1# PostgreSQL Client Authentication Configuration File 2# =================================================== 3# 4# Refer to the "Client Authentication" section in the PostgreSQL 5# documentation for a complete description of this file. A short 6# synopsis follows. 7# 8# This file controls: which hosts are allowed to connect, how clients 9# are authenticated, which PostgreSQL user names they can use, which 10# databases they can access. Records take one of these forms: 11# 12# local DATABASE USER METHOD [OPTIONS] 13# host DATABASE USER ADDRESS METHOD [OPTIONS] 14# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] 15# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] 16# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] 17# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] 18# 19# (The uppercase items must be replaced by actual values.) 20# 21# The first field is the connection type: "local" is a Unix-domain 22# socket, "host" is either a plain or SSL-encrypted TCP/IP socket, 23# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a 24# non-SSL TCP/IP socket. Similarly, "hostgssenc" uses a 25# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a 26# non-GSSAPI socket. 27# 28# DATABASE can be "all", "sameuser", "samerole", "replication", a 29# database name, or a comma-separated list thereof. The "all" 30# keyword does not match "replication". Access to replication 31# must be enabled in a separate record (see example below). 32# 33# USER can be "all", a user name, a group name prefixed with "+", or a 34# comma-separated list thereof. In both the DATABASE and USER fields 35# you can also write a file name prefixed with "@" to include names 36# from a separate file. 37# 38# ADDRESS specifies the set of hosts the record matches. It can be a 39# host name, or it is made up of an IP address and a CIDR mask that is 40# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that 41# specifies the number of significant bits in the mask. A host name 42# that starts with a dot (.) matches a suffix of the actual host name. 43# Alternatively, you can write an IP address and netmask in separate 44# columns to specify the set of hosts. Instead of a CIDR-address, you 45# can write "samehost" to match any of the server's own IP addresses, 46# or "samenet" to match any address in any subnet that the server is 47# directly connected to. 48# 49# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", 50# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". 51# Note that "password" sends passwords in clear text; "md5" or 52# "scram-sha-256" are preferred since they send encrypted passwords. 53# 54# OPTIONS are a set of options for the authentication in the format 55# NAME=VALUE. The available options depend on the different 56# authentication methods -- refer to the "Client Authentication" 57# section in the documentation for a list of which options are 58# available for which authentication methods. 59# 60# Database and user names containing spaces, commas, quotes and other 61# special characters must be quoted. Quoting one of the keywords 62# "all", "sameuser", "samerole" or "replication" makes the name lose 63# its special character, and just match a database or username with 64# that name. 65# 66# This file is read on server startup and when the server receives a 67# SIGHUP signal. If you edit the file on a running system, you have to 68# SIGHUP the server for the changes to take effect, run "pg_ctl reload", 69# or execute "SELECT pg_reload_conf()". 70# 71# Put your actual configuration here 72# ---------------------------------- 73# 74# If you want to allow non-local connections, you need to add more 75# "host" records. In that case you will also need to make PostgreSQL 76# listen on a non-local interface via the listen_addresses 77# configuration parameter, or via the -i or -h command line switches. 78 79@authcomment@ 80 81# TYPE DATABASE USER ADDRESS METHOD 82 83@remove-line-for-nolocal@# "local" is for Unix domain socket connections only 84@remove-line-for-nolocal@local all all @authmethodlocal@ 85# IPv4 local connections: 86host all all 127.0.0.1/32 @authmethodhost@ 87# IPv6 local connections: 88host all all ::1/128 @authmethodhost@ 89# Allow replication connections from localhost, by a user with the 90# replication privilege. 91@remove-line-for-nolocal@local replication all @authmethodlocal@ 92host replication all 127.0.0.1/32 @authmethodhost@ 93host replication all ::1/128 @authmethodhost@ 94