1# PostgreSQL Client Authentication Configuration File 2# =================================================== 3# 4# Refer to the "Client Authentication" section in the PostgreSQL 5# documentation for a complete description of this file. A short 6# synopsis follows. 7# 8# This file controls: which hosts are allowed to connect, how clients 9# are authenticated, which PostgreSQL user names they can use, which 10# databases they can access. Records take one of these forms: 11# 12# local DATABASE USER METHOD [OPTIONS] 13# host DATABASE USER ADDRESS METHOD [OPTIONS] 14# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] 15# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] 16# 17# (The uppercase items must be replaced by actual values.) 18# 19# The first field is the connection type: "local" is a Unix-domain 20# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, 21# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a 22# plain TCP/IP socket. 23# 24# DATABASE can be "all", "sameuser", "samerole", "replication", a 25# database name, or a comma-separated list thereof. The "all" 26# keyword does not match "replication". Access to replication 27# must be enabled in a separate record (see example below). 28# 29# USER can be "all", a user name, a group name prefixed with "+", or a 30# comma-separated list thereof. In both the DATABASE and USER fields 31# you can also write a file name prefixed with "@" to include names 32# from a separate file. 33# 34# ADDRESS specifies the set of hosts the record matches. It can be a 35# host name, or it is made up of an IP address and a CIDR mask that is 36# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that 37# specifies the number of significant bits in the mask. A host name 38# that starts with a dot (.) matches a suffix of the actual host name. 39# Alternatively, you can write an IP address and netmask in separate 40# columns to specify the set of hosts. Instead of a CIDR-address, you 41# can write "samehost" to match any of the server's own IP addresses, 42# or "samenet" to match any address in any subnet that the server is 43# directly connected to. 44# 45# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", 46# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". 47# Note that "password" sends passwords in clear text; "md5" or 48# "scram-sha-256" are preferred since they send encrypted passwords. 49# 50# OPTIONS are a set of options for the authentication in the format 51# NAME=VALUE. The available options depend on the different 52# authentication methods -- refer to the "Client Authentication" 53# section in the documentation for a list of which options are 54# available for which authentication methods. 55# 56# Database and user names containing spaces, commas, quotes and other 57# special characters must be quoted. Quoting one of the keywords 58# "all", "sameuser", "samerole" or "replication" makes the name lose 59# its special character, and just match a database or username with 60# that name. 61# 62# This file is read on server startup and when the server receives a 63# SIGHUP signal. If you edit the file on a running system, you have to 64# SIGHUP the server for the changes to take effect, run "pg_ctl reload", 65# or execute "SELECT pg_reload_conf()". 66# 67# Put your actual configuration here 68# ---------------------------------- 69# 70# If you want to allow non-local connections, you need to add more 71# "host" records. In that case you will also need to make PostgreSQL 72# listen on a non-local interface via the listen_addresses 73# configuration parameter, or via the -i or -h command line switches. 74 75@authcomment@ 76 77# TYPE DATABASE USER ADDRESS METHOD 78 79@remove-line-for-nolocal@# "local" is for Unix domain socket connections only 80@remove-line-for-nolocal@local all all @authmethodlocal@ 81# IPv4 local connections: 82host all all 127.0.0.1/32 @authmethodhost@ 83# IPv6 local connections: 84host all all ::1/128 @authmethodhost@ 85# Allow replication connections from localhost, by a user with the 86# replication privilege. 87@remove-line-for-nolocal@local replication all @authmethodlocal@ 88host replication all 127.0.0.1/32 @authmethodhost@ 89host replication all ::1/128 @authmethodhost@ 90