# # # PostgreSQL HOST ACCESS CONTROL FILE # # # This file controls what hosts are allowed to connect to what databases # and specifies some options on how users on a particular host are # identified. It is read each time a host tries to make a connection to a # database. # # Each line (terminated by a newline character) is a record. A record # cannot be continued across two lines. # # There are 3 kinds of records: # # 1) comment: Starts with #. # # 2) empty: Contains nothing excepting spaces and tabs. # # 3) record: anything else. # # Only record lines are significant. # # A record consists of tokens separated by spaces or tabs. Spaces and # tabs at the beginning and end of a record are ignored as are extra # spaces and tabs between two tokens. # # The first token in a record is the record type. The interpretation of # the rest of the record depends on the record type. # Record type "host" # ------------------ # # This record identifies a set of network hosts that are permitted to # connect to databases. No network hosts are permitted to connect except # as specified by a "host" record. See the record type "local" to specify # permitted connections for local users via UNIX domain sockets. # # Format: # # host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE [AUTH_ARGUMENT] # # DBNAME is the name of a PostgreSQL database, "all" to indicate all # databases, or "sameuser" to restrict a user's access to a database with # the same user name. # # IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address # and mask to identify a set of hosts. These hosts are allowed to connect # to Database DBNAME. There is a separate section about AUTHTYPE below. # Record type "hostssl" # --------------------- # # The format of this record is identical to that of "host". # # This record identifies the authentication to use when connecting to a # particular database via TCP/IP sockets over SSL. Note that normal # "host" records are also matched - "hostssl" records can be used to # require a SSL connection. This keyword is only available if the server # is compiled with SSL support enabled. # Record type "local" # ------------------ # # This record identifies the authentication to use when connecting to a # particular database via a local UNIX socket. # # Format: # # local DBNAME AUTHTYPE [AUTH_ARGUMENT] # # The format is the same as that of the "host" record type except that # the IP_ADDRESS and ADDRESS_MASK are omitted. Local supports only # AUTHTYPEs "trust", "password", "crypt", and "reject". # Authentication Types (AUTHTYPE) # ------------------------------- # # AUTHTYPE is a keyword indicating the method used to authenticate the # user, i.e. to determine that the user is authorized to connect under # the PostgreSQL username supplied in his connection parameters. # # trust: No authentication is done. Trust that the user has the # authority to use whatever username he specifies. # # password: Authentication is done by matching a password supplied # in clear by the host. If AUTH_ARGUMENT is specified then # the password is compared with the user's entry in that # file (in the $PGDATA directory). See pg_passwd(1). If it # is omitted then the password is compared with the user's # entry in the pg_shadow table. # # crypt: Same as 'password', but authentication is done by # encrypting the password sent over the network. # # ident: Authentication is done by the ident server on the remote # host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, # if specified, is a map name to be found in the # pg_ident.conf file. That table maps from ident usernames # to PostgreSQL usernames. The special map name "sameuser" # indicates an implied map (not found in pg_ident.conf) # that maps every ident username to the identical # PostgreSQL username. # # krb4: Kerberos V4 authentication is used. # # krb5: Kerberos V5 authentication is used. # # reject: Reject the connection. # Examples # -------- # # TYPE DATABASE IP_ADDRESS MASK AUTHTYPE MAP # #host all 127.0.0.1 255.255.255.255 trust # # The above allows any user on the local system to connect to any # database under any username. # #host template1 192.168.93.0 255.255.255.0 ident sameuser # # The above allows any user from any host with IP address 192.168.93.x to # connect to database template1 as the same username that ident on that # host identifies him as (typically his Unix username). # #host template1 192.168.12.10 255.255.255.255 crypt # # The above allows a user from host 192.168.12.10 to connect to # database template1 if the user's password in pg_shadow is # supplied. User passwords are optionally assigned when a # user is created. # #host all 192.168.54.1 255.255.255.255 reject #host all 0.0.0.0 0.0.0.0 trust # # The above would allow anyone anywhere except from 192.168.54.1 to # connect to any database under any username. # #host all 192.168.77.0 255.255.255.0 ident omicron # # The above would allow users from 192.168.77.x hosts to connect to any # database, but if Ident says the user is "bryanh" and he requests to # connect as PostgreSQL user "guest1", the connection is only allowed if # there is an entry for map "omicron" in pg_ident.conf that says "bryanh" # is allowed to connect as "guest1". # # By default, allow anything over UNIX domain sockets and localhost. local all trust host all 127.0.0.1 255.255.255.255 trust