| # PostgreSQL Client Authentication Configuration File | |
| # =================================================== | |
| # | |
| # Refer to the "Client Authentication" section in the PostgreSQL | |
| # documentation for a complete description of this file. A short | |
| # synopsis follows. | |
| # | |
| # This file controls: which hosts are allowed to connect, how clients | |
| # are authenticated, which PostgreSQL user names they can use, which | |
| # databases they can access. Records take one of these forms: | |
| # | |
| # local DATABASE USER METHOD [OPTIONS] | |
| # host DATABASE USER ADDRESS METHOD [OPTIONS] | |
| # hostssl DATABASE USER ADDRESS METHOD [OPTIONS] | |
| # hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] | |
| # hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] | |
| # hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] | |
| # | |
| # (The uppercase items must be replaced by actual values.) | |
| # | |
| # The first field is the connection type: | |
| # - "local" is a Unix-domain socket | |
| # - "host" is a TCP/IP socket (encrypted or not) | |
| # - "hostssl" is a TCP/IP socket that is SSL-encrypted | |
| # - "hostnossl" is a TCP/IP socket that is not SSL-encrypted | |
| # - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted | |
| # - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted | |
| # | |
| # DATABASE can be "all", "sameuser", "samerole", "replication", a | |
| # database name, or a comma-separated list thereof. The "all" | |
| # keyword does not match "replication". Access to replication | |
| # must be enabled in a separate record (see example below). | |
| # | |
| # USER can be "all", a user name, a group name prefixed with "+", or a | |
| # comma-separated list thereof. In both the DATABASE and USER fields | |
| # you can also write a file name prefixed with "@" to include names | |
| # from a separate file. | |
| # | |
| # ADDRESS specifies the set of hosts the record matches. It can be a | |
| # host name, or it is made up of an IP address and a CIDR mask that is | |
| # an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that | |
| # specifies the number of significant bits in the mask. A host name | |
| # that starts with a dot (.) matches a suffix of the actual host name. | |
| # Alternatively, you can write an IP address and netmask in separate | |
| # columns to specify the set of hosts. Instead of a CIDR-address, you | |
| # can write "samehost" to match any of the server's own IP addresses, | |
| # or "samenet" to match any address in any subnet that the server is | |
| # directly connected to. | |
| # | |
| # METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", | |
| # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". | |
| # Note that "password" sends passwords in clear text; "md5" or | |
| # "scram-sha-256" are preferred since they send encrypted passwords. | |
| # | |
| # OPTIONS are a set of options for the authentication in the format | |
| # NAME=VALUE. The available options depend on the different | |
| # authentication methods -- refer to the "Client Authentication" | |
| # section in the documentation for a list of which options are | |
| # available for which authentication methods. | |
| # | |
| # Database and user names containing spaces, commas, quotes and other | |
| # special characters must be quoted. Quoting one of the keywords | |
| # "all", "sameuser", "samerole" or "replication" makes the name lose | |
| # its special character, and just match a database or username with | |
| # that name. | |
| # | |
| # This file is read on server startup and when the server receives a | |
| # SIGHUP signal. If you edit the file on a running system, you have to | |
| # SIGHUP the server for the changes to take effect, run "pg_ctl reload", | |
| # or execute "SELECT pg_reload_conf()". | |
| # | |
| # Put your actual configuration here | |
| # ---------------------------------- | |
| # | |
| # If you want to allow non-local connections, you need to add more | |
| # "host" records. In that case you will also need to make PostgreSQL | |
| # listen on a non-local interface via the listen_addresses | |
| # configuration parameter, or via the -i or -h command line switches. | |
| # CAUTION: Configuring the system for local "trust" authentication | |
| # allows any local user to connect as any PostgreSQL user, including | |
| # the database superuser. If you do not trust all your local users, | |
| # use another authentication method. | |
| # TYPE DATABASE USER ADDRESS METHOD | |
| # "local" is for Unix domain socket connections only | |
| local all all trust | |
| # IPv4 local connections: | |
| host all all 127.0.0.1/32 trust | |
| # IPv6 local connections: | |
| host all all ::1/128 trust | |
| # Allow replication connections from localhost, by a user with the | |
| # replication privilege. | |
| local replication all trust | |
| host replication all 127.0.0.1/32 trust | |
| host replication all ::1/128 trust | |
| host all all all scram-sha-256 | |