Authentication configuration file
pg_hba.conf is the host-based authentication configuration file (hba stands for host-based authentication). The file consists of a set of records, one per line. Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The format is:
TYPE | DATABASE | USER | CIDR-ADDRESS | METHOD |
These parameters are described below.
- TYPE
TYPE records the connection type; there are four types: local, host, hostssl and hostnossl.
- local: This record matches connection attempts using Unix-domain sockets. Without a record of this type, Unix-domain socket connections are disallowed.
- host: This record matches connection attempts made using TCP/IP. host records match either SSL or non-SSL connection attempts.
Remote TCP/IP connections will not be possible unless the server is started with an appropriate value for the listen_addresses configuration parameter, since the default behavior is to listen for TCP/IP connections only on the local loopback address localhost.
- hostssl: This record matches connection attempts made using TCP/IP, but only when the connection is made with SSL encryption. To make use of this option the server must be built with SSL support and SSL must be enabled (ssl = on).
- hostnossl: This record type has the opposite behavior of hostssl; it only matches connection attempts made over TCP/IP that do not use SSL.
- DATABASE
Specifies which database name(s) this record matches. The value all specifies that it matches all databases. The value sameuser specifies that the record matches if the requested database has the same name as the requested user. The value samerole specifies that the requested user must be a member of the role with the same name as the requested database. (samegroup is an obsolete but still accepted spelling of samerole.) Otherwise, this is the name of a specific PostgreSQL database. Multiple database names can be supplied by separating them with commas. A separate file containing database names can be specified by preceding the file name with @.
- USER
Specifies which database user name(s) this record matches. The value all specifies that it matches all users. Otherwise, this is either the name of a specific database user, or a group name preceded by +. (Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role.) Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @.
- CIDR-ADDRESS
Specifies the client machine IP addresses that this record matches. An IP address is given in standard dotted-decimal notation followed by a CIDR mask length (it must be a numeric address, not a host name). The mask length indicates the number of high-order bits of the client IP address that must match. Bits to the right of this must be zero in the given IP address. There must not be any white space between the IP address, the /, and the CIDR mask length.
Typical examples of a CIDR-ADDRESS are 172.20.143.89/32 for a single host, or 172.20.143.0/24 for a network. To specify a single host, use a CIDR mask of 32 for IPv4 or 128 for IPv6.
An IP address given in IPv4 format will match IPv6 connections that have the corresponding address, for example 127.0.0.1 will match the IPv6 address ::ffff:127.0.0.1. An entry given in IPv6 format will match only IPv6 connections, even if the represented address is in the IPv4-in-IPv6 range. Note that entries in IPv6 format will be rejected if the system's C library does not have support for IPv6 addresses.
This field only applies to host, hostssl, and hostnossl records.
- METHOD
Specifies the authentication method to use when a connection matches this record. PostgreSQL provides five authentication methods: trust, reject, md5, crypt and password.
- trust: Allow the connection unconditionally. This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication.
- reject: Reject the connection unconditionally. This is useful for "filtering out" certain hosts from a group.
- md5: Require the client to supply an MD5-hashed password for authentication.
- crypt: Require the client to supply a crypt()-encrypted password for authentication. This method is only recommended for clients older than version 7.2; for current versions, use the md5 method instead.
- password: Require the client to supply an unencrypted password for authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks; in general it also cannot be used with threaded client applications.
For example, to allow any user from any host with an IP address of the form 192.168.93.x to connect to the database "postgres", requiring a password from these hosts:
TYPE | DATABASE | USER | CIDR-ADDRESS | METHOD |
host | postgres | all | 192.168.93.0/24 | md5 |
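The following is an added example, not part of the original page, showing how the record fields above combine to select a METHOD: it parses a small constructed pg_hba.conf (SAMPLE_HBA) and resolves a connection against it with first-match semantics, handling local vs. host/hostssl/hostnossl, the IPv4-in-IPv6 mapping rule, and the all/sameuser/samerole/+role keywords. ROLE_MEMBERS is a hypothetical stand-in for the server's role membership catalog.

```python
import ipaddress
# Constructed sample pg_hba.conf (not from the page); the last record is a deliberately over-broad 'trust' catch-all.
SAMPLE_HBA = """
# TYPE   DATABASE  USER  CIDR-ADDRESS     METHOD
local    all       all                    md5
host     postgres  all   192.168.93.0/24  md5
hostssl  sameuser  all   127.0.0.1/32     md5
host     all       +ops  10.0.0.0/8       password
host     all       all   0.0.0.0/0        trust
"""
ROLE_MEMBERS = {"ops": {"alice"}}  # hypothetical; the real server reads its catalog

def parse_hba(text):
    """One dict per record; 'local' rows carry no CIDR-ADDRESS column."""
    records = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:  # ip_network() rejects non-zero bits to the right of the mask
            addr = None if f[0] == "local" else ipaddress.ip_network(f.pop(3))
            records.append(dict(type=f[0], db=f[1], user=f[2], addr=addr, method=f[3]))
    return records

def type_and_addr_match(rtype, net, client, ssl):
    """local <-> Unix socket, host* <-> TCP/IP (hostssl/hostnossl also test SSL);
    an IPv4 entry matches ::ffff:a.b.c.d too, an IPv6 entry never matches IPv4."""
    if rtype == "local" or client is None:
        return rtype == "local" and client is None
    if rtype != "host" and (rtype == "hostssl") != ssl:
        return False
    ip = ipaddress.ip_address(client)
    if net.version == 4 and ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.version == net.version and ip in net

def names_match(pattern, value, user=None, members=ROLE_MEMBERS):
    """DATABASE/USER column: comma list of names, all, sameuser, samerole, +role."""
    return any(p in ("all", value) or (p == "sameuser" and value == user)
               or (p in ("samerole", "samegroup") and user in members.get(value, ()))
               or (p.startswith("+") and value in members.get(p[1:], ()))
               for p in pattern.split(","))

def resolve(records, db, user, client=None, ssl=False):
    """METHOD of the first matching record (first match wins, as in PostgreSQL);
    None means no record matched and the connection is refused."""
    for r in records:
        if (type_and_addr_match(r["type"], r["addr"], client, ssl)
                and names_match(r["db"], db, user) and names_match(r["user"], user)):
            return r["method"]
    return None
```

Running resolve() against the sample shows why record order matters: a non-SSL loopback connection that misses the hostssl record falls through to the final trust catch-all, while a plain IPv6 client matches nothing because every entry is in IPv4 form.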
Database Configuration File
postgresql.conf is the database configuration file. It provides many configuration parameters, covering file locations, connections and authentication, resource usage, write-ahead log, query tuning, error reporting and logging, runtime statistics, autovacuum, client connection defaults, lock management, version/platform compatibility, error handling and customized options. All parameters are commented out until they are set; for details on these settings, refer to the PostgreSQL documentation. Here, the two parameters that must be changed to allow non-local connections are introduced: listen_addresses and port. Uncomment them and set them as follows:
listen_addresses = '*'
port = 5432