@ -1,5 +1,5 @@
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.65 2004/03/23 01:23:48 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.66 2004/08/26 16:50:05 momjian Exp $
--> -->
<chapter id="client-authentication"> <chapter id="client-authentication">
@ -86,12 +86,12 @@ $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.65 2004/03/23 01:23:48 tgl
A record may have one of the seven formats A record may have one of the seven formats
<synopsis> <synopsis>
local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional> hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable>/<replaceable>IP-masklen</replaceable> <replaceable>authentication-method</replaceable> <optional><replaceable>authentication-option</replaceable></optional>
</synopsis> </synopsis>
The meaning of the fields is as follows: The meaning of the fields is as follows:
@ -196,19 +196,23 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>IP-address</replaceable></term> <term><replaceable>CIDR-address</replaceable></term>
<term><replaceable>IP-mask</replaceable></term>
<listitem> <listitem>
<para> <para>
These two fields contain IP address and mask values in standard specifies the client machine IP addresses that this record
dotted decimal notation. (IP addresses can only be specified matches. It contains an IP address in standard dotted decimal
numerically, not as domain or host names.) Taken together they notation and a CIDR mask length. (IP addresses can only be
specify the client machine IP addresses that this record specified numerically, not as domain or host names.) For example,
matches. The precise logic is that an IPv4 CIDR mask of 8 is equivalent to an IP mask of 255.0.0.0,
<programlisting> an IPv6 CIDR mask of 64 is equivalent to an IP mask of
(<replaceable>actual-IP-address</replaceable> xor <replaceable>IP-address-field</replaceable>) and <replaceable>IP-mask-field</replaceable> ffff:ffff:ffff:ffff::. A IPv4 CIDR mask of 32 is used for single
</programlisting> hosts.
must be zero for the record to match. </para>
<para>
A typical CIDR address is <literal>172.20.143.89/32</literal>.
There should be no white space between the IP address, the
<literal>/</literal>, and the CIDR mask length.
</para> </para>
<para> <para>
@ -229,26 +233,17 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>IP-address</replaceable></term>
<term><replaceable>IP-masklen</replaceable></term> <term><replaceable>IP-masklen</replaceable></term>
<listitem> <listitem>
<para> <para>
This field may be used as an alternative to the This may be used as an alternative to the
<replaceable>IP-mask</replaceable> notation. It is an integer <replaceable>CIDR-address</replaceable> notation. Instead of
specifying the number of high-order bits to set in the mask. specifying the mask length, the actual mask is specified in a
The number must be between 0 and 32 (in the case of an IPv4 separate column. For example, 255.0.0.0 represents a IPv4 CIDR
address) or 128 (in the case of an IPv6 address) inclusive. 0 mask length of 8, and 255.255.255.255 represents a CIDR mask
will match any address, while 32 (or 128, respectively) will length of 32. The same matching logic is used as for a dotted
match only the exact host specified. The same matching logic notation <replaceable>IP-mask</replaceable>.
is used as for a dotted notation
<replaceable>IP-mask</replaceable>.
</para>
<para>
There must be no white space between the
<replaceable>IP-address</replaceable> and the
<literal>/</literal> or the <literal>/</literal> and the
<replaceable>IP-masklen</replaceable>, or the file will not be
parsed correctly.
</para> </para>
<para> <para>
@ -458,36 +453,36 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
# any user name using Unix-domain sockets (the default for local # any user name using Unix-domain sockets (the default for local
# connections). # connections).
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
local all all trust local all all trust
# The same using local loopback TCP/IP connections. # The same using local loopback TCP/IP connections.
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 127.0.0.1 255.255.255.255 trust host all all 127.0.0.1/32 trust
# The same as the last line but using a CIDR mask # The same as the last line but using a separate netmask column
# #
# TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 127.0.0.1/32 trust host all all 127.0.0.1 255.255.255.255 trust
# Allow any user from any host with IP address 192.168.93.x to connect # Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for # to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name). # the connection (typically the Unix user name).
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host template1 all 192.168.93.0 255.255.255.0 ident sameuser host template1 all 192.168.93.0/24 ident sameuser
# The same as the last line but using a CIDR mask # The same as the last line but using a separate netmask column
# #
# TYPE DATABASE USER IP-ADDRESS/CIDR-mask METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host template1 all 192.168.93.0/24 ident sameuser host template1 all 192.168.93.0 255.255.255.0 ident sameuser
# Allow a user from host 192.168.12.10 to connect to database # Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password is correctly supplied. # "template1" if the user's password is correctly supplied.
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host template1 all 192.168.12.10 255.255.255.255 md5 host template1 all 192.168.12.10/32 md5
# In the absence of preceding "host" lines, these two lines will # In the absence of preceding "host" lines, these two lines will
# reject all connection from 192.168.54.1 (since that entry will be # reject all connection from 192.168.54.1 (since that entry will be
@ -495,9 +490,9 @@ host template1 all 192.168.12.10 255.255.255.255 md5
# on the Internet. The zero mask means that no bits of the host IP # on the Internet. The zero mask means that no bits of the host IP
# address are considered so it matches any host. # address are considered so it matches any host.
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 192.168.54.1 255.255.255.255 reject host all all 192.168.54.1/32 reject
host all all 0.0.0.0 0.0.0.0 krb5 host all all 0.0.0.0/0 krb5
# Allow users from 192.168.x.x hosts to connect to any database, if # Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is # they pass the ident check. If, for example, ident says the user is
@ -505,8 +500,8 @@ host all all 0.0.0.0 0.0.0.0 krb5
# connection is allowed if there is an entry in pg_ident.conf for map # connection is allowed if there is an entry in pg_ident.conf for map
# "omicron" that says "bryanh" is allowed to connect as "guest1". # "omicron" that says "bryanh" is allowed to connect as "guest1".
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 192.168.0.0 255.255.0.0 ident omicron host all all 192.168.0.0/16 ident omicron
# If these are the only three lines for local connections, they will # If these are the only three lines for local connections, they will
# allow local users to connect only to their own databases (databases # allow local users to connect only to their own databases (databases
@ -515,7 +510,7 @@ host all all 192.168.0.0 255.255.0.0 ident omicro
# $PGDATA/admins contains a list of user names. Passwords are required in # $PGDATA/admins contains a list of user names. Passwords are required in
# all cases. # all cases.
# #
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD # TYPE DATABASE USER CIDR-ADDRESS METHOD
local sameuser all md5 local sameuser all md5
local all @admins md5 local all @admins md5
local all +support md5 local all +support md5
@ -959,3 +954,4 @@ FATAL: database "testdb" does not exist
</sect1> </sect1>
</chapter> </chapter>
Bruce Momjian
21 years ago