# PostgreSQL Client Authentication Configuration File # =================================================== # # Refer to the PostgreSQL Administrator's Guide, chapter "Client # Authentication" for a complete description. A short synopsis # follows. # # This file controls: which hosts are allowed to connect, how clients # are authenticated, which PostgreSQL user names they can use, which # databases they can access. Records take one of seven forms: # # local DATABASE USER METHOD [OPTION] # host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # hostnossl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION] # host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION] # hostssl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION] # hostnossl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD [OPTION] # # (The uppercase quantities should be replaced by actual values.) # The first field is the connection type: "local" is a Unix-domain socket, # "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an # SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket. # DATABASE can be "all", "sameuser", "samegroup", a database name (or # a comma-separated list thereof), or a file name prefixed with "@". # USER can be "all", an actual user name or a group name prefixed with # "+", an include file prefixed with "@" or a list containing either. # IP-ADDRESS and IP-MASK specify the set of hosts the record matches. # CIDR-MASK is an integer between 0 and 32 (IPv6) or 128(IPv6) # inclusive, that specifies the number of significant bits in the # mask, so an IPv4 CIDR-MASK of 8 is equivalent to an IP-MASK of # 255.0.0.0, and an IPv6 CIDR-MASK of 64 is equivalent to an IP-MASK # of ffff:ffff:ffff:ffff::. METHOD can be "trust", "reject", "md5", # "crypt", "password", "krb5", "ident", or "pam". Note that # "password" uses clear-text passwords; "md5" is preferred for # encrypted passwords. OPTION is the ident map or the name of the PAM # service. # # INCLUDE FILES: # If you use include files for users and/or databases (see PostgreSQL # documentation, section 19.1), these files must be placed in the # database directory. Usually this is /var/lib/postgres/data/, but # that can be changed in /etc/postgresql/postmaster.conf with the # POSTGRES_DATA variable. Putting them in /etc/postgresql/ will NOT # work since the configuration files are only symlinked from # POSTGRES_DATA. # # This file is read on server startup and when the postmaster receives # a SIGHUP signal. If you edit the file on a running system, you have # to SIGHUP the postmaster for the changes to take effect, or use # "pg_ctl reload". # # Upstream default configuration # # The following configuration is the upstream default, which allows # unrestricted access to amy database by any user on the local machine. # # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # #local all all trust # IPv4-style local connections: #host all all 127.0.0.1 255.255.255.255 trust # IPv6-style local connections: # # Put your actual configuration here # ---------------------------------- # # This default configuration allows any local user to connect as himself # without a password, either through a Unix socket or through TCP/IP; users # on other machines are denied access. # # If you want to allow non-local connections, you need to add more # "host" records before the final line that rejects all TCP/IP connections. # Also, remember TCP/IP connections are only enabled if you enable # "tcpip_socket" in /etc/postgresql/postgresql.conf. # # DO NOT DISABLE! # If you change this first entry you will need to make sure the postgres user # can access the database using some other method. The postgres user needs # non-interactive access to all databases during automatic maintenance # (see the vacuum command and the /usr/lib/postgresql/bin/do.maintenance # script). # # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # Database administrative login by UNIX sockets local all postgres ident sameuser # # All other connections by UNIX sockets local all all ident sameuser # # All IPv4 connections from localhost host all all 127.0.0.1 255.255.255.255 ident sameuser # # All IPv6 localhost connections host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser host all all ::ffff:127.0.0.1/128 ident sameuser # # reject all other connection attempts host all all 0.0.0.0 0.0.0.0 reject