-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.11 2001/05/12 22:51:34 petere Exp $ -->
+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.12 2001/07/11 20:32:10 momjian Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
of the connecting user. <productname>Postgres</productname>
then verifies whether the so identified operating system user
is allowed to connect as the database user that is requested.
- This is only available for TCP/IP connections.
+ This is only available for TCP/IP connections. It can be used
+ on the local machine by specifying the localhost address 127.0.0.1.
+ </para>
+ <para>
The <replaceable>authentication option</replaceable> following
the <literal>ident</> keyword specifies the name of an
<firstterm>ident map</firstterm> that specifies which operating
<attribution>RFC 1413</attribution>
<para>
The Identification Protocol is not intended as an authorization
- or access control protocol.
+ or access control protocol. You must trust the machine running the
+ ident server.
</para>
</blockquote>
</para>
#
-# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
+# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
#
#
# This file controls:
# be use only for machines where all users are truested.
#
# password: Authentication is done by matching a password supplied
-# in clear by the host. If no AUTH_ARGUMENT is used, the
-# password is compared with the user's entry in the
-# pg_shadow table.
+# in clear by the host. If no AUTH_ARGUMENT is used, the
+# password is compared with the user's entry in the
+# pg_shadow table.
#
# If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username
# passwords.
#
# crypt: Same as "password", but authentication is done by
-# encrypting the password sent over the network. This is
-# always preferable to "password" except for old clients
-# that don't support "crypt". Also, crypt can use
-# usernames stored in secondary password files but not
-# secondary passwords.
-#
-# ident: Authentication is done by the ident server on the local
-# or remote host. AUTH_ARGUMENT is required and maps names
-# found in the $PGDATA/pg_ident.conf file. The connection
-# is accepted if the file contains an entry for this map
-# name with the ident-supplied username and the requested
-# PostgreSQL username. The special map name "sameuser"
-# indicates an implied map (not in pg_ident.conf) that
-# maps each ident username to the identical PostgreSQL
+# encrypting the password sent over the network. This is
+# always preferable to "password" except for old clients
+# that don't support "crypt". Also, crypt can use
+# usernames stored in secondary password files but not
+# secondary passwords.
+#
+# ident: Authentication is done by the ident server on the local
+# (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
+# maps names found in the $PGDATA/pg_ident.conf file. The
+# connection is accepted if the file contains an entry for
+# this map name with the ident-supplied username and the
+# requested PostgreSQL username. The special map name
+# "sameuser" indicates an implied map (not in pg_ident.conf)
+# that maps each ident username to the identical PostgreSQL
# username.
#
-# krb4: Kerberos V4 authentication is used.
+# krb4: Kerberos V4 authentication is used.
#
-# krb5: Kerberos V5 authentication is used.
+# krb5: Kerberos V5 authentication is used.
#
# reject: Reject the connection. This is used to reject certain hosts
-# that are part of a network specified later in the file.
-# To be effective, "reject" must appear before the later
-# entries.
+# that are part of a network specified later in the file.
+# To be effective, "reject" must appear before the later
+# entries.
#
# Local UNIX-domain socket connections support only the AUTH_TYPEs of
# "trust", "password", "crypt", and "reject".
projects / postgresql / commitdiff