1996-10-12 09:47:12 +02:00
#
# Example Postgres95 host access control file.
#
#
# This file controls what hosts are allowed to connect to what databases
# and specifies some options on how users on a particular host are identified.
# It is read each time a host tries to make a connection to a database.
#
# Each line (terminated by a newline character) is a record. A record cannot
# be continued across two lines.
#
# There are 3 kinds of records:
#
# 1) comment: Starts with #.
#
# 2) empty: Contains nothing except spaces and tabs.
#
# 3) content: anything else.
#
# Unless specified otherwise, "record" from here on means a content
# record.
#
# A record consists of tokens separated by spaces or tabs. Spaces and
# tabs at the beginning and end of a record are ignored, as are extra
# spaces and tabs between two tokens.
#
# The first token in a record is the record type. The interpretation of the
# rest of the record depends on the record type.
#
# Records are consulted in the order they appear in this file: the first
# record whose DBNAME and address set cover a connection attempt decides how
# that connection is authenticated, so put more specific records (for
# example a "reject") before more general ones.
#
# Record type "host"
# ------------------
#
# This record identifies a set of network hosts that are permitted to connect
# to databases. No network hosts are permitted to connect except as specified
# by a "host" record. See the record type "local" to specify permitted
# connections using UNIX sockets.
#
# Format:
#
# host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [AUTH_ARGUMENT]
#
# DBNAME is the name of a Postgres database, or "all" to indicate all
# databases.
#
# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
# mask that together identify a set of hosts: a connecting host matches when
# its address agrees with IP_ADDRESS in every bit that is set in
# ADDRESS_MASK. A mask of 255.255.255.255 therefore names a single host and a
# mask of 0.0.0.0 matches every host. The matching hosts are allowed to
# connect to database DBNAME.
#
# USERAUTH is a keyword indicating the method used to authenticate the
# user, i.e. to determine that the principal is authorized to connect
# under the Postgres username he supplies in his connection parameters.
#
# ident:    Authentication is done by the ident server on the remote
#           host, via the ident (RFC 1413) protocol. AUTH_ARGUMENT, if
#           specified, is a map name to be found in the pg_ident.conf file.
#           That table maps from ident usernames to Postgres usernames. The
#           special map name "sameuser" indicates an implied map (not found
#           in pg_ident.conf) that maps every ident username to the identical
#           Postgres username. Note that the answer comes from the remote
#           host's own ident server, so it is only as trustworthy as the
#           administrator of that host.
#
# trust:    No authentication is done. Trust that the user has the
#           authority to use whatever username he says he does. Any user who
#           can connect from a matching host can therefore act as any
#           Postgres user. Before Postgres Version 6, all authentication was
#           this way.
#
# reject:   Reject the connection.
#
# password: Authentication is done by matching a password supplied in clear
#           text by the connecting host (it crosses the network unencrypted).
#           If AUTH_ARGUMENT is specified then the password is compared with
#           the user's entry in that file (in the $PGDATA directory). See
#           pg_passwd(1). If it is omitted then the password is compared
#           with the user's entry in the pg_user table.
#
# crypt:    Authentication is done by matching an encrypted password supplied
#           by the host with that held for the user in the pg_user table.
#
# krb4:     Kerberos V4 authentication is used.
#
# krb5:     Kerberos V5 authentication is used.
#
# Record type "local"
# -------------------
#
# This record identifies the authentication to use when connecting to a
# particular database via a local UNIX socket.
#
# Format:
#
# local DBNAME USERAUTH [AUTH_ARGUMENT]
#
# The format is the same as that of the "host" record type except that the
# IP_ADDRESS and ADDRESS_MASK are omitted and the "ident", "krb4" and "krb5"
# values of USERAUTH are not allowed.

# For backwards compatibility, PostgreSQL also accepts pre-Version 6 records,
# which look like:
#
# all 127.0.0.1 0.0.0.0
#
# TYPE     DATABASE    IP_ADDRESS    MASK                USERAUTH   MAP
#
#host      all         127.0.0.1     255.255.255.255     trust
#
# The above allows any user on the local system to connect to any database
# under any username.
#
#host      template1   192.168.0.0   255.255.255.0       ident      sameuser
#
# The above allows any user from any host with IP address 192.168.0.x to
# connect to database template1 as the same username that ident on that host
# identifies him as (typically his Unix username).
#
#host      all         192.168.0.1   255.255.255.255     reject
#host      all         0.0.0.0       0.0.0.0             trust
#
# The above would allow anyone anywhere except from 192.168.0.1 to connect to
# any database under any username. The "reject" record only has this effect
# because it comes before the "trust" record; reversed, the trust record would
# match first and 192.168.0.1 would be let in too. A "trust" record with mask
# 0.0.0.0 is shown here only to illustrate ordering and should not appear in
# a production file.
#
#host      all         192.168.0.0   255.255.255.0       ident      omicron
#
# The above would allow users from 192.168.0.x hosts to connect to any
# database, but if e.g. Ident says the user is "bryanh" and he requests to
# connect as Postgres user "guest1", the connection is only allowed if
# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is
# allowed to connect as "guest1".
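#
# The following Python program is an added worked example; it is not part of
# this sample file or of PostgreSQL itself. It parses records in the format
# described above (comment, empty and content records; "host" and "local"
# types; dotted-decimal address and mask), picks the first matching record
# for a connection attempt, and applies the ident, trust, reject and password
# methods to a constructed set of records. The constructed records, the
# stand-in for a parsed pg_ident.conf "omicron" map, the stand-in pg_user
# table, the refusal of pre-Version 6 records and the denial of an ident
# record that names no map are all assumptions of this example; crypt, krb4,
# krb5 and the AUTH_ARGUMENT password file are left unhandled.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample pg_hba.conf mirroring the records discussed above
# (example data, not the project's shipped file).
SAMPLE_HBA = """\
# comment record
  \t
host    all        192.168.0.1  255.255.255.255  reject
host    all        192.168.0.0  255.255.255.0    ident     omicron
host    template1  0.0.0.0      0.0.0.0          password
host    all        0.0.0.0      0.0.0.0          trust
local   all        trust
"""

# Constructed stand-in for a parsed pg_ident.conf: map name -> allowed
# (ident username, Postgres username) pairs, i.e. the "omicron" map above.
SAMPLE_IDENT_MAPS = {"omicron": {("bryanh", "guest1"), ("bryanh", "bryanh")}}

# Constructed stand-in for the pg_user table: Postgres username -> password.
SAMPLE_PG_USER = {"alice": "s3cret"}


@dataclass
class Record:
    kind: str           # "host" or "local"
    db: str             # DBNAME, or "all"
    auth: str           # USERAUTH keyword
    arg: str = ""       # AUTH_ARGUMENT (ident map name or password file), if any
    addr: int = 0       # IP_ADDRESS as a 32-bit integer (host records only)
    mask: int = 0       # ADDRESS_MASK as a 32-bit integer (host records only)


def parse_hba(text):
    """Return the content records; comment and empty records are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()   # drops leading, trailing and repeated blanks
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "host" and len(tokens) in (5, 6):
            db, ip, mask, auth = tokens[1:5]
            arg = tokens[5] if len(tokens) == 6 else ""
            records.append(Record("host", db, auth, arg,
                                  int(ipaddress.IPv4Address(ip)),
                                  int(ipaddress.IPv4Address(mask))))
        elif tokens[0] == "local" and len(tokens) in (3, 4):
            db, auth = tokens[1:3]
            if auth in ("ident", "krb4", "krb5"):
                raise ValueError(f"line {lineno}: {auth} not allowed in a local record")
            records.append(Record("local", db, auth, tokens[3] if len(tokens) == 4 else ""))
        else:  # pre-Version 6 records and malformed lines are refused, not guessed at
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
    return records


def first_match(records, db, client_ip=None):
    """First record covering the connection, in file order (client_ip None = UNIX socket)."""
    client = None if client_ip is None else int(ipaddress.IPv4Address(client_ip))
    for r in records:
        if r.db not in ("all", db):
            continue
        if client is None and r.kind == "local":
            return r
        # A host matches when its address agrees with IP_ADDRESS on every bit set in the mask.
        if client is not None and r.kind == "host" and (client & r.mask) == (r.addr & r.mask):
            return r
    return None


def decide(records, ident_maps, pg_user_table, db, pg_user,
           client_ip=None, ident_user=None, password=None):
    """Return (allowed, reason) for one connection attempt."""
    r = first_match(records, db, client_ip)
    if r is None:
        return False, "no record covers this connection"
    if r.auth == "reject":
        return False, "reject"
    if r.auth == "trust":
        return True, "trust: username taken on faith"
    if r.auth == "ident":
        if ident_user is None or not r.arg:
            # No ident answer, or no map name on the record: deny (this example's choice).
            return False, "ident: no ident answer or no map name"
        if r.arg == "sameuser":
            ok = ident_user == pg_user
        else:
            ok = (ident_user, pg_user) in ident_maps.get(r.arg, set())
        return ok, f"ident: map {r.arg}"
    if r.auth == "password":
        stored = pg_user_table.get(pg_user)
        ok = (stored is not None and password is not None
              and hmac.compare_digest(stored.encode(), password.encode()))
        return ok, "password: clear-text password compared with pg_user"
    return False, f"{r.auth}: not implemented in this example"
```

# Calling decide(parse_hba(SAMPLE_HBA), SAMPLE_IDENT_MAPS, SAMPLE_PG_USER,
# "template1", "guest1", client_ip="192.168.0.1") returns (False, "reject")
# even though the later 0.0.0.0 record would trust that host, which is the
# ordering point the reject/trust example above makes; the same call from
# 192.168.0.7 with ident_user="bryanh" is allowed only because the "omicron"
# map pairs "bryanh" with "guest1".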

# By default, allow anything over UNIX domain sockets and localhost. Both
# records use "trust", so every account on this machine can connect as any
# Postgres user; on a multi-user host, change "trust" to "password" or
# "crypt" (the "local" record cannot use ident) before relying on this file.

local        all                                           trust
host         all         127.0.0.1     255.255.255.255     trust