pg_hba.conf(5)
NAME
$PGDATA/pg_hba.conf
DESCRIPTION
"Host-based access control" is the name for the basic con-
trols PostgreSQL exercises on what clients are allowed to
access a database and how the users on those clients must
authenticate themselves.
Each database system contains a file named "pg_hba.conf",
in its $PGDATA directory, that controls who can connect to
each database.
Every client that wants to access to a database must be
covered by one of the entries in pg_hba.conf. Otherwise
all attempted connections from that client will be
rejected with a "User authentication failed" error mes-
sage.
The general format of the pg_hba.conf file is of a set of
records, one per line. Blank lines and lines beginning
with '#' are ignored. A record is made up of a number of
fields which are separated by spaces and/or tabs.
Connections from clients can be made using UNIX domain
sockets or Internet domain sockets (ie. TCP/IP). Connec-
tions made using UNIX domain sockets are controlled using
records of the following format.
local <database> <authentication method>
<database> specifies the database that this record applies
to. The value all specifies that it applies to all
databases. <authentication method> specifies the method a
user must use to authenticate themselves when connecting
to that database using UNIX domain sockets. The different
methods are described below.
Connections made using Internet domain sockets are con-
trolled using records of the following format.
host <database> <TCP/IP address> <TCP/IP mask> <authenti-
cation method>
The <TCP/IP mask> is logically anded to both the specified
<TCP/IP address> and the TCP/IP address of the connecting
client. If the two values that result are equal then the
record is used for this connection. If a connection
matches more than one record then the earliest one in the
file is used. Both the <TCP/IP address> and the <TCP/IP
mask> are specified in dotted decimal notation.
If a connection fails to match any record then the reject
authentication method is applied (see below).
AUTHENTICATION METHODS
The following authentication methods are supported for
both UNIX and TCP/IP domain sockets.
trust - the connection is allowed unconditionally.
reject - the connection is rejected unconditionally.
crypt - the client is asked for a password for the user.
This is sent encrypted (using crypt(3)) and compared
against the password held in the pg_shadow table. If the
passwords match, the connection is allowed.
password - the client is asked for a password for the
user. This is sent in clear and compared against the
password held in the pg_shadow table. If the passwords
match, the connection is allowed. An optional password
file may be specified after the password keyword which is
used to match the supplied password rather than the
pg_shadow table. See pg_passwd(1).
The following authentication methods are supported for
TCP/IP domain sockets only.
krb4 - Kerberos V4 is used to authenticate the user.
krb5 - Kerberos V5 is used to authenticate the user.
ident - the ident server on the client is used to authen-
ticate the user (RFC 1413). An optional map name may be
specified after the ident keyword which allows ident user
names to be mapped onto PostgreSQL user names. Maps are
held in the file $PGDATA/pg_ident.conf.
EXAMPLES
# Trust any connection via UNIX domain sockets.
local trust
# Trust any connection via TCP/IP from this machine.
host all 127.0.0.1 255.255.255.255 trust
# We don't like this machine.
host all 192.168.0.10 255.255.255.0 reject
# This machine can't encrypt so we ask for passwords in
clear.
host all 192.168.0.3 255.255.255.0 password
# The rest of this group of machines should provide
encrypted passwords.
host all 192.168.0.0 255.255.255.0 crypt
SEE ALSO
pgintro(1).