Chapter 2. Client Authentication

When a client application connects to the database server, it specifies which PostgreSQL user name it wants to connect as, much the same way one logs into Linux as a particular user. Within the SQL environment, the active database user name determines access privileges to database objects. It is therefore essential to restrict which database user names a given client can connect as.

Authentication is the process by which the database server establishes the identity of the client, and by extension determines whether the client application (or the user who runs the client application) is permitted to connect with the user name that was requested.

PostgreSQL offers client authentication by (client) host and by database, with a number of different authentication methods available.

PostgreSQL database user names are logically separate from user names of the operating system in which the server runs. If all the users of a particular server also have accounts on the server's machine, it makes sense to assign database user names that match their Linux user names. However, a server that accepts remote connections may have many users who have no local account, and in such cases there need be no connection between database usernames and Linux usernames.

The pg_hba.conf File

Client authentication is controlled by the file pg_hba.conf in the PGDATA directory, for example, /usr/local/pgsql/data/pg_hba.conf. (HBA stands for host-based authentication.) A default pg_hba.conf file is installed when the data area is initialized by initdb.

The general format of the pg_hba.conf file is of a set of records, one per line. Blank lines and lines beginning with a hash character ("#") are ignored. A record is made up of a number of fields which are separated by spaces and/or tabs. Records cannot be continued across lines.

A record can have one of the three formats:
local   database authentication-method [ authentication-option ]
host    database IP-address IP-mask authentication-method [ authentication-option ]
hostssl database IP-address IP-mask authentication-method [ authentication-option ]
    
The meaning of the fields is as follows:

local

This record pertains to connection attempts over UNIX domain sockets.

host

This record pertains to connection attempts over TCP/IP networks. Note that TCP/IP connections are completely disabled unless the server is started with the -i switch or the equivalent configuration parameter is set.

hostssl

This record pertains to connection attempts with SSL over TCP/IP. To make use of this option the server must be built with SSL support enabled. Furthermore, SSL must be enabled with the -l option or equivalent configuration setting when the server is started.

database

Specifies the database that this record applies to. The value all specifies that it applies to all databases, while the value sameuser identifies the database with the same name as the connecting user. Otherwise, this is the name of a specific PostgreSQL database.

IP address, IP mask

These two fields control to which hosts a host record applies, based on their IP address. The precise logic is that

(actual-IP-address xor IP-address-field) and IP-mask-field

must be zero for the record to match.

authentication method

Specifies the method that users must use to authenticate themselves when connecting to that database. The possible choices follow, details are in "Authentication Methods".

trust

The connection is allowed unconditionally. This method allows any user that has login access to the client host to connect as any PostgreSQL user whatsoever.

reject

The connection is rejected unconditionally. This is mostly useful to "filter out" certain hosts from a group.

password

The client is required to supply a password with the connection attempt which is required to match the password that was set up for the user.

An optional file name may be specified after the password keyword. This file is expected to contain a list of users that this record pertains to, and optionally alternative passwords.

The password is sent over the wire in clear text. For better protection, use the crypt method.

crypt

Similar to the password method, but the password is sent over the wire encrypted using a simple challenge-response protocol. This is still not cryptographically secure but it protects against incidental wire-sniffing. The name of a file may follow the crypt keyword that contains a list of users that this record pertains to.

krb4

Kerberos V4 is used to authenticate the user. This is available only for TCP/IP connections.

krb5

Kerberos V5 is used to authenticate the user. This is available only for TCP/IP connections.

ident

The ident server on the client host is asked for the identity of the connecting user. PostgreSQL then verifies whether the so identified operating system user is allowed to connect as the database user that is requested. This is available only for TCP/IP connections. The authentication option following the ident keyword specifies the name of an ident map that specifies which operating system users equate with which database users. See below for details.

authentication option

This field is interpreted differently depending on the authentication method, as described there.

The first record that matches a connection attempt's client IP address and requested database name is used to perform the authentication step. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, the following records are not considered. If no record matches, the access is denied.

The pg_hba.conf file is re-read during each connection attempt. It is therefore trivial to modify access permissions while the server is running: just edit the file.

An example of a pg_hba.conf file is shown below. See "Authentication Methods" for details on the different authentication methods.

Example 2-1. An example pg_hba.conf File

# TYPE   DATABASE   IP_ADDRESS   MASK     AUTHTYPE  MAP

# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:

host    all   127.0.0.1   255.255.255.255  trust     

# The same, over UNIX-socket connections:

local      all                             trust

# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that 
# ident on that host identifies him as (typically his UNIX 
# username):

host  template1  192.168.93.0  255.255.255.0  ident  sameuser

# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user's password in pg_shadow is correctly
# supplied:

host  template1  192.168.12.10 255.255.255.255    crypt

# In the absence of preceding "host" lines, these two lines
# will reject all connection attempts from 192.168.54.1 (since
# that entry will be matched first), but allow Kerberos
# V5-validated connections from anywhere else on the Internet.
# The zero mask means that no bits of the host IP
# address are considered, so it matches any host:

host      all     192.168.54.1   255.255.255.255    reject
host      all     0.0.0.0        0.0.0.0            krb5

# Allow users from 192.168.x.x hosts to connect to any database,
# if they pass the ident check.  If, for example, ident says the
# user is "bryanh" and he requests to connect as PostgreSQL
# user "guest1", the connection is allowed if there is an entry
# in pg_ident.conf for map "omicron" that says "bryanh" is
# allowed to connect as "guest1":

host     all     192.168.0.0    255.255.0.0   ident    omicron