Authentication Methods in PostgreSQL

mapping between system and database user names. See <xref linkend="auth-username-maps"/> for details. </para> </listitem> </varlistentry> </variablelist> </para> <para> It is redundant to use the <literal>clientcert</literal> option with <literal>cert</literal> authentication because <literal>cert</literal> authentication is effectively <literal>trust</literal> authentication with <literal>clientcert=verify-full</literal>. </para> </sect1> <sect1 id="auth-pam"> <title>PAM Authentication</title> <indexterm zone="auth-pam"> <primary>PAM</primary> </indexterm> <para> This authentication method operates similarly to <literal>password</literal> except that it uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is <literal>postgresql</literal>. PAM is used only to validate user name/password pairs and optionally the connected remote host name or IP address. Therefore the user must already exist in the database before PAM can be used for authentication. For more information about PAM, please read the <ulink url="https://www.kernel.org/pub/linux/libs/pam/"> <productname>Linux-PAM</productname> Page</ulink>. </para> <para> The following configuration options are supported for PAM: <variablelist> <varlistentry> <term><literal>pamservice</literal></term> <listitem> <para> PAM service name. </para> </listitem> </varlistentry> <varlistentry> <term><literal>pam_use_hostname</literal></term> <listitem> <para> Determines whether the remote IP address or the host name is provided to PAM modules through the <symbol>PAM_RHOST</symbol> item. By default, the IP address is used. Set this option to 1 to use the resolved host name instead. Host name resolution can lead to login delays. (Most PAM configurations don't use this information, so it is only necessary to consider this setting if a PAM configuration was specifically created to make use of it.) </para> </listitem> </varlistentry> </variablelist> </para> <note> <para> If PAM is set up to read <filename>/etc/shadow</filename>, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue when PAM is configured to use LDAP or other authentication methods. </para> </note> </sect1> <sect1 id="auth-bsd"> <title>BSD Authentication</title> <indexterm zone="auth-bsd"> <primary>BSD Authentication</primary> </indexterm> <para> This authentication method operates similarly to <literal>password</literal> except that it uses BSD Authentication to verify the password. BSD Authentication is used only to validate user name/password pairs. Therefore the user's role must already exist in the database before BSD Authentication can be used for authentication. The BSD Authentication framework is currently only available on OpenBSD. </para> <para> BSD Authentication in <productname>PostgreSQL</productname> uses the <literal>auth-postgresql</literal> login type and authenticates with the <literal>postgresql</literal> login class if that's defined in <filename>login.conf</filename>. By default that login class does not exist, and <productname>PostgreSQL</productname> will use the default login class. </para> <note> <para> To use BSD Authentication, the PostgreSQL user account (that is, the operating system user running the server) must first be added to the <literal>auth</literal> group. The <literal>auth</literal> group exists by default on OpenBSD systems. </para> </note> </sect1> <sect1 id="auth-oauth"> <title>OAuth Authorization/Authentication</title> <indexterm

This section describes various authentication methods in PostgreSQL, including PAM, BSD Authentication, and OAuth, explaining their configuration options, usage, and requirements, such as PAM service names, BSD login classes, and OAuth authorization flows, to validate user name/password pairs and authenticate database users.