From 49c86099f3bfde9f048f415a465f23ed6ac52d57 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Sat, 14 Sep 2002 18:35:46 +0000 Subject: [PATCH] Shrink the pg_hba.conf and pg_ident.conf default files and move most of the inline documentation to the main docs. --- doc/src/sgml/client-auth.sgml | 357 +++++++++++++++---------- src/backend/libpq/pg_hba.conf.sample | 295 +++----------------- src/backend/libpq/pg_ident.conf.sample | 66 ++--- 3 files changed, 295 insertions(+), 423 deletions(-) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 1cc48a65379..dc4b2649c13 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ @@ -45,10 +45,10 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16 database user names and OS user names. - + The <filename>pg_hba.conf</filename> file - + pg_hba.conf @@ -85,9 +85,9 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16 A record may have one of the three formats -local database user authentication-method [ authentication-option ] -host database user IP-address IP-mask authentication-method -hostssl database user IP-address IP-mask authentication-method +local database user authentication-method authentication-option +host database user IP-address IP-mask authentication-method authentication-option +hostssl database user IP-address IP-mask authentication-method authentication-option The meaning of the fields is as follows: @@ -96,8 +96,9 @@ hostssl database user local - This record applies to connection attempts using Unix domain - sockets. + This record matches connection attempts using Unix domain + sockets. Without a record of this type, Unix-domain socket + connections are disallowed @@ -106,7 +107,7 @@ hostssl database user host - This record applied to connection attempts using TCP/IP networks. + This record matches connection attempts using TCP/IP networks. Note that TCP/IP connections are disabled unless the server is started with the option or the tcpip_socket postgresql.conf @@ -119,13 +120,18 @@ hostssl database user hostssl - This record applies to connection attempts using SSL over - TCP/IP. To make use of this option the server must be - built with SSL support enabled. Furthermore, SSL must be - enabled with the + + + To be able make use of this option the server must be built + with SSL support enabled. Furthermore, SSL must be enabled by + enabling the option ssl in + postgresql.conf (see ). @@ -134,18 +140,18 @@ hostssl database user database - Specifies the database for this record. The value - all specifies that it applies to all - databases, while the value sameuser identifies the - database with the same name as the connecting user. The value - samegroup identifies a group with the same name as - the database name. Only members of this group can connect to the - database. Otherwise, this is the name of a specific - PostgreSQL database. Multiple database - names can be supplied by separating them with commas. A file - containing database names can be specified by preceding the file - name with @. The file must be in the same directory - as pg_hba.conf. + Specifies which databases this record matches. The value + all specifies that it matches all databases. + The value sameuser specifies that the record + matches if the requested database has the same name as the + requested user. The value samegroup specifies that + the requested user must a member of the group with the same + name as the requested database. Otherwise, this is the name of + a specific PostgreSQL database. + Multiple database names can be supplied by separating them with + commas. A file containing database names can be specified by + preceding the file name with @. The file must be in + the same directory as pg_hba.conf. @@ -154,41 +160,48 @@ hostssl database user user - Specifies the user for this record. The value - all specifies that it applies to all users. + Specifies which PostgreSQL users this record matches. The value + all specifies that it matches all users. Otherwise, this is the name of a specific PostgreSQL user. Multiple user names can be supplied by separating them with commas. Group names can be specified by preceding the group name with +. A - file containing user names can be specified by preceding the file - name with @. The file must be in the same directory - as pg_hba.conf. + file containing user names can be specified by preceding the + file name with @. The file must be in the same + directory as pg_hba.conf. - IP address - IP mask + IP-address + IP-mask - These two fields specify the client machine IP addresses - (host or hostssl) for this - record. (Of course IP addresses can be spoofed but this - consideration is beyond the scope of - PostgreSQL.) The precise logic is that + These two fields contain IP address/mask values in standard + dotted decimal notation. (IP addresses can only be specified + numerically, not as domain or host names.) Taken together they + specify the client machine IP addresses that this record + matches. The precise logic is that
(actual-IP-address xor IP-address-field) and IP-mask-field
- must be zero for the record to match. + must be zero for the record to match. (Of course IP addresses + can be spoofed but this consideration is beyond the scope of + PostgreSQL.) + + + + These fields only apply to host and + hostssl records. - authentication method + authentication-method Specifies the authentication method to use when connecting via @@ -204,7 +217,8 @@ hostssl database user PostgreSQL database to login as any PostgreSQL user they like, - without the need for a password. + without the need for a password. See for details. @@ -226,6 +240,7 @@ hostssl database user pg_shadow. + See for details. @@ -237,6 +252,7 @@ hostssl database user md5 method but uses older crypt encryption, which is needed for pre-7.2 clients. md5 is preferred for 7.2 and later clients. + See for details. @@ -247,6 +263,7 @@ hostssl database user Same as "md5", but the password is sent in cleartext over the network. This should not be used on untrusted networks. + See for details. @@ -256,7 +273,8 @@ hostssl database user Kerberos V4 is used to authenticate the user. This is only - available for TCP/IP connections. + available for TCP/IP connections. See for details. @@ -266,7 +284,8 @@ hostssl database user Kerberos V5 is used to authenticate the user. This is only - available for TCP/IP connections. + available for TCP/IP connections. See for details. @@ -274,39 +293,33 @@ hostssl database user ident - - For TCP/IP connections, authentication is done by contacting - the ident server on the client - host. This is only as secure as the client machine. You must - specify the map name after the 'ident' keyword. It - determines how to map remote user names to - PostgreSQL user names. If you use - "sameuser", the user names are assumed to be identical. If - not, the map name is looked up in the $PGDATA/pg_ident.conf + + Obtain the operating system user name of the client (for + TCP/IP connections by contacting the ident server on the + client, for local connections by getting it from the + operating system) and check if the user is allowed to + connect as the requested database user by consulting the map + specified after the ident key word. + + + + If you use the map sameuser, the user + names are assumed to be identical. If not, the map name is + looked up in the $PGDATA/pg_ident.conf file. The connection is accepted if that file contains an entry for this map name with the ident-supplied user name and the requested PostgreSQL user name. + - On machines that support unix-domain socket credentials - (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows - reliable authentication of 'local' connections without ident - running on the local machine. + For local connections, this only works on machines that + support Unix-domain socket credentials (currently Linux, + FreeBSD, NetBSD, and BSD/OS). + - On systems without SO_PEERCRED requests, ident - authentication is only available for TCP/IP connections. As a - work around, it is possible to specify the localhost address 127.0.0.1 and make connections to this - address. - - - Following the ident keyword, an ident - map name should be supplied which specifies which - operating system users equate with which database users. See - below for details. + See below for details. @@ -315,27 +328,27 @@ hostssl database user pam - This authentication type operates similarly to - password except that it uses PAM - (Pluggable Authentication Modules) as the authentication - mechanism. The default PAM service name is - postgresql. You can optionally supply you - own service name after the pam keyword in the - file. For more information about PAM, please read the Linux-PAM - Page and the Solaris PAM Page. + Authenticate using the Pluggable Authentication Modules + (PAM) service provided by the operating system. See for details. - + + authentication-option + + + The meaning of this optional field depends on the chosen + authentication method and is described in the next section. + + + @@ -353,6 +366,13 @@ hostssl database user + + + Do not prevent the superuser from accessing the template1 + database. Various utility commands need access to template1. + + + SIGHUP @@ -373,55 +393,67 @@ hostssl database user An example <filename>pg_hba.conf</filename> file -# TYPE DATABASE USER IP_ADDRESS MASK AUTHTYPE +# Allow any user on the local system to connect to any database under +# any user name using Unix-domain sockets (the default for local +# connections). +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +local all all trust -# Allow any user on the local system to connect to any -# database under any user name, but only via an IP connection: +# The same using local loopback TCP/IP connections. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 127.0.0.1 255.255.255.255 trust -host all all 127.0.0.1 255.255.255.255 trust +# Allow any user from any host with IP address 192.168.93.x to connect +# to database "template1" as the same user name that ident reports for +# the connection (typically the Unix user name). +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host template1 all 192.168.93.0 255.255.255.0 ident sameuser -# The same, over Unix-socket connections: +# Allow a user from host 192.168.12.10 to connect to database +# "template1" if the user's password is correctly supplied. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host template1 all 192.168.12.10 255.255.255.255 md5 -local all all trust +# In the absence of preceding "host" lines, these two lines will +# reject all connection from 192.168.54.1 (since that entry will be +# matched first), but allow Kerberos V connections from anywhere else +# on the Internet. The zero mask means that no bits of the host IP +# address are considered so it matches any host. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 192.168.54.1 255.255.255.255 reject +host all all 0.0.0.0 0.0.0.0 krb5 -# Allow any user from any host with IP address 192.168.93.x to -# connect to database "template1" as the same user name that ident on that -# host identifies him as (typically his Unix user name): +# Allow users from 192.168.x.x hosts to connect to any database, if +# they pass the ident check. If, for example, ident says the user is +# "bryanh" and he requests to connect as PostgreSQL user "guest1", the +# connection is allowed if there is an entry in pg_ident.conf for map +# "omicron" that says "bryanh" is allowed to connect as "guest1". +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 192.168.0.0 255.255.0.0 ident omicron -host template1 all 192.168.93.0 255.255.255.0 ident sameuser +# If these are the only three lines for local connections, they will +# allow local users to connect only to their own databases (databases +# with the same name as their user name) except for administrators and +# members of group "support" who may connect to all databases. The file +# $PGDATA/admins contains a list of user names. Passwords are required in +# all cases. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +local sameuser all md5 +local all @admins md5 +local all +support md5 -# Allow a user from host 192.168.12.10 to connect to database "template1" -# if the user's password is correctly supplied: +# The last two lines above can be combined into a single line: +local all @admins,+support md5 -host template1 all 192.168.12.10 255.255.255.255 md5 - -# In the absence of preceding "host" lines, these two lines will reject -# all connection attempts from 192.168.54.1 (since that entry will be -# matched first), but allow Kerberos V5-validated connections from anywhere -# else on the Internet. The zero mask means that no bits of the host IP -# address are considered, so it matches any host: - -host all all 192.168.54.1 255.255.255.255 reject -host all all 0.0.0.0 0.0.0.0 krb5 - -# Allow users from 192.168.x.x hosts to connect to any database, if they -# pass the ident check. If, for example, ident says the user is "bryanh" -# and he requests to connect as PostgreSQL user "guest1", the connection -# is allowed if there is an entry in pg_ident.conf for map "omicron" that -# says "bryanh" is allowed to connect as "guest1": - -host all all 192.168.0.0 255.255.0.0 ident omicron - -# If these are the only two lines for local connections, they will allow -# local users to connect only to their own databases (database named the -# same as the user name), except for administrators who may connect to -# all databases. The file $PGDATA/admins lists the user names who are -# permitted to connect to all databases. Passwords are required in all -# cases. (If you prefer to use ident authorization, an ident map can -# serve a parallel purpose to the password list file used here.) - -local sameuser all md5 -local all @admins md5 +# The database column can also use lists and file names, but not groups: +local db1,db2,@demodbs all md5 @@ -542,10 +574,10 @@ local all @admins md5 Kerberos system is far beyond the scope of this document; in all generality it can be quite complex (yet powerful). The Kerb - eros FAQ or MIT Project Athena can be a - good starting point for exploration. Several sources for + url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos + FAQ or MIT Project Athena can be + a good starting point for exploration. Several sources for Kerberos distributions exist. @@ -620,13 +652,25 @@ local all @admins md5 - + Ident-based authentication ident + + The ident authentication method works by inspecting the client's + operating system user name and determining the allowed database + user names by using a map file that lists the permitted + corresponding user name pairs. The determination of the client's + user name is the security-critical point, and it works differently + depending on the connection type. + + + + Ident Authentication over TCP/IP + The Identification Protocol is described in RFC 1413. Virtually every Unix-like @@ -660,15 +704,35 @@ local all @admins md5 + + + + Ident Authentication over Local Sockets On systems supporting SO_PEERCRED requests for - Unix-domain sockets, ident authentication can also be applied to - local connections. In this case, no security risk is added by using - ident authentication; indeed it is a preferable choice for local - connections on such systems. + Unix-domain sockets (currently Linux, FreeBSD, + NetBSD, and BSD/OS, ident authentication can also be applied + to local connections. In this case, no security risk is added by + using ident authentication; indeed it is a preferable choice for + local connections on such systems. + + On systems without SO_PEERCRED requests, ident + authentication is only available for TCP/IP connections. As a + work around, it is possible to specify the localhost address 127.0.0.1 and make connections to this + address. + + + + + Ident Maps + When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, @@ -731,16 +795,35 @@ local all @admins md5 An example <filename>pg_ident.conf</> file -#MAP IDENT-NAME POSTGRESQL-NAME +# MAPNAME IDENT-USERNAME PG-USERNAME -omicron bryanh bryanh -omicron ann ann +omicron bryanh bryanh +omicron ann ann # bob has user name robert on these machines -omicron robert bob +omicron robert bob # bryanh can also connect as guest1 -omicron bryanh guest1 +omicron bryanh guest1 + + + + + PAM Authentication + + + This authentication type operates similarly to + password except that it uses PAM (Pluggable + Authentication Modules) as the authentication mechanism. The + default PAM service name is postgresql. You can + optionally supply you own service name after the pam + keyword in the file. For more information about PAM, please read + the Linux-PAM + Page and the Solaris PAM Page. + diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index 05e6959b4de..5338c79104b 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -1,259 +1,48 @@ -# -# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE -# -# -# This file controls: -# o which hosts are allowed to connect -# o how users are authenticated on each host -# o databases accessible by each host -# -# It is read on postmaster startup and when the postmaster receives a SIGHUP. -# If you edit the file on a running system, you have to SIGHUP the postmaster -# for the changes to take effect, or use "pg_ctl reload". -# -# Each line is a new record. Records cannot span multiple lines. -# Comments begin with # and continue to the end of the line. -# Blank lines are ignored. A record consists of tokens separated by -# spaces or tabs. -# -# Each record specifies a connection type and authentication method. Most -# records also can restrict based on database name or IP address. +# PostgreSQL Client Authentication Configuration File +# =================================================== # -# When reading this file, the postmaster finds the first record that -# matches the connection type, client address, and database name, and uses -# that record to perform client authentication. If no record matches, the -# connection is rejected. +# Refer to the PostgreSQL Administrator's Guide, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. # -# The first token of a record indicates the connection type. The -# remainder of the record is interpreted based on that type. -# -# Record Types -# ============ -# -# There are three record types: -# o host -# o hostssl -# o local -# -# host -# ---- -# -# This record identifies hosts that are permitted to connect via TCP/IP. -# -# Format: -# -# host DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# -# DATABASE can be: -# o a database name -# o "sameuser", which means a user can only access a database with the -# same name as their user name -# o "samegroup", which means a user can only access databases when they -# are members of a group with the same name as the database name -# o "all", which matches all databases -# o a list of database names, separated by commas -# o a file name containing database names, starting with '@' +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of three forms: # -# USER can be: -# o a user name -# o "all", which matches all users -# o a list of user names, separated by commas -# o a group name, starting with '+' -# o a file name containing user names, starting with '@' +# local DATABASE USER METHOD [OPTION] +# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] +# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # -# Files read using '@' can contain comma-separated database/user names, -# or one name per line. The files can also contain comments using '#'. +# (The uppercase quantities should be replaced by actual values.) +# DATABASE can be "all", "sameuser", "samegroup", a database name (or +# a comma-separated list thereof), or a file name prefixed with "@". +# USER can be "all", an actual user name or a group name prefixed with +# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the +# set of hosts the record matches. METHOD can be "trust", "reject", +# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note +# that "password" uses clear-text passwords; "md5" is preferred for +# encrypted passwords. OPTION is the ident map or the name of the PAM +# service. # -# IP_ADDRESS and MASK are standard dotted decimal IP address and -# mask values. IP addresses can only be specified numerically, not as -# domain or host names. -# -# Do not prevent the superuser from accessing the template1 database. -# Various utility commands need access to template1. -# -# AUTH_TYPE is described below. -# -# -# hostssl -# ------- -# -# The format of this record is identical to "host". -# -# It specifies hosts that require connection via secure SSL. "host" -# allows SSL connections too, but "hostssl" requires SSL-secured -# connections. -# -# This keyword is only available if the server was compiled with SSL -# support. -# -# -# local -# ----- -# -# This record identifies the authentication for local UNIX domain socket -# connections. Without this record, UNIX-socket connections are disallowed -# -# Format: -# local DATABASE USER AUTH_TYPE -# -# This format is identical to the "host" record type except there are no -# IP_ADDRESS and MASK fields. -# -# -# -# Authentication Types (AUTH_TYPE) -# ================================ -# -# AUTH_TYPE indicates the method used to authenticate users. Each record -# has an AUTH_TYPE. -# -# trust: -# No authentication is done. Any valid user name is accepted, -# including the PostgreSQL superuser. This option should -# be used only for hosts where all users are trusted. -# -# md5: -# Requires the client to supply an MD5 encrypted password for -# authentication. This is the only method that allows encrypted -# passwords to be stored in pg_shadow. -# -# crypt: -# Same as "md5", but uses crypt for pre-7.2 clients. -# -# password: -# Same as "md5", but the password is sent in cleartext over -# the network. This should not be used on untrusted -# networks. -# -# ident: -# For TCP/IP connections, authentication is done by contacting the -# ident server on the client host. This is only as secure as the -# client machine. You must specify the map name after the 'ident' -# keyword. It determines how to map remote user names to -# PostgreSQL user names. If you use "sameuser", the user names are -# assumed to be identical. If not, the map name is looked up -# in the $PGDATA/pg_ident.conf file. The connection is accepted if -# that file contains an entry for this map name with the -# ident-supplied username and the requested PostgreSQL username. -# -# On machines that support unix-domain socket credentials -# (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows -# reliable authentication of 'local' connections without ident -# running on the local machine. -# -# krb4: -# Kerberos V4 authentication is used. Allowed only for -# TCP/IP connections, not for local UNIX-domain sockets. -# -# krb5: -# Kerberos V5 authentication is used. Allowed only for -# TCP/IP connections, not for local UNIX-domain sockets. -# -# pam: -# Authentication is done by PAM using the default service name -# "postgresql". You can specify your own service name by adding -# the service name after the 'pam' keyword. To use this option, -# PostgreSQL must be configured --with-pam. -# -# reject: -# Reject the connection. This is used to reject certain hosts -# that are part of a network specified later in the file. -# To be effective, "reject" must appear before the later -# entries. -# -# -# -# Examples -# ======== -# -# -# Allow any user on the local system to connect to any database under any -# username using Unix-domain sockets (the default for local connections): -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# local all all trust -# -# The same using local loopback TCP/IP connections: -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# host all all 127.0.0.1 255.255.255.255 trust -# -# Allow any user from any host with IP address 192.168.93.x to -# connect to database "template1" as the same username that ident reports -# for the connection (typically his Unix username): -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# host template1 all 192.168.93.0 255.255.255.0 ident sameuser -# -# Allow a user from host 192.168.12.10 to connect to database "template1" -# if the user's password is correctly supplied: -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# host template1 all 192.168.12.10 255.255.255.255 md5 -# -# In the absence of preceding "host" lines, these two lines will reject -# all connection from 192.168.54.1 (since that entry will be matched -# first), but allow Kerberos V5 connections from anywhere else on the -# Internet. The zero mask means that no bits of the host IP address are -# considered so it matches any host: -# -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# host all all 192.168.54.1 255.255.255.255 reject -# host all all 0.0.0.0 0.0.0.0 krb5 -# -# Allow users from 192.168.x.x hosts to connect to any database if they -# pass the ident check. For example, if ident says the user is "james" and -# he requests to connect as PostgreSQL user "guest", the connection is -# allowed if there is an entry in $PGDATA/pg_ident.conf with map name -# "phoenix" that says "james" is allowed to connect as "guest": -# See $PGDATA/pg_ident.conf for more information on Ident maps. -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# host all all 192.168.0.0 255.255.0.0 ident phoenix -# -# If these are the only three lines for local connections, they will -# allow local users to connect only to their own databases (databases -# with the same name as their user name) except for administrators and -# members of group 'support' who may connect to all databases . The file -# $PGDATA/admins contains a list of user names. Passwords are required in -# all cases. -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE -# local sameuser all md5 -# local all @admins md5 -# local all +support md5 -# -# The last two lines above can be combined into a single line: -# -# local all @admins,+support md5 -# -# The database column can also use lists and file names, but not groups: -# -# local db1,db2,@demodbs all md5 -# -# -# -# -# -# -# Put your actual configuration here -# ================================== -# -# The default configuration allows any local user to connect using any -# PostgreSQL username, including the superuser, over either UNIX domain -# sockets or TCP/IP. -# -# If you want to allow non-local connections, you need to add more "host" -# records. Also, remember TCP/IP connections are only enabled if you -# start the postmaster with the -i flag, or enable "tcpip_socket" in -# $PGDATA/postgresql.conf. -# -# CAUTION: if you are on a multiple-user machine, the default -# configuration is probably too liberal for you. Change it to use -# something other than "trust" authentication. -# -# TYPE DATABASE USER IP_ADDRESS MASK AUTH_TYPE +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect, or use +# "pg_ctl reload". -local all all trust -host all all 127.0.0.1 255.255.255.255 trust +# Put your actual configuration here +# ---------------------------------- +# +# CAUTION: The default configuration allows any local user to connect +# using any PostgreSQL user name, including the superuser, over either +# Unix-domain sockets or TCP/IP. If you are on a multiple-user +# machine, the default configuration is probably too liberal for you. +# Change it to use something other than "trust" authentication. +# +# If you want to allow non-local connections, you need to add more +# "host" records. Also, remember TCP/IP connections are only enabled +# if you enable "tcpip_socket" in postgresql.conf. + +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD + +local all all trust +host all all 127.0.0.1 255.255.255.255 trust diff --git a/src/backend/libpq/pg_ident.conf.sample b/src/backend/libpq/pg_ident.conf.sample index 3f00226f14d..4a7334c7763 100644 --- a/src/backend/libpq/pg_ident.conf.sample +++ b/src/backend/libpq/pg_ident.conf.sample @@ -1,35 +1,35 @@ -# -# PostgreSQL IDENT-BASED AUTHENTICATION MAPS -# -# This file controls PostgreSQL ident-based authentication. It maps ident -# usernames (typically Unix usernames) to their corresponding PostgreSQL -# usernames. Entries are grouped by map name. Each record consists of -# three fields: -# -# o map name -# o ident username -# o PostgreSQL username -# -# It is read on postmaster startup and when the postmaster receives a SIGHUP. -# If you edit the file on a running system, you have to SIGHUP the postmaster -# for the changes to take effect. +# PostgreSQL Ident Authentication Maps +# ==================================== # -# For example, the following entry equates user "james" on a remote system -# to PostgreSQL user "guest" in the map named "phoenix": -# -# MAP IDENT PGUSERNAME -# phoenix james guest -# -# "phoenix" can now be used by an "ident" record in $DATA/pg_hba.conf. -# -# Multiple maps may be specified in this file and used by pg_hba.conf. -# -# Note that it is possible for a remote user to map to multiple PostgreSQL -# usernames. The PostgreSQL username specified at connection time controls -# which one is used. -# -# If all ident usernames and PostgreSQL usernames are the same, you don't -# need this file. Instead, use the special map name "sameuser" in +# Refer to the PostgreSQL Administrator's Guide, chapter "Client +# Authentication" for a complete description. A short synopsis +# follows. +# +# This file controls PostgreSQL ident-based authentication. It maps +# ident user names (typically Unix user names) to their corresponding +# PostgreSQL user names. Records are of the form: +# +# MAPNAME IDENT-USERNAME PG-USERNAME +# +# (The uppercase quantities should be replaced by actual values.) +# MAPNAME is the (otherwise freely chosen) map name that was used in +# pg_hba.conf. IDENT-USERNAME is the detected user name of the +# client. PG-USERNAME is the request PostgreSQL user name. The +# existence of a record specifies that IDENT-USERNAME may connect as +# PG-USERNAME. Multiple maps may be specified in this file and used +# by pg_hba.conf. +# +# This file is read on server startup and when the postmaster receives +# a SIGHUP signal. If you edit the file on a running system, you have +# to SIGHUP the postmaster for the changes to take effect, or use +# "pg_ctl reload". + +# Put your actual configuration here +# ---------------------------------- +# +# No map names are defined in the default configuration. If all ident +# user names and PostgreSQL user names are the same, you don't need +# this file. Instead, use the special map name "sameuser" in # pg_hba.conf. -# -# MAP IDENT PGUSERNAME + +# MAPNAME IDENT-USERNAME PG-USERNAME