the server, but it does not want to talk to you. As the message
1675 suggests, the server refused the connection request because it found
1676 no matching entry in its <filename>pg_hba.conf</filename>
1682 FATAL: password authentication failed for user "andym"
1684 Messages like this indicate that you contacted the server, and it is
1685 willing to talk to you, but not until you pass the authorization
1686 method specified in the <filename>pg_hba.conf</filename> file. Check
1687 the password you are providing, or check your Kerberos or ident
1688 software if the complaint mentions one of those authentication
1694 FATAL: user "andym" does not exist
1696 The indicated database user name was not found.
1701 FATAL: database "testdb" does not exist
1703 The database you are trying to connect to does not exist. Note that
1704 if you do not specify a database name, it defaults to the database
1705 user name, which might or might not be the right thing.
1710 The server log might contain more information about an
1711 authentication failure than is reported to the client. If you are
1712 confused about the reason for a failure, check the server log.