pg_hba.conf configuration file

Sep 8, 2007 10:56 GMT

In PostgreSQL, client authentication is controlled by a configuration file stored in the data directory of the database cluster. The file is named pg_hba.conf and is installed when the data directory is initialized by initdb. By default the file is a set of rules (records), one per line. Blank lines are ignored, as is any text after the # comment character. A record is made up of a number of fields separated by spaces and/or tabs. A field can contain white space if the field value is quoted. Records cannot be continued across lines.

A record may have one of the following formats:

local database user auth-method [auth-option]

host database user CIDR-address auth-method [auth-option]

hostssl database user CIDR-address auth-method [auth-option]

hostnossl database user CIDR-address auth-method [auth-option]

host database user IP-address IP-mask auth-method [auth-option]

hostssl database user IP-address IP-mask auth-method [auth-option]

hostnossl database user IP-address IP-mask auth-method [auth-option]

As you can see, a record specifies the following:

- local - matches connections made over UNIX-domain sockets; without a record of this kind, all UNIX-domain socket connections will be rejected
- host - matches TCP/IP connections, whether or not they use SSL
- hostssl - matches only TCP/IP connections that are encrypted with SSL
- hostnossl - matches only TCP/IP connections that are not encrypted with SSL
- database - the database name; the value all matches all databases
- user - the database user name; the value all matches all user names
- CIDR-address - the range of client IP addresses the record applies to. For example, use 192.168.230.5/32 for a single host, 192.168.230.0/24 for a small network and 10.5.10.0/16 for a larger network
- auth-method - the authentication method for the connection. Use trust to permit connections unconditionally, reject to disallow all connections, md5 to require an MD5-hashed password from the client, and password to require a password sent unencrypted (in clear text)
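As an added example (not part of the original article, and not PostgreSQL's own code), the following Python script parses pg_hba.conf records in the format described above, resolves which record applies to a given connection using PostgreSQL's first-match rule, and flags the two weak settings just described: trust reachable over the network, and password on records that do not require SSL. The sample configuration embedded in the script is constructed for the example; the helper names parse_pg_hba, match_connection and audit are this example's own. It models only the fields the article lists (comma lists, +group and @file forms are not handled).

```python
import ipaddress
import shlex

CONNECTION_TYPES = ("local", "host", "hostssl", "hostnossl")

# Constructed sample configuration (not from any real server). The trust and
# password records near the bottom are the weak settings the audit flags.
SAMPLE_PG_HBA = """
# TYPE    DATABASE    USER       ADDRESS                 METHOD
local     all         all                                md5
host      all         all        127.0.0.1/32            md5
host      "my app"    appuser    192.168.230.0/24        md5   # quoted field with a space
host      all         all        10.5.10.0 255.255.0.0   trust
hostnossl all         all        0.0.0.0/0               password
"""


def parse_pg_hba(text):
    """Turn pg_hba.conf text into a list of rule dicts, in file order.

    Blank lines and '#' comments are skipped, fields are split on whitespace,
    and a double-quoted field may contain spaces. Both the CIDR-address form
    and the separate IP-address / IP-mask form are accepted for host records.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        kind = fields[0]
        if kind not in CONNECTION_TYPES:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
        if kind == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: local record needs database, user, auth-method")
            database, user, network, rest = fields[1], fields[2], None, fields[3:]
        elif len(fields) >= 5 and "/" in fields[3]:
            database, user = fields[1], fields[2]
            network, rest = ipaddress.ip_network(fields[3], strict=False), fields[4:]
        elif len(fields) >= 6:
            database, user = fields[1], fields[2]
            # IP-address followed by IP-mask: join them into address/netmask form
            network = ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
            rest = fields[5:]
        else:
            raise ValueError(f"line {lineno}: incomplete host record")
        rules.append({"line": lineno, "type": kind, "database": database, "user": user,
                      "network": network, "method": rest[0], "options": rest[1:]})
    return rules


def match_connection(rules, kind, database, user, address=None, ssl=False):
    """Return the first record that applies to a connection, or None if none does.

    PostgreSQL reads pg_hba.conf top to bottom and stops at the first record
    whose type, database, user and address all match; that record's auth-method
    decides the outcome, and a failed authentication does not fall through.
    kind is "local" for a UNIX-domain socket connection or "host" for TCP/IP.
    """
    client = ipaddress.ip_address(address) if address else None
    for rule in rules:
        if kind == "local":
            if rule["type"] != "local":
                continue
        else:
            if rule["type"] == "local":
                continue
            if rule["type"] == "hostssl" and not ssl:
                continue
            if rule["type"] == "hostnossl" and ssl:
                continue
            if client is None or client not in rule["network"]:
                continue
        # "all" matches any name; otherwise the name must match exactly
        if rule["database"] not in ("all", database):
            continue
        if rule["user"] not in ("all", user):
            continue
        return rule
    return None


def audit(rules):
    """List the weak settings a reviewer looks for: 'trust' reachable over the
    network (no password at all) and clear-text 'password' on records that do
    not require SSL."""
    findings = []
    for rule in rules:
        where = f"line {rule['line']}"
        if rule["method"] == "trust" and rule["type"] != "local":
            findings.append(f"{where}: trust for {rule['network']} admits any client in that "
                            f"range as '{rule['user']}' without a password")
        if rule["method"] == "password" and rule["type"] in ("host", "hostnossl"):
            findings.append(f"{where}: password sends clear-text passwords on a record "
                            f"that does not require SSL")
    return findings


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    hit = match_connection(rules, "host", "my app", "appuser", "192.168.230.5")
    print(f"192.168.230.5 -> line {hit['line']} ({hit['method']})")
    for finding in audit(rules):
        print("WARNING", finding)
```

The order of records matters: because the trust record for 10.5.0.0/16 comes before the catch-all, a client in that range is admitted without a password even though a stricter record could have matched it later; tightening a file like this means narrowing the CIDR-address of such records or replacing trust with md5, not appending rules at the end.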