# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description.  A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access.  Records take one of seven forms:
#
# local      DATABASE  USER  METHOD  [OPTION]
# host       DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTION]
# hostssl    DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTION]
# hostnossl  DATABASE  USER  IP-ADDRESS  IP-MASK  METHOD  [OPTION]
# host       DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
# hostssl    DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
# hostnossl  DATABASE  USER  IP-ADDRESS/CIDR-MASK  METHOD  [OPTION]
#
# (The uppercase quantities should be replaced by actual values.)
# The first field is the connection type: "local" is a Unix-domain socket,
# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
# DATABASE can be "all", "sameuser", "samegroup", a database name (or
# a comma-separated list thereof), or a file name prefixed with "@".
# USER can be "all", an actual user name or a group name prefixed with
# "+", an include file prefixed with "@" or a list containing either.
# IP-ADDRESS and IP-MASK specify the set of hosts the record matches.
# CIDR-MASK is an integer between 0 and 32 (IPv4) or 128 (IPv6)
# inclusive, that specifies the number of significant bits in the
# mask, so an IPv4 CIDR-MASK of 8 is equivalent to an IP-MASK of
# 255.0.0.0, and an IPv6 CIDR-MASK of 64 is equivalent to an IP-MASK
# of ffff:ffff:ffff:ffff::.  METHOD can be "trust", "reject", "md5",
# "crypt", "password", "krb5", "ident", or "pam".  Note that
# "password" uses clear-text passwords; "md5" is preferred for
# encrypted passwords.  OPTION is the ident map or the name of the PAM
# service.
#
# INCLUDE FILES:
# If you use include files for users and/or databases (see PostgreSQL
# documentation, section 19.1), these files must be placed in the
# database directory.  Usually this is /var/lib/postgres/data/, but
# that can be changed in /etc/postgresql/postmaster.conf with the
# POSTGRES_DATA variable.  Putting them in /etc/postgresql/ will NOT
# work since the configuration files are only symlinked from
# POSTGRES_DATA.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal.  If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect, or use
# "pg_ctl reload".
#
# Upstream default configuration
#
# The following configuration is the upstream default, which allows
# unrestricted access to any database by any user on the local machine.
#
# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
#
#local  all         all                                             trust
# IPv4-style local connections:
#host   all         all         127.0.0.1         255.255.255.255   trust
# IPv6-style local connections:
#
# Put your actual configuration here
# ----------------------------------
#
# This default configuration allows any local user to connect as himself
# without a password, either through a Unix socket or through TCP/IP; users
# on other machines are denied access.
#
# If you want to allow non-local connections, you need to add more
# "host" records before the final line that rejects all TCP/IP connections.
# Also, remember TCP/IP connections are only enabled if you enable
# "tcpip_socket" in /etc/postgresql/postgresql.conf.
#
# DO NOT DISABLE!
# If you change this first entry you will need to make sure the postgres user
# can access the database using some other method.  The postgres user needs
# non-interactive access to all databases during automatic maintenance
# (see the vacuum command and the /usr/lib/postgresql/bin/do.maintenance
# script).
#
# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
# Database administrative login by UNIX sockets
local   all         postgres                                        trust
#
# All other connections by UNIX sockets
#local  all         all                                             ident sameuser
#
# All IPv4 connections from localhost
host    all         all         127.0.0.1         255.255.255.255   trust
#
# All IPv6 localhost connections
#host   all         all         ::1               ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser
#host   all         all         ::ffff:127.0.0.1/128                ident sameuser
#
# reject all other connection attempts
host    all         all         0.0.0.0           0.0.0.0           reject
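
An added example, not part of the original file: a Python audit of records in the format described above. It reduces the IP-MASK and CIDR-MASK forms to one network, flags `trust` and clear-text `password` records, and flags records that sit behind a broader all/all `host` record, since the first matching record is the one used. The function names and the fourth sample record are constructed for illustration.

```python
import ipaddress

TCP_TYPES = {"host", "hostssl", "hostnossl"}

def to_network(addr, mask=None):
    """IP-ADDRESS/CIDR-MASK, or IP-ADDRESS plus IP-MASK, as a network object."""
    bits = "" if mask is None else f"/{bin(int(ipaddress.ip_address(mask))).count('1')}"
    return ipaddress.ip_network(addr + bits, strict=False)

def parse_hba(text):
    """Return the active (uncommented) records as dicts, in file order."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] not in TCP_TYPES and f[0] != "local":
            raise ValueError(f"line {lineno}: unknown connection type {f[0]!r}")
        n = 0 if f[0] == "local" else (1 if "/" in f[3] else 2)  # address fields
        net = to_network(*f[3:3 + n]) if n else None
        records.append(dict(line=lineno, type=f[0], db=f[1], user=f[2], net=net, method=f[3 + n]))
    return records

def audit(text):
    """Return (line, finding) tuples for risky or unreachable records."""
    findings, seen = [], []
    for r in parse_hba(text):
        if r["type"] in TCP_TYPES:
            # An earlier all/all "host" record covering this network always matches first.
            if any(s.version == r["net"].version and r["net"].subnet_of(s) for s in seen):
                findings.append((r["line"], "shadowed"))
            if r["type"] == "host" and r["db"] == "all" and r["user"] == "all":
                seen.append(r["net"])
        if r["method"] == "trust":
            findings.append((r["line"], "trust"))
        if r["method"] == "password" and r["type"] in ("host", "hostnossl"):
            findings.append((r["line"], "cleartext-password"))
    return findings

# Active records from the file above, plus a constructed 4th record after the reject.
SAMPLE = """\
local   all    postgres                             trust
host    all    all      127.0.0.1  255.255.255.255  trust
host    all    all      0.0.0.0    0.0.0.0          reject
host    appdb  webuser  10.0.0.0/8                  password
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `trust` finding on the 127.0.0.1 record matters because any local process that can open a TCP connection to the server can then connect as any database user without a password.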