# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE

# o which hosts are allowed to connect
# o how users are authenticated on each host
# o databases accessible by each host

# It is read on postmaster startup and when the postmaster receives a SIGHUP.
# If you edit the file on a running system, you have to SIGHUP the postmaster
# for the changes to take effect.

# Each line is a new record. Records cannot be continued across multiple
# lines. Comments begin with # and continue to the end of the line.
# Blank lines are ignored. A record consists of tokens separated by
# multiple spaces or tabs.

# The first token of a record indicates its type. The remainder of the
# record is interpreted based on its type.

# There are three types of records:

# This record identifies the networked hosts that are permitted to connect

# host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]

# o the name of a PostgreSQL database
# o "all" to indicate all databases
# o "sameuser" to allow access only to databases with the same
# name as the connecting user

# IP_ADDRESS and ADDRESS_MASK are standard dotted decimal IP address and
# mask values. IP addresses can only be specified numerically, not as
# domain or host names.

# AUTH_TYPE and AUTH_ARGUMENT are described below.

# There can be multiple "host" records, possibly with overlapping sets of
# host addresses. The postmaster finds the first entry that matches the
# connecting host IP address and the requested database name. If no entry
# matches the database/hostname combination, the connection is rejected.

# The format of this record is identical to "host".

# This record identifies a set of network hosts that are permitted to
# connect to databases over secure SSL IP connections. Note that a "host"
# record will also allow SSL connections. "hostssl" forces these
# hosts to use *only* SSL-secured connections.

# This keyword is only available if the server was compiled with SSL

# This record identifies the authentication to use when connecting to
# the server via a local UNIX domain socket. UNIX-socket connections are
# allowed only if this record type appears.

# local DBNAME AUTH_TYPE [AUTH_ARGUMENT]

# This format is identical to the "host" record type except the IP_ADDRESS
# and ADDRESS_MASK fields are omitted.

# As with "host" records, the first "local" record matching the requested
# database name is used.

# Authentication Types (AUTH_TYPE)
# ================================

# AUTH_TYPE indicates the method used to authenticate users. The username
# is specified in the connection request. A different AUTH_TYPE can be
# specified for each record in the file.

# trust: No authentication is done. Any valid username is accepted,
# including the PostgreSQL superuser. This option should
# be used only for machines where all users are trusted.

# password: Authentication is done by matching a password supplied
# in clear by the host. If no AUTH_ARGUMENT is used, the
# password is compared with the user's entry in the

# If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username
# exists but there is no password, the password is looked
# up in pg_shadow. If a password exists in the file, it is
# used instead. These secondary files allow fine-grained
# control over who can access which databases and whether
# non-default passwords are required. The same file can be
# used in multiple records for easier administration.
# Password files can be maintained with the pg_passwd(1)
# utility. Remember, these passwords override pg_shadow

# md5: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is
# always preferable to "password" except for old clients
# that don't support it. Also, md5 can use usernames stored
# in secondary password files but not secondary passwords.

# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You
# cannot store encrypted passwords if you use this option.

# ident: For TCP/IP connections, authentication is done by contacting
# the ident server on the client host. (CAUTION: this is only
# as secure as the client machine!) On machines that support
# SO_PEERCRED socket requests, this method also works for
# local Unix-domain connections. AUTH_ARGUMENT is required:
# it determines how to map remote user names to Postgres user
# names. The AUTH_ARGUMENT is a map name found in the
# $PGDATA/pg_ident.conf file. The connection is accepted if
# that file contains an entry for this map name with the
# ident-supplied username and the requested Postgres username.
# The special map name "sameuser" indicates an implied map
# (not in pg_ident.conf) that maps each ident username to the
# identical PostgreSQL username.

# krb4: Kerberos V4 authentication is used. Allowed only for
# TCP/IP connections, not for local UNIX-domain sockets.

# krb5: Kerberos V5 authentication is used. Allowed only for
# TCP/IP connections, not for local UNIX-domain sockets.

# reject: Reject the connection. This is used to reject certain hosts
# that are part of a network specified later in the file.
# To be effective, "reject" must appear before the later

# Allow any user on the local system to connect to any database under any
# username using Unix-domain sockets (the default for local connections):
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT

# The same using IP connections on the same machine:
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host all 127.0.0.1 255.255.255.255 trust

# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that ident reports
# for the connection (typically his Unix username):

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.93.0 255.255.255.0 ident sameuser

# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host template1 192.168.12.10 255.255.255.255 md5

# In the absence of preceding "host" lines, these two lines will reject
# all connections from 192.168.54.1 (since that entry will be matched
# first), but allow Kerberos V5-validated connections from anywhere else
# on the Internet. The zero mask means that no bits of the host IP address
# are considered, so it matches any host:

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host all 192.168.54.1 255.255.255.255 reject
# host all 0.0.0.0 0.0.0.0 krb5

# Allow users from 192.168.x.x hosts to connect to any database if they
# pass the ident check. For example, if ident says the user is "james" and
# he requests to connect as PostgreSQL user "guest", the connection is
# allowed if there is an entry in $PGDATA/pg_ident.conf with map name
# "phoenix" that says "james" is allowed to connect as "guest":

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
# host all 192.168.0.0 255.255.0.0 ident phoenix

# See $PGDATA/pg_ident.conf for more information on Ident maps.
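
# Added example (not part of PostgreSQL or of this file): a small Python
# evaluator for records in the layout described above. It shows the
# first-match rule from the "host" section and why, in the examples just
# listed, the "reject" line must precede the 0.0.0.0 catch-all. The sample
# records, function names and client addresses are constructed for this
# illustration.

```python
import ipaddress

# Constructed sample in the old "IP_ADDRESS MASK" layout, assembled from the
# examples above for illustration; it is not a file shipped with PostgreSQL.
SAMPLE_HBA = """
# TYPE  DATABASE   IP_ADDRESS     MASK             AUTH_TYPE  AUTH_ARGUMENT
local   all                                         trust
host    all        127.0.0.1      255.255.255.255  trust
host    template1  192.168.12.10  255.255.255.255  md5
host    sameuser   10.0.0.0       255.0.0.0        md5
host    all        192.168.54.1   255.255.255.255  reject
host    all        0.0.0.0        0.0.0.0          krb5
"""

def parse_hba(text):
    """One record per line; '#' starts a comment, blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # tokens separated by spaces or tabs
        if not tok:
            continue
        if tok[0] == "local":
            records.append({"type": "local", "db": tok[1], "auth": tok[2], "arg": tok[3:]})
        elif tok[0] in ("host", "hostssl"):
            # Dotted-decimal address and mask; strict=False tolerates host bits.
            net = ipaddress.IPv4Network((tok[2], tok[3]), strict=False)
            records.append({"type": tok[0], "db": tok[1], "net": net, "auth": tok[4], "arg": tok[5:]})
        else:
            raise ValueError(f"unknown record type {tok[0]!r}")
    return records

def db_matches(pattern, db, user):
    """DBNAME is a database name, 'all', or 'sameuser' (database named like the user)."""
    return pattern == "all" or (pattern == "sameuser" and db == user) or pattern == db

def decide(records, db, user, client_ip=None, ssl=False):
    """Return the AUTH_TYPE of the first matching record; no match means reject."""
    for r in records:
        if not db_matches(r["db"], db, user):
            continue
        if client_ip is None:                   # Unix-domain socket connection
            if r["type"] == "local":
                return r["auth"]
        elif r["type"] != "local":
            if r["type"] == "hostssl" and not ssl:
                continue                        # hostssl records only match SSL connections
            if ipaddress.IPv4Address(client_ip) in r["net"]:
                return r["auth"]
    return "reject"
```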

# Put your actual configuration here
# ==================================

# This default configuration allows any local user to connect with any
# PostgreSQL username, over either UNIX domain sockets or IP:

# If you want to allow non-local connections, you will need to add more
# "host" records. Also, remember IP connections are only enabled if you
# start the postmaster with the -i option.

# CAUTION: if you are on a multiple-user machine, the default
# configuration is probably too liberal for you. Change it to use
# something other than "trust" authentication.

# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT

host all 127.0.0.1 255.255.255.255 trust