PostgreSQL offers a number of different
- client authentication methods. The method to be used can be selected
- on the basis of (client) host, database, and user.
+ client authentication methods. The method used to authenticate a
+ particular client connection can be selected on the basis of
+ (client) host address, database, and user.
pg_hba.conf in the data directory, e.g.,
/usr/local/pgsql/data/pg_hba.conf.
(
HBA stands for host-based authentication.) A default- pg_hba.conf file is installed when the data area
- is initialized by initdb.
+ pg_hba.conf file is installed when the data
+ directory is initialized by initdb.
enabled with the
setting when the server is started. (Note: host
records will match either SSL or non-SSL connection attempts, but
- hostssl records requires SSL connections.)
+ hostssl records require SSL connections.)
trust
- The connection is allowed unconditionally. This method allows
- any user that has login access to the client host to connect as
- any
PostgreSQL user whatsoever.
+ The connection is allowed unconditionally. This method
+ allows anyone that can connect to the
+
PostgreSQL database to login as
+ any
PostgreSQL user they like,
+ without the need for a password.
Requires the client to supply an MD5 encrypted password for
authentication. This is the only method that allows encrypted
- passwords to be stored in pg_shadow.
+ passwords to be stored in pg_shadow.
For TCP/IP connections, authentication is done by contacting
- the ident server on the client host.
- This is only as secure as the client machine. You must specify
- the map name after the 'ident' keyword. It determines how to
- map remote user names to PostgreSQL user names. If you use
+ the ident server on the client
+ host. This is only as secure as the client machine. You must
+ specify the map name after the 'ident' keyword. It
+ determines how to map remote user names to
+
PostgreSQL user names. If you use
"sameuser", the user names are assumed to be identical. If
not, the map name is looked up in the $PGDATA/pg_ident.conf
file. The connection is accepted if that file contains an
- entry for this map name with the ident-supplied user name and
- the requested PostgreSQL user name.
+ entry for this map name with the ident-supplied user name
+ and the requested
PostgreSQL user
+ name.
On machines that support unix-domain socket credentials
postgresql. You can optionally supply you
own service name after the pam keyword in the
file. For more information about PAM, please read the
- url="http://www.kernel.org/pub/linux/libs/pam/">
L-
inux-PAM Page and the
+ url="http://www.kernel.org/pub/linux/libs/pam/">
Linux-PAM+ Page and the
url="http://www.sun.com/software/solaris/pam/">
class="osname">Solaris PAM Page.
projects / postgresql.git / commitdiff