postgresql/src/backend/libpq/pg_hba.conf.sample

# 
#		  PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
# 
# 
# This file controls:
# 	o which hosts are allowed to connect
# 	o how users are authenticated on each host
# 	o databases accessible by each host
# 
# It is read on postmaster startup and when the postmaster receives a SIGHUP.
# If you edit the file on a running system, you have to SIGHUP the postmaster
# for the changes to take effect, or use "pg_ctl reload".
# 
# Each line is a new record. Records cannot span multiple lines. 
# Comments begin with # and continue to the end of the line. 
# Blank lines are ignored. A record consists of tokens separated by 
# spaces or tabs.
# 
# Each record specifies a connection type and authentication method. Most
# records also can restrict based on database name or IP address. 
#
# When reading this file, the postmaster finds the first record that
# matches the connection type, client address, and database name, and uses
# that record to perform client authentication. If no record matches, the
# connection is rejected.
#
# The first token of a record indicates the connection type. The
# remainder of the record is interpreted based on that type.
# 
# Record Types
# ============
# 
# There are three record types:
# 	o host
# 	o hostssl
# 	o local
# 
# host
# ----
# 
# This record identifies hosts that are permitted to connect via TCP/IP.
# 
# Format:
# 
#   host       DATABASE    USER      IP_ADDRESS    MASK               AUTH_TYPE
# 
# DATABASE can be:
#	o a database name
#	o "sameuser", which means a user can only access a database with the
#	  same name as their user name
#	o "samegroup", which means a user can only access databases when they
#	  are members of a group with the same name as the database name
#	o "all", which matches all databases
#	o a list of database names, separated by commas
#	o a file name containing database names, starting with '@'
#
# USER can be:
#	o a user name
#	o "all", which matches all users
#	o a list of user names, separated by commas
#	o a group name, starting with '+'
#	o a file name containing user names, starting with '@'
#
# Files read using '@' can contain comma-separated database/user names,
# or one name per line.  The files can also contain comments using '#'.
#
# IP_ADDRESS and MASK are standard dotted decimal IP address and
# mask values. IP addresses can only be specified numerically, not as
# domain or host names.
# 
# Do not prevent the superuser from accessing the template1 database.
# Various utility commands need access to template1.
# 
# AUTH_TYPE is described below.
#
# 
# hostssl
# -------
# 
# The format of this record is identical to "host".
# 
# It specifies hosts that require connection via secure SSL. "host"
# allows SSL connections too, but "hostssl" requires SSL-secured
# connections.
# 
# This keyword is only available if the server was compiled with SSL
# support.
# 
# 
# local
# -----
# 
# This record identifies the authentication for local UNIX domain socket
# connections. Without this record, UNIX-socket connections are disallowed
# 
# Format:
#   local      DATABASE    USER      AUTH_TYPE
# 
# This format is identical to the "host" record type except there are no
# IP_ADDRESS and MASK fields.
#
# 
# 
# Authentication Types (AUTH_TYPE)
# ================================
# 
# AUTH_TYPE indicates the method used to authenticate users. Each record
# has an AUTH_TYPE.
#
#   trust: 
#		No authentication is done. Any valid user name is accepted,
# 		including the PostgreSQL superuser. This option should
# 		be used only for hosts where all users are trusted.
# 
#   md5:
#	  	Requires the client to supply an MD5 encrypted password for
#		authentication.  This is the only method that allows encrypted
#		passwords to be stored in pg_shadow.
# 
#   crypt:
#	  	Same as "md5", but uses crypt for pre-7.2 clients.
#
#   password:
#		Same as "md5", but the password is sent in cleartext over
#		the network.  This should not be used on untrusted
#		networks.
# 
#   ident:
#		For TCP/IP connections, authentication is done by contacting the
#		ident server on the client host. This is only as secure as the
#		client machine. You must specify the map name after the 'ident'
#		keyword. It determines how to map remote user names to
#		PostgreSQL user names. If you use "sameuser", the user names are
#		assumed to be identical. If not, the map name is looked up
#		in the $PGDATA/pg_ident.conf file. The connection is accepted if
#		that file contains an entry for this map name with the
#		ident-supplied username and the requested PostgreSQL username.
#
#		On machines that support unix-domain socket credentials
#		(currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows
#		reliable authentication of 'local' connections without ident 
#		running on the local machine.
#
#   krb4:
#		Kerberos V4 authentication is used.  Allowed only for
#		TCP/IP connections, not for local UNIX-domain sockets.
# 
#   krb5:
#		Kerberos V5 authentication is used.  Allowed only for
#		TCP/IP connections, not for local UNIX-domain sockets.
# 
#   pam:
#		Authentication is done by PAM using the default service name
#		"postgresql". You can specify your own service name by adding
#		the service name after the 'pam' keyword. To use this option,
#		PostgreSQL must be configured --with-pam.
#
#   reject:
#	 	Reject the connection. This is used to reject certain hosts
#		that are part of a network specified later in the file.
#		To be effective, "reject" must appear before the later
#		entries.
#
# 
# 
# Examples
# ========
# 
# 
# Allow any user on the local system to connect to any database under any
# username using Unix-domain sockets (the default for local connections):
#
# TYPE       DATABASE    USER       IP_ADDRESS    MASK               AUTH_TYPE
# local      all         all                                         trust
# 
# The same using local loopback TCP/IP connections:
#
# TYPE      DATABASE     USER    IP_ADDRESS    MASK               AUTH_TYPE
# host      all          all     127.0.0.1     255.255.255.255    trust     
# 
# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that ident reports
# for the connection (typically his Unix username):
# 
# TYPE       DATABASE    USER    IP_ADDRESS    MASK               AUTH_TYPE
# host       template1   all     192.168.93.0  255.255.255.0      ident sameuser
# 
# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password is correctly supplied:
# 
# TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
# host       template1   all      192.168.12.10 255.255.255.255    md5
# 
# In the absence of preceding "host" lines, these two lines will reject
# all connection from 192.168.54.1 (since that entry will be matched
# first), but allow Kerberos V5 connections from anywhere else on the
# Internet. The zero mask means that no bits of the host IP address are
# considered so it matches any host:
# 
# 
# TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
# host       all         all      192.168.54.1  255.255.255.255    reject
# host       all         all      0.0.0.0       0.0.0.0            krb5
# 
# Allow users from 192.168.x.x hosts to connect to any database if they
# pass the ident check. For example, if ident says the user is "james" and
# he requests to connect as PostgreSQL user "guest", the connection is
# allowed if there is an entry in $PGDATA/pg_ident.conf with map name 
# "phoenix" that says "james" is allowed to connect as "guest":
# See $PGDATA/pg_ident.conf for more information on Ident maps.
# 
# TYPE       DATABASE    USER     IP_ADDRESS    MASK               AUTH_TYPE
# host       all         all      192.168.0.0    255.255.0.0       ident phoenix
#
# If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases
# with the same name as their user name) except for administrators and
# members of group 'support' who may connect to all databases . The file
# $PGDATA/admins contains a list of user names. Passwords are required in
# all cases.
#
# TYPE       DATABASE    USER      IP_ADDRESS    MASK               AUTH_TYPE
# local      sameuser    all                                        md5
# local      all         @admins                                    md5
# local      all         +support                                   md5
#
# The last two lines above can be combined into a single line:
#
# local      all         @admins,+support                           md5
#
# The database column can also use lists and file names, but not groups:
#
# local      db1,db2,@demodbs  all                                  md5
#
#
# 
#
#
# 
# Put your actual configuration here
# ==================================
# 
# The default configuration allows any local user to connect using any
# PostgreSQL username, including the superuser, over either UNIX domain
# sockets or TCP/IP.
# 
# If you want to allow non-local connections, you need to add more "host"
# records. Also, remember TCP/IP connections are only enabled if you
# start the postmaster with the -i flag, or enable "tcpip_socket" in
# $PGDATA/postgresql.conf.
# 
# CAUTION: if you are on a multiple-user machine, the default
# configuration is probably too liberal for you. Change it to use
# something other than "trust" authentication.
# 
# TYPE       DATABASE      USER      IP_ADDRESS    MASK               AUTH_TYPE

local        all           all                                        trust
host         all           all       127.0.0.1     255.255.255.255    trust