2 # Example PostgreSQL host access control file.
5 # This file controls what hosts are allowed to connect to what databases
6 # and specifies some options on how users on a particular host are identified.
7 # It is read each time a host tries to make a connection to a database.
9 # Each line (terminated by a newline character) is a record. A record cannot
10 # be continued across two lines.
12 # There are 3 kinds of records:
14 # 1) comment: Starts with #.
16 # 2) empty: Contains nothing excepting spaces and tabs.
18 # 3) content: anything else.
20 # Unless specified otherwise, "record" from here on means a content
23 # A record consists of tokens separated by spaces or tabs. Spaces and
24 # tabs at the beginning and end of a record are ignored as are extra
25 # spaces and tabs between two tokens.
27 # The first token in a record is the record type. The interpretation of the
28 # rest of the record depends on the record type.
33 # This record identifies a set of network hosts that are permitted to connect
34 # to databases. No network hosts are permitted to connect except as specified
35 # by a "host" record. See the record type "local" to specify permitted
36 # connections using UNIX sockets.
40 # host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
42 # DBNAME is the name of a PostgreSQL database, "all" to indicate all
43 # databases, or "sameuser" to restrict a user's access to a database
44 # with the same user name.
46 # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
47 # mask to identify a set of hosts. These hosts are allowed to connect to
50 # USERAUTH is a keyword indicating the method used to authenticate the
51 # user, i.e. to determine that the principal is authorized to connect
52 # under the PostgreSQL username he supplies in his connection parameters.
54 # ident: Authentication is done by the ident server on the remote
55 # host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, if
56 # specified, is a map name to be found in the pg_ident.conf file.
57 # That table maps from ident usernames to PostgreSQL usernames. The
58 # special map name "sameuser" indicates an implied map (not found
59 # in pg_ident.conf) that maps every ident username to the identical
60 # PostgreSQL username.
62 # trust: No authentication is done. Trust that the user has the
63 # authority to use whatever username he specifies. Before
64 # PostgreSQL version 6, all authentication was done this way.
66 # reject: Reject the connection.
68 # password: Authentication is done by matching a password supplied in clear
69 # by the host. If AUTH_ARGUMENT is specified then the password
70 # is compared with the user's entry in that file (in the $PGDATA
71 # directory). See pg_passwd(1). If it is omitted then the
72 # password is compared with the user's entry in the pg_shadow
75 # crypt: Authentication is done by matching an encrypted password supplied
76 # by the host with that held for the user in the pg_shadow table.
78 # krb4: Kerberos V4 authentication is used.
80 # krb5: Kerberos V5 authentication is used.
85 # This record identifies the authentication to use when connecting to a
86 # particular database via a local UNIX socket.
90 # local DBNAME USERAUTH [AUTH_ARGUMENT]
92 # The format is the same as that of the "host" record type except that the
93 # IP_ADDRESS and ADDRESS_MASK are omitted and the "ident", "krb4" and "krb5"
94 # values of USERAUTH are not allowed.
96 # For backwards compatibility, PostgreSQL also accepts pre-version 6 records,
99 # all 127.0.0.1 0.0.0.0
101 # TYPE DATABASE IP_ADDRESS MASK USERAUTH MAP
103 #host all 127.0.0.1 255.255.255.255 trust
105 # The above allows any user on the local system to connect to any database
106 # under any username.
108 #host template1 192.168.0.0 255.255.255.0 ident sameuser
110 # The above allows any user from any host with IP address 192.168.0.x to
111 # connect to database template1 as the same username that ident on that host
112 # identifies him as (typically his Unix username).
114 #host all 192.168.0.1 255.255.255.255 reject
115 #host all 0.0.0.0 0.0.0.0 trust
117 # The above would allow anyone anywhere except from 192.168.0.1 to connect to
118 # any database under any username.
120 #host all 192.168.0.0 255.255.255.0 ident omicron
122 # The above would allow users from 192.168.0.x hosts to connect to any
123 # database, but if Ident says the user is "bryanh" and he requests to
124 # connect as PostgreSQL user "guest1", the connection is only allowed if
125 # there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is
126 # allowed to connect as "guest1".
128 # By default, allow anything over UNIX domain sockets and localhost.
131 host all 127.0.0.1 255.255.255.255 trust