-#
-# Example PostgreSQL host access control file.
-#
-#
-# This file controls what hosts are allowed to connect to what databases
-# and specifies some options on how users on a particular host are identified.
-# It is read each time a host tries to make a connection to a database.
-#
-# Each line (terminated by a newline character) is a record. A record cannot
-# be continued across two lines.
-#
-# There are 3 kinds of records:
-#
-# 1) comment: Starts with #.
-#
-# 2) empty: Contains nothing excepting spaces and tabs.
-#
-# 3) content: anything else.
-#
-# Unless specified otherwise, "record" from here on means a content
-# record.
-#
-# A record consists of tokens separated by spaces or tabs. Spaces and
-# tabs at the beginning and end of a record are ignored as are extra
-# spaces and tabs between two tokens.
-#
-# The first token in a record is the record type. The interpretation of the
-# rest of the record depends on the record type.
-#
-# Record type "host"
-# ------------------
-#
-# This record identifies a set of network hosts that are permitted to connect
-# to databases. No network hosts are permitted to connect except as specified
-# by a "host" record. See the record type "local" to specify permitted
-# connections using UNIX sockets.
-#
-# Format:
-#
-# host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
-#
-# DBNAME is the name of a PostgreSQL database, or "all" to indicate all
-# databases.
-#
-# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
-# mask to identify a set of hosts. These hosts are allowed to connect to
-# Database DBNAME.
-#
-# USERAUTH is a keyword indicating the method used to authenticate the
-# user, i.e. to determine that the principal is authorized to connect
-# under the PostgreSQL username he supplies in his connection parameters.
-#
-# ident: Authentication is done by the ident server on the remote
-# host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, if
-# specified, is a map name to be found in the pg_ident.conf file.
-# That table maps from ident usernames to PostgreSQL usernames. The
-# special map name "sameuser" indicates an implied map (not found
-# in pg_ident.conf) that maps every ident username to the identical
-# PostgreSQL username.
-#
-# trust: No authentication is done. Trust that the user has the
-# authority to use whatever username he specifies. Before
-# PostgreSQL version 6, all authentication was done this way.
-#
-# reject: Reject the connection.
-#
-# password: Authentication is done by matching a password supplied in clear
-# by the host. If AUTH_ARGUMENT is specified then the password
-# is compared with the user's entry in that file (in the $PGDATA
-# directory). See pg_passwd(1). If it is omitted then the
-# password is compared with the user's entry in the pg_shadow
-# table.
-#
-# crypt: Authentication is done by matching an encrypted password supplied
-# by the host with that held for the user in the pg_shadow table.
-#
-# krb4: Kerberos V4 authentication is used.
-#
-# krb5: Kerberos V5 authentication is used.
-
-# Record type "local"
-# ------------------
-#
-# This record identifies the authentication to use when connecting to a
-# particular database via a local UNIX socket.
-#
-# Format:
-#
-# local DBNAME USERAUTH [AUTH_ARGUMENT]
-#
-# The format is the same as that of the "host" record type except that the
-# IP_ADDRESS and ADDRESS_MASK are omitted and the "ident", "krb4" and "krb5"
-# values of USERAUTH are not allowed.
-
-# For backwards compatibility, PostgreSQL also accepts pre-version 6 records,
-# which look like:
-#
-# all 127.0.0.1 0.0.0.0
-
-# TYPE DATABASE IP_ADDRESS MASK USERAUTH MAP
-
-#host all 127.0.0.1 255.255.255.255 trust
-
-# The above allows any user on the local system to connect to any database
-# under any username.
-
-#host template1 192.168.0.0 255.255.255.0 ident sameuser
-
-# The above allows any user from any host with IP address 192.168.0.x to
-# connect to database template1 as the same username that ident on that host
-# identifies him as (typically his Unix username).
-
-#host all 192.168.0.1 255.255.255.255 reject
-#host all 0.0.0.0 0.0.0.0 trust
-
-# The above would allow anyone anywhere except from 192.168.0.1 to connect to
-# any database under any username.
-
-#host all 192.168.0.0 255.255.255.0 ident omicron
-#
-# The above would allow users from 192.168.0.x hosts to connect to any
-# database, but if Ident says the user is "bryanh" and he requests to
-# connect as PostgreSQL user "guest1", the connection is only allowed if
-# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is
-# allowed to connect as "guest1".
-
-# By default, allow anything over UNIX domain sockets and localhost.
-
-local all trust
-host all 127.0.0.1 255.255.255.255 trust
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access. Records take one of seven forms:
+#
+# local DATABASE USER METHOD [OPTION]
+# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# hostnossl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
+# host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+# hostssl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+# hostnossl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION]
+#
+# (The uppercase quantities should be replaced by actual values.)
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+# DATABASE can be "all", "sameuser", "samegroup", a database name (or
+# a comma-separated list thereof), or a file name prefixed with "@".
+# USER can be "all", an actual user name or a group name prefixed with
+# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the
+# set of hosts the record matches. CIDR-MASK is an integer between 0
+# and 32 (IPv6) or 128(IPv6) inclusive, that specifies the number of
+# significant bits in the mask, so an IPv4 CIDR-MASK of 8 is equivalent
+# to an IP-MASK of 255.0.0.0, and an IPv6 CIDR-MASK of 64 is equivalent
+# to an IP-MASK of ffff:ffff:ffff:ffff::. METHOD can be "trust", "reject",
+# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note
+# that "password" uses clear-text passwords; "md5" is preferred for
+# encrypted passwords. OPTION is the ident map or the name of the PAM
+# service.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters can be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samegroup" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect, or use
+# "pg_ctl reload".
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. Also, remember TCP/IP connections are only enabled
+# if you enable "tcpip_socket" in postgresql.conf.
+
+@authcomment@
+
+# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
+
+local all all @authmethod@
+# IPv4-style local connections:
+host all all 127.0.0.1 255.255.255.255 @authmethod@
+# IPv6-style local connections:
+host all all ::1/128 @authmethod@
projects / postgresql / blobdiff