# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description.  A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access.  Records take one of seven forms:
#
# local      DATABASE  USER  METHOD  [OPTION]
# host       DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
# hostssl    DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
# hostnossl  DATABASE  USER  IP-ADDRESS  IP-MASK   METHOD  [OPTION]
# host       DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
# hostssl    DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
# hostnossl  DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
#
# (The uppercase quantities should be replaced by actual values.)
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
# DATABASE can be "all", "sameuser", "samegroup", a database name (or
# a comma-separated list thereof), or a file name prefixed with "@".
# USER can be "all", an actual user name or a group name prefixed with
# "+", an include file prefixed with "@" or a list containing either.
# IP-ADDRESS and IP-MASK specify the set of hosts the record matches.
# CIDR-MASK is an integer between 0 and 32 (IPv4) or 128 (IPv6)
# inclusive, that specifies the number of significant bits in the
# mask, so an IPv4 CIDR-MASK of 8 is equivalent to an IP-MASK of
# 255.0.0.0, and an IPv6 CIDR-MASK of 64 is equivalent to an IP-MASK
# of ffff:ffff:ffff:ffff::.  METHOD can be "trust", "reject", "md5",
# "crypt", "password", "krb5", "ident", or "pam".  Note that
# "password" uses clear-text passwords; "md5" is preferred for
# encrypted passwords.  OPTION is the ident map or the name of the PAM
# service.
#
# INCLUDE FILES:
# If you use include files for users and/or databases (see PostgreSQL
# documentation, section 19.1), these files must be placed in the
# database directory.  Usually this is /var/lib/postgres/data/, but
# that can be changed in /etc/postgresql/postmaster.conf with the
# POSTGRES_DATA variable.  Putting them in /etc/postgresql/ will NOT
# work since the configuration files are only symlinked from
# POSTGRES_DATA.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal.  If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect, or use
# "pg_ctl reload".
#
# Upstream default configuration
#
# The following configuration is the upstream default, which allows
# unrestricted access to any database by any user on the local machine.
#
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
#
#local  all       all                                trust
# IPv4-style local connections:
#host   all       all   127.0.0.1   255.255.255.255  trust
# IPv6-style local connections:
#
# Put your actual configuration here
# ----------------------------------
#
# This default configuration allows any local user to connect as himself
# without a password, either through a Unix socket or through TCP/IP; users
# on other machines are denied access.
#
# If you want to allow non-local connections, you need to add more
# "host" records before the final line that rejects all TCP/IP connections.
# Also, remember TCP/IP connections are only enabled if you enable
# "tcpip_socket" in /etc/postgresql/postgresql.conf.
#
# DO NOT DISABLE!
# If you change this first entry you will need to make sure the postgres user
# can access the database using some other method.  The postgres user needs
# non-interactive access to all databases during automatic maintenance
# (see the vacuum command and the /usr/lib/postgresql/bin/do.maintenance
# script).
#
# Note: the records below use "trust", so any local user can connect under
# any PostgreSQL user name, including postgres, without a password.
#
# TYPE  DATABASE  USER      IP-ADDRESS  IP-MASK          METHOD
# Database administrative login by UNIX sockets
local   all       postgres                               trust
#
# All other connections by UNIX sockets
local   all       all                                    trust
#
# All IPv4 connections from localhost
host    all       all       127.0.0.1   255.255.255.255  trust
#
# All IPv6 localhost connections
#host   all       all       ::1         ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  trust
#host   all       all       ::ffff:127.0.0.1/128         trust
#
# reject all other connection attempts
host    all       all       0.0.0.0     0.0.0.0          reject
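
The record matching this file describes, as an added example that is not part of the original file: a small Python audit that parses the record forms listed in the header, converts IP-MASK to CIDR bits, and reports which record a given connection hits first (PostgreSQL uses the first matching record and does not fall through). The function names are hypothetical; `samegroup`, `+group` and `@file` entries are not expanded, and masks are assumed contiguous.

```python
import ipaddress

# Constructed sample: the four active records from the file above.
SAMPLE = """\
local all postgres trust
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all 0.0.0.0 0.0.0.0 reject
"""

def parse_hba(text):
    """Parse records written in the seven forms the file header lists."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        rec = {"line": lineno, "type": f[0], "db": f[1], "user": f[2], "net": None}
        rest = f[3:]
        if rec["type"] != "local":
            if "/" in rest[0]:            # IP-ADDRESS/CIDR-MASK form
                net, rest = rest[0], rest[1:]
            else:                         # IP-ADDRESS IP-MASK form: count mask bits
                bits = bin(int(ipaddress.ip_address(rest[1]))).count("1")
                net, rest = f"{rest[0]}/{bits}", rest[2:]
            rec["net"] = ipaddress.ip_network(net, strict=False)
        rec["method"], rec["option"] = rest[0], " ".join(rest[1:])
        records.append(rec)
    return records

def _name_ok(field, name, same):
    # Handles "all", "sameuser" and comma lists; "+group"/"@file" are not expanded.
    return any(v == "all" or v == name or (v == "sameuser" and name == same)
               for v in field.split(","))

def first_match(records, conn, db, user, addr=None):
    """conn is 'local', 'hostssl' or 'hostnossl'; the first matching record wins."""
    for r in records:
        if r["type"] != conn and not (r["type"] == "host" and conn != "local"):
            continue
        if r["net"] is not None and ipaddress.ip_address(addr) not in r["net"]:
            continue
        if _name_ok(r["db"], db, user) and _name_ok(r["user"], user, None):
            return r
    return None   # no record matched: the server refuses the connection

def risky(records):
    """Lines using 'trust' (no authentication) or 'password' (clear text)."""
    return [r["line"] for r in records if r["method"] in ("trust", "password")]
```

Run against the sample, `first_match(parse_hba(SAMPLE), "local", "appdb", "postgres")` returns the first record with method `trust`, and `risky` lists lines 1 to 3 as the records to review.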