|
9 | 9 | #
|
10 | 10 | # It is read on postmaster startup and when the postmaster receives a SIGHUP.
|
11 | 11 | # If you edit the file on a running system, you have to SIGHUP the postmaster
|
12 |
| -# for the changes to take effect. |
| 12 | +# for the changes to take effect, or use "pg_ctl reload". |
13 | 13 | #
|
14 |
| -# Each line is a new record. Records cannot be continued across multiple |
15 |
| -# lines. Comments begin with # and continue to the end of the line. |
| 14 | +# Each line is a new record. Records cannot span multiple lines. |
| 15 | +# Comments begin with # and continue to the end of the line. |
16 | 16 | # Blank lines are ignored. A record consists of tokens separated by
|
17 |
| -# multiple spaces or tabs. |
| 17 | +# spaces or tabs. |
18 | 18 | #
|
19 |
| -# Each record specifies the authentication method to be used for connections |
20 |
| -# of a certain type that match a certain set of IP addresses (if relevant |
21 |
| -# for the connection type) and a certain database or databases. The |
22 |
| -# postmaster finds the first record that matches the connection type, |
23 |
| -# client address, and database name, and uses that record to perform client |
24 |
| -# authentication. If no record matches, the connection is rejected. |
| 19 | +# Each record specifies a connection type and authentication method. Most |
| 20 | +# records also can restrict based on database name or IP address. |
25 | 21 | #
|
26 |
| -# The first token of a record indicates its type. The remainder of the |
27 |
| -# record is interpreted based on its type. |
| 22 | +# When reading this file, the postmaster finds the first record that |
| 23 | +# matches the connection type, client address, and database name, and uses |
| 24 | +# that record to perform client authentication. If no record matches, the |
| 25 | +# connection is rejected. |
| 26 | +# |
| 27 | +# The first token of a record indicates the connection type. The |
| 28 | +# remainder of the record is interpreted based on that type. |
28 | 29 | #
|
29 | 30 | # Record Types
|
30 | 31 | # ============
|
31 | 32 | #
|
32 |
| -# There are three types of records: |
| 33 | +# There are three record types: |
33 | 34 | # o host
|
34 | 35 | # o hostssl
|
35 | 36 | # o local
|
36 | 37 | #
|
37 | 38 | # host
|
38 | 39 | # ----
|
39 | 40 | #
|
40 |
| -# This record identifies networked hosts that are permitted to connect |
41 |
| -# via IP connections. |
| 41 | +# This record identifies hosts that are permitted to connect via TCP/IP. |
42 | 42 | #
|
43 | 43 | # Format:
|
44 | 44 | #
|
45 | 45 | # host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]
|
46 | 46 | #
|
47 | 47 | # DBNAME can be:
|
48 |
| -# o the name of a PostgreSQL database |
49 |
| -# o "all" to indicate all databases |
50 |
| -# o "sameuser" to allow access only to databases with the same |
51 |
| -# name as the connecting user |
| 48 | +# o a database name |
| 49 | +# o "all", which means the record matches all databases |
| 50 | +# o "sameuser", which means users can only access databases whose name |
| 51 | +# is the same as their username |
52 | 52 | #
|
53 |
| -# The superuser needs access to the 'template1' database because it is used |
54 |
| -# by a variety of PostgreSQL utility commands. |
55 |
| -# |
56 | 53 | # IP_ADDRESS and ADDRESS_MASK are standard dotted decimal IP address and
|
57 | 54 | # mask values. IP addresses can only be specified numerically, not as
|
58 | 55 | # domain or host names.
|
59 | 56 | #
|
| 57 | +# Do not prevent the superuser from accessing the template1 database. |
| 58 | +# Various utility commands need access to template1. |
| 59 | +# |
60 | 60 | # AUTH_TYPE and AUTH_ARGUMENT are described below.
|
61 | 61 | #
|
62 | 62 | #
|
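Review bot: "Most records also can restrict based on database name or IP address" reads better as "Most records can also restrict ...", and since this sentence replaces the old "match a certain set of IP addresses (if relevant for the connection type)", it should say which types carry an address, e.g. "host and hostssl records can also restrict by IP address, and all types by database name". Moving the first-match rule into its own paragraph is an improvement: "If no record matches, the connection is rejected" is the key safety property of this file and is now easy to find. The relocated superuser/template1 note ("Do not prevent the superuser from accessing the template1 database.") is clearer as an instruction than the old explanation was.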
|
65 | 65 | #
|
66 | 66 | # The format of this record is identical to "host".
|
67 | 67 | #
|
68 |
| -# This record identifies a set of network hosts that are permitted to |
69 |
| -# connect to databases over secure SSL IP connections. Note that a "host" |
70 |
| -# record will also allow SSL connections. "hostssl" matches *only* |
71 |
| -# SSL-secured connections. |
| 68 | +# |
| 69 | +# |
| 70 | +# It specifies hosts that required connection via secure SSL. "host" |
| 71 | +# records allow SSL connections too, but "hostssl" only allows SSL-secured |
| 72 | +# connections. |
72 | 73 | #
|
73 | 74 | # This keyword is only available if the server was compiled with SSL
|
74 |
| -# support enabled. |
| 75 | +# support. |
75 | 76 | #
|
76 | 77 | #
|
77 | 78 | # local
|
78 | 79 | # -----
|
79 | 80 | #
|
80 |
| -# This record identifies the authentication to use when connecting to |
81 |
| -# the server via a local UNIX domain socket. UNIX-socket connections are |
82 |
| -# allowed only if this record type appears. |
| 81 | +# This record identifies the authentication for local UNIX domain socket |
| 82 | +# connections. Without this record, UNIX-socket connections are disallowed |
83 | 83 | #
|
84 | 84 | # Format:
|
85 | 85 | # local DBNAME AUTH_TYPE [AUTH_ARGUMENT]
|
86 | 86 | #
|
87 |
| -# This format is identical to the "host" record type except the IP_ADDRESS |
88 |
| -# and ADDRESS_MASK fields are omitted. |
| 87 | +# This format is identical to the "host" record type except there are no |
| 88 | +# IP_ADDRESS and ADDRESS_MASK fields. |
89 | 89 | #
|
90 | 90 | #
|
91 | 91 | #
|
92 | 92 | # Authentication Types (AUTH_TYPE)
|
93 | 93 | # ================================
|
94 | 94 | #
|
95 |
| -# AUTH_TYPE indicates the method used to authenticate users. The username |
96 |
| -# is specified in the connection request. A different AUTH_TYPE can be |
97 |
| -# specified for each record in the file. |
98 |
| -# |
99 |
| -# trust: No authentication is done. Any valid username is accepted, |
| 95 | +# AUTH_TYPE indicates the method used to authenticate users. Each record |
| 96 | +# has an AUTH_TYPE. |
| 97 | +# |
| 98 | +# trust: |
| 99 | +# No authentication is done. Any valid username is accepted, |
100 | 100 | # including the PostgreSQL superuser. This option should
|
101 | 101 | # be used only for hosts where all users are trusted.
|
102 | 102 | #
|
103 |
| -# password: Authentication is done by matching a password supplied |
| 103 | +# password: |
| 104 | +# Authentication is done by matching a password supplied |
104 | 105 | # in clear by the host. If no AUTH_ARGUMENT is used, the
|
105 | 106 | # password is compared with the user's entry in the
|
106 | 107 | # pg_shadow table.
|
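Review bot: "It specifies hosts that required connection via secure SSL" is ungrammatical; suggest "It specifies hosts that are required to connect via SSL". The hunk also inserts two extra "#" lines before that sentence, giving three blank comment lines in a row under "The format of this record is identical to "host".", where one is enough. "Without this record, UNIX-socket connections are disallowed" is missing its full stop. The substance is right: "hostssl" is the stricter of the two types, and the text now makes clear that a plain "host" record still accepts SSL clients without requiring SSL.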
|
115 | 116 | # used in multiple records for easier administration.
|
116 | 117 | # Password files can be maintained with the pg_passwd(1)
|
117 | 118 | # utility. Remember, these passwords override pg_shadow
|
118 |
| -# passwords. |
119 |
| -# |
120 |
| -# md5: Same as "password", but the password is encrypted while |
121 |
| -# being sent over the network. This method is preferable to |
122 |
| -# "password" except for pre-7.2 clients that don't support it. |
123 |
| -# NOTE: md5 can use usernames stored in secondary password |
124 |
| -# files but ignores passwords stored there. The pg_shadow |
125 |
| -# password will always be used. |
126 |
| -# |
127 |
| -# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can |
| 119 | +# passwords. Also, such passwords are passed over the network |
| 120 | +# in cleartext, meaning this should not be used on untrusted |
| 121 | +# networks. |
| 122 | +# |
| 123 | +# md5: |
| 124 | +# Same as "password", except the password is encrypted over the |
| 125 | +# network. This method is preferable to "password" and "crypt" |
| 126 | +# except for pre-7.2 clients that don't support it. NOTE: md5 can |
| 127 | +# use usernames stored in secondary password files but ignores |
| 128 | +# passwords stored there. The pg_shadow password will always be |
| 129 | +# used. |
| 130 | +# |
| 131 | +# crypt: |
| 132 | +# Same as "md5", but uses crypt for pre-7.2 clients. You can |
128 | 133 | # not store encrypted passwords in pg_shadow if you use this
|
129 | 134 | # method.
|
130 | 135 | #
|
131 |
| -# ident: For TCP/IP connections, authentication is done by contacting |
132 |
| -# the ident server on the client host. Remember, this is |
133 |
| -# only as secure as the client machine. On machines that |
134 |
| -# support unix-domain socket credentials (currently Linux, |
135 |
| -# FreeBSD, NetBSD, and BSD/OS), this method also works for |
136 |
| -# "local" connections. |
137 |
| -# |
138 |
| -# AUTH_ARGUMENT is required: it determines how to map |
139 |
| -# remote user names to Postgres user names. The |
140 |
| -# AUTH_ARGUMENT is a map name found in the |
141 |
| -# $PGDATA/pg_ident.conf file. The connection is accepted |
142 |
| -# if that file contains an entry for this map name with |
143 |
| -# the ident-supplied username and the requested Postgres |
144 |
| -# username. The special map name "sameuser" indicates an |
145 |
| -# implied map (not in pg_ident.conf) that maps each ident |
146 |
| -# username to the identical PostgreSQL username. |
147 |
| -# |
148 |
| -# krb4: Kerberos V4 authentication is used. Allowed only for |
| 136 | +# ident: |
| 137 | +# For TCP/IP connections, authentication is done by contacting the |
| 138 | +# ident server on the client host. This is only as secure as the |
| 139 | +# client machine. On machines that support unix-domain socket |
| 140 | +# credentials (currently Linux, FreeBSD, NetBSD, and BSD/OS), this |
| 141 | +# method also works for "local" connections. |
| 142 | +# |
| 143 | +# AUTH_ARGUMENT is required. It determines how to map remote user |
| 144 | +# names to PostgreSQL user names. If you use "sameuser", the user |
| 145 | +# names are assumed to be the identical. If not, AUTH_ARGUMENT is |
| 146 | +# assumed to be a map name found in the $PGDATA/pg_ident.conf |
| 147 | +# file. The connection is accepted if that file contains an entry |
| 148 | +# for this map name with the ident-supplied username and the |
| 149 | +# requested PostgreSQL username. |
| 150 | +# |
| 151 | +# krb4: |
| 152 | +# Kerberos V4 authentication is used. Allowed only for |
149 | 153 | # TCP/IP connections, not for local UNIX-domain sockets.
|
150 | 154 | #
|
151 |
| -# krb5: Kerberos V5 authentication is used. Allowed only for |
| 155 | +# krb5: |
| 156 | +# Kerberos V5 authentication is used. Allowed only for |
152 | 157 | # TCP/IP connections, not for local UNIX-domain sockets.
|
153 | 158 | #
|
154 |
| -# pam: Authentication is passed off to PAM (PostgreSQL must be |
155 |
| -# configured --with-pam), using the default service name |
156 |
| -# "postgresql" - you can specify your own service name, by |
157 |
| -# setting AUTH_ARGUMENT to the desired service name. |
| 159 | +# pam: |
| 160 | +# Authentication is passed off to PAM (PostgreSQL must be |
| 161 | +# configured --with-pam), using the default service name |
| 162 | +# "postgresql" - you can specify your own service name by |
| 163 | +# setting AUTH_ARGUMENT to the desired service name. |
158 | 164 | #
|
159 |
| -# reject: Reject the connection. This is used to reject certain hosts |
| 165 | +# reject: |
| 166 | +# Reject the connection. This is used to reject certain hosts |
160 | 167 | # that are part of a network specified later in the file.
|
161 | 168 | # To be effective, "reject" must appear before the later
|
162 | 169 | # entries.
|
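Review bot: The new cleartext warning ("such passwords are passed over the network in cleartext, meaning this should not be used on untrusted networks") is attached to the paragraph about secondary password files, but it applies to the "password" method as a whole, with or without an AUTH_ARGUMENT file; move it up to follow "Authentication is done by matching a password supplied in clear by the host." so a reader of the basic description sees it, and point to "md5" as the preferred alternative in the same place. In the ident text, "the user names are assumed to be the identical" should be "assumed to be identical". Putting each AUTH_TYPE on its own header line is a good change, and "preferable to "password" and "crypt"" under md5 is a sensible addition.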
|
169 | 176 | #
|
170 | 177 | # Allow any user on the local system to connect to any database under any
|
171 | 178 | # username using Unix-domain sockets (the default for local connections):
|
| 179 | +# |
172 | 180 | # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
|
173 | 181 | # local all trust
|
174 | 182 | #
|
175 |
| -# The same using local loopback IP connections: |
| 183 | +# The same using local loopback TCP/IP connections: |
| 184 | +# |
176 | 185 | # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
|
177 | 186 | # host all 127.0.0.1 255.255.255.255 trust
|
178 | 187 | #
|
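Review bot: The column header "TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT" above the "local all trust" example lists two columns that, per this file's own "local" description ("there are no IP_ADDRESS and ADDRESS_MASK fields"), do not exist for that type. Since this hunk already adds a blank "#" line before each header, consider a local-specific header "TYPE DATABASE AUTH_TYPE AUTH_ARGUMENT" so a reader does not copy the layout and put an address into a local record. Changing "IP connections" to "TCP/IP connections" matches the terminology used elsewhere in the rewrite.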
|
191 | 200 | #
|
192 | 201 | # In the absence of preceding "host" lines, these two lines will reject
|
193 | 202 | # all connection from 192.168.54.1 (since that entry will be matched
|
194 |
| -# first), but allow Kerberos V5-validated connections from anywhere else |
195 |
| -# on the Internet. The zero mask means that no bits of the host IP address |
196 |
| -# are considered, so it matches any host: |
| 203 | +# first), but allow Kerberos V5 connections from anywhere else on the |
| 204 | +# Internet. The zero mask means that no bits of the host IP address are |
| 205 | +# considered, so it matches any host: |
197 | 206 | #
|
198 | 207 | #
|
199 | 208 | # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
|
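Review bot: "all connection from 192.168.54.1" in the unchanged context line just above the edit should be "all connections from"; the hunk already rewrites the rest of this sentence, so fix it in the same change. Dropping "-validated" from "Kerberos V5-validated connections" loses a nuance worth keeping: the second line does not simply allow connections from anywhere, it allows only those that pass Kerberos V5 authentication, which is what makes a zero-mask "any host" rule acceptable here. Suggest "allow connections from anywhere else on the Internet that authenticate via Kerberos V5".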
|
210 | 219 | # host all 192.168.0.0 255.255.0.0 ident phoenix
|
211 | 220 | #
|
212 | 221 | # If these are the only two lines for local connections, they will allow
|
213 |
| -# local users to connect only to their own databases (database named the |
214 |
| -# same as the user name), except for administrators who may connect to |
215 |
| -# all databases. The file $PGDATA/admins lists the user names who are |
216 |
| -# permitted to connect to all databases. Passwords are required in all |
217 |
| -# cases. (If you prefer to use ident authorization, an ident map can |
| 222 | +# local users to connect only to their own databases (databases with the |
| 223 | +# same name as their user name) except for administrators who may connect |
| 224 | +# to all databases. The file $PGDATA/admins lists the user names who are |
| 225 | +# permitted to connect to all databases. Passwords are required in all |
| 226 | +# cases. (If you prefer to use ident authorization, an ident map can |
218 | 227 | # serve a parallel purpose to the password list file used here.)
|
219 | 228 | #
|
220 | 229 | # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
|
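Review bot: "If you prefer to use ident authorization" should read "ident authentication"; the ident section of this same file describes it as authentication ("authentication is done by contacting the ident server on the client host"), and the map in pg_ident.conf then decides which PostgreSQL names an ident-identified user may take. The reworded "databases with the same name as their user name" is clearer than the old parenthesis, and the two example records ("ident phoenix" map and the $PGDATA/admins password list) are explained in an order that matches the first-match rule stated at the top of the file.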
|
228 | 237 | # Put your actual configuration here
|
229 | 238 | # ==================================
|
230 | 239 | #
|
231 |
| -# This default configuration allows any local user to connect with any |
232 |
| -# PostgreSQL username, over either UNIX domain sockets or IP. |
| 240 | +# The default configuration allows any local user to connect using any |
| 241 | +# PostgreSQL username, including the superuser, over either UNIX domain |
| 242 | +# sockets or TCP/IP. |
233 | 243 | #
|
234 |
| -# If you want to allow non-local connections, you will need to add more |
235 |
| -# "host" records. Also, remember IP connections are only enabled if you |
236 |
| -# start the postmaster with the -i option. |
| 244 | +# If you want to allow non-local connections, you need to add more "host" |
| 245 | +# records. Also, remember TCP/IP connections are only enabled if you |
| 246 | +# start the postmaster with the -i flag, or enable "tcpip_socket" in |
| 247 | +# $PGDATA/postgresql.conf. |
237 | 248 | #
|
238 | 249 | # CAUTION: if you are on a multiple-user machine, the default
|
239 | 250 | # configuration is probably too liberal for you. Change it to use
|
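Review bot: Adding "including the superuser" states the real exposure of the default "trust" configuration and should stay; to make it actionable, name the two records the reader must change (the "local all trust" and "host all 127.0.0.1 255.255.255.255 trust" examples shown earlier in this file), since the CAUTION paragraph that follows only says to change it. The new mention of "tcpip_socket" in $PGDATA/postgresql.conf is accurate, but say that enabling it has the same effect as starting with -i, i.e. the "host" records in this file start being consulted for network clients, so the file should be reviewed before that switch is turned on. Also, "-i flag" here and "-i option" elsewhere in the file should use one term.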
|