3 # PostgreSQL HOST ACCESS CONTROL FILE
6 # This file controls what hosts are allowed to connect to what databases
7 # and specifies some options on how users on a particular host are
8 # identified. It is read each time a host tries to make a connection to a
11 # Each line (terminated by a newline character) is a record. A record
12 # cannot be continued across two lines.
14 # There are 3 kinds of records:
16 # 1) comment: Starts with #.
18 # 2) empty: Contains nothing excepting spaces and tabs.
20 # 3) record: anything else.
22 # Only record lines are significant.
24 # A record consists of tokens separated by spaces or tabs. Spaces and
25 # tabs at the beginning and end of a record are ignored as are extra
26 # spaces and tabs between two tokens.
28 # The first token in a record is the record type. The interpretation of
29 # the rest of the record depends on the record type.
35 # This record identifies a set of network hosts that are permitted to
36 # connect to databases. No network hosts are permitted to connect except
37 # as specified by a "host" record. See the record type "local" to specify
38 # permitted connections for local users via UNIX domain sockets.
42 # host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT]
44 # DBNAME is the name of a PostgreSQL database, "all" to indicate all
45 # databases, or "sameuser" to restrict a user's access to a database with
48 # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address
49 # and mask to identify a set of hosts. These hosts are allowed to connect
50 # to Database DBNAME. There is a separate section about AUTHTYPE below.
53 # Record type "hostssl"
54 # ---------------------
56 # The format of this record is identical to that of "host".
58 # This record identifies the authentication to use when connecting to a
59 # particular database via TCP/IP sockets over SSL. Note that normal
60 # "host" records are also matched - "hostssl" records can be used to
61 # require a SSL connection. This keyword is only available if the server
62 # is compiled with SSL support enabled.
68 # This record identifies the authentication to use when connecting to a
69 # particular database via a local UNIX socket.
73 # local DBNAME AUTHTYPE [AUTH_ARGUMENT]
75 # The format is the same as that of the "host" record type except that
76 # the IP_ADDRESS and ADDRESS_MASK are omitted. Local supports only
77 # AUTHTYPEs "trust", "password", "crypt", and "reject".
80 # Authentication Types (AUTHTYPE)
81 # -------------------------------
83 # AUTHTYPE is a keyword indicating the method used to authenticate the
84 # user, i.e. to determine that the user is authorized to connect under
85 # the PostgreSQL username supplied in his connection parameters.
87 # trust: No authentication is done. Trust that the user has the
88 # authority to use whatever username he specifies.
90 # password: Authentication is done by matching a password supplied
91 # in clear by the host. If AUTH_ARGUMENT is specified then
92 # the password is compared with the user's entry in that
93 # file (in the $PGDATA directory). See pg_passwd(1). If it
94 # is omitted then the password is compared with the user's
95 # entry in the pg_shadow table.
97 # crypt: Same as 'password', but authentication is done by
98 # encrypting the password sent over the network.
100 # ident: Authentication is done by the ident server on the remote
101 # host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT,
102 # if specified, is a map name to be found in the
103 # pg_ident.conf file. That table maps from ident usernames
104 # to PostgreSQL usernames. The special map name "sameuser"
105 # indicates an implied map (not found in pg_ident.conf)
106 # that maps every ident username to the identical
107 # PostgreSQL username.
109 # krb4: Kerberos V4 authentication is used.
111 # krb5: Kerberos V5 authentication is used.
113 # reject: Reject the connection.
119 # TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP
121 #host all 127.0.0.1 255.255.255.255 trust
123 # The above allows any user on the local system to connect to any
124 # database under any username.
126 #host template1 192.168.93.0 255.255.255.0 ident sameuser
128 # The above allows any user from any host with IP address 192.168.93.x to
129 # connect to database template1 as the same username that ident on that
130 # host identifies him as (typically his Unix username).
132 #host template1 192.168.12.10 255.255.255.255 crypt
134 # The above allows a user from host 192.168.12.10 to connect to
135 # database template1 if the password assigned to that user is
136 # supplied. User passwords are optionally assigned when a
139 #host all 192.168.54.1 255.255.255.255 reject
140 #host all 0.0.0.0 0.0.0.0 trust
142 # The above would allow anyone anywhere except from 192.168.54.1 to
143 # connect to any database under any username.
145 #host all 192.168.77.0 255.255.255.0 ident omicron
147 # The above would allow users from 192.168.77.x hosts to connect to any
148 # database, but if Ident says the user is "bryanh" and he requests to
149 # connect as PostgreSQL user "guest1", the connection is only allowed if
150 # there is an entry for map "omicron" in pg_ident.conf that says "bryanh"
151 # is allowed to connect as "guest1".
155 # By default, allow anything over UNIX domain sockets and localhost.
157 host all 127.0.0.1 255.255.255.255 trust