postgresql

12th chunk of `doc/src/sgml/client-auth.sgml`
 rules, i.e., numbers before letters, and uppercase letters
       before lowercase ones).
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>

  <para>
   Files included by <literal>@</literal> constructs are read as lists of names,
   which can be separated by either whitespace or commas.  Comments are
   introduced by <literal>#</literal>, just as in
   <filename>pg_hba.conf</filename>, and nested <literal>@</literal> constructs are
   allowed.  Unless the file name following <literal>@</literal> is an absolute
   path, it is taken to be relative to the directory containing the
   referencing file.
  </para>

  <para>
   Since the <filename>pg_hba.conf</filename> records are examined
   sequentially for each connection attempt, the order of the records is
   significant. Typically, earlier records will have tight connection
   match parameters and weaker authentication methods, while later
   records will have looser match parameters and stronger authentication
   methods. For example, one might wish to use <literal>trust</literal>
   authentication for local TCP/IP connections but require a password for
   remote TCP/IP connections. In this case a record specifying
   <literal>trust</literal> authentication for connections from 127.0.0.1 would
   appear before a record specifying password authentication for a wider
   range of allowed client IP addresses.
  </para>
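  <para>
   The following Python script is an added example for this page (it is not
   PostgreSQL's own <filename>hba.c</filename> and not part of this
   documentation) that models both mechanisms just described: the expansion of
   <literal>@</literal> include files and the first-match scan over the
   records. The file contents, their paths and the client connections are
   constructed for the example and live in an in-memory dictionary, and the
   evaluator covers only the subset of the syntax listed in its docstring.
  </para>

```python
"""First-match evaluator for a subset of pg_hba.conf (added example for this
page, not PostgreSQL's hba.c). Handles local/host/hostssl/hostnossl records,
the keyword all, "/regex" names, CIDR or IP-ADDRESS IP-MASK columns and nested
@file includes; not host names, +role, sameuser, replication, quoted keywords
or the options column."""
import ipaddress, posixpath, re

# Constructed in-memory files so the example runs offline; nothing is read from disk.
FILES = {
    "/etc/postgresql/pg_hba.conf": r"""# TYPE  DATABASE        USER    ADDRESS             METHOD
local   all             all                         peer
host    all             all     127.0.0.1/32        trust
host    all             @dbas   10.0.0.0 255.0.0.0  scram-sha-256
host    "/^db\d{2,4}$"  all     192.168.93.0/24     scram-sha-256
host    all             all     0.0.0.0/0           reject
""",
    "/etc/postgresql/dbas": "alice, bob   # primary DBAs\n@oncall/dbas\n",
    "/etc/postgresql/oncall/dbas": "carol\n",
    # Same rules, but the catch-all moved to the top and weakened to trust.
    "/etc/postgresql/misordered.conf": r"""host    all     all     0.0.0.0/0   trust
host    all     @dbas   10.0.0.0/8  scram-sha-256
""",
}

def fields(line):
    """Tokenize like hba.c: fields end at unquoted whitespace, names in a field at
    unquoted commas (a comma continues the field past whitespace), "..." protects
    spaces and commas (so {2,4} in a regex survives), and # starts a comment."""
    out, field, tok, quoted, more = [], [], "", False, False
    for c in line + "\n":
        if c == '"':
            quoted = not quoted
        elif quoted:
            tok += c
        elif c == ",":
            field.append(tok); tok, more = "", True
        elif c in " \t\n#":
            if tok:
                field.append(tok); tok, more = "", False
            if field and not more:
                out.append(field); field = []
            if c == "#":
                break
        else:
            tok += c
    if field:
        out.append(field)
    return [[n for n in f if n] for f in out]

def expand(names, base_dir):
    """Replace @file names by the names the file lists (whitespace or comma
    separated, # comments, nested @ allowed, relative to the including file)."""
    out = []
    for name in names:
        if not name.startswith("@"):
            out.append(name)
            continue
        path = posixpath.normpath(posixpath.join(base_dir, name[1:]))
        for line in FILES[path].splitlines():
            for field in fields(line):
                out += expand(field, posixpath.dirname(path))
    return out

def parse(path):
    """Return a file's records in file order, with @ names expanded."""
    base, records = posixpath.dirname(path), []
    for lineno, line in enumerate(FILES[path].splitlines(), 1):
        f = fields(line)
        if not f:
            continue                                  # blank or comment-only line
        rtype, db, user, rest, net = f[0][0], f[1], f[2], f[3:], None
        if rtype != "local":
            addr = rest[0][0]
            if "/" in addr:                           # single CIDR column
                net, rest = ipaddress.ip_network(addr, strict=False), rest[1:]
            else:                                     # IP-ADDRESS and IP-MASK columns
                net, rest = ipaddress.ip_network((addr, rest[1][0]), strict=False), rest[2:]
        records.append({"line": lineno, "type": rtype, "net": net, "method": rest[0][0],
                        "db": expand(db, base), "user": expand(user, base)})
    return records

def name_ok(patterns, name):
    return any(p == "all" or p == name or (p.startswith("/") and re.search(p[1:], name))
               for p in patterns)

def decide(path, conn):
    """(line, method) of the first record matching conn, or None, which PostgreSQL
    reports as "no pg_hba.conf entry" and refuses. There is no fall-through: the
    first match is final. conn = {"db", "user", "addr" (None for Unix socket), "ssl"}."""
    addr = None if conn["addr"] is None else ipaddress.ip_address(conn["addr"])
    for r in parse(path):
        if addr is None:
            ok = r["type"] == "local"
        else:
            ok = (r["type"] != "local" and addr in r["net"]
                  and not (r["type"] == "hostssl" and not conn["ssl"])
                  and not (r["type"] == "hostnossl" and conn["ssl"]))
        if ok and name_ok(r["db"], conn["db"]) and name_ok(r["user"], conn["user"]):
            return r["line"], r["method"]
    return None
```

  <para>
   Against the constructed files, <literal>carol</literal> connecting from
   10.20.30.40 is matched by line 4 through the nested include and must
   authenticate with <literal>scram-sha-256</literal>; in
   <filename>misordered.conf</filename> the same client hits the leading
   catch-all and is trusted, and the stricter record below it is never
   examined. A client that matches no record at all (here, any IPv6 client,
   since <literal>0.0.0.0/0</literal> covers only IPv4) is refused with
   <quote>no pg_hba.conf entry</quote>, a default that an explicit
   <literal>reject</literal> record at the end of the file makes visible.
  </para>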

  <tip>
   <para>
    To connect to a particular database, a user must not only pass the
    <filename>pg_hba.conf</filename> checks, but must also have the
    <literal>CONNECT</literal> privilege for the database.  If you wish to
    restrict which users can connect to which databases, it's usually
    easier to control this by granting/revoking <literal>CONNECT</literal> privilege
    than to put the rules in <filename>pg_hba.conf</filename> entries.
    Note that <literal>CONNECT</literal> on a newly created database is granted
    to <literal>PUBLIC</literal> by default, so it must be revoked from
    <literal>PUBLIC</literal> before per-role grants restrict anything.
   </para>
  </tip>

  <para>
   Some examples of <filename>pg_hba.conf</filename> entries are shown in
   <xref linkend="example-pg-hba.conf"/>. See the next section for details on the
   different authentication methods.
  </para>

   <example id="example-pg-hba.conf">
    <title>Example <filename>pg_hba.conf</filename> Entries</title>
<programlisting>
# Allow any user on the local system to connect to any database with
# any database user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust

# The same using local loopback TCP/IP connections.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust

# The same as the previous line, but using a separate netmask column
#
# TYPE  DATABASE        USER            IP-ADDRESS      IP-MASK             METHOD
host    all             all             127.0.0.1       255.255.255.255     trust

# The same over IPv6.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             ::1/128                 trust

# The same using a host name (would typically cover both IPv4 and IPv6).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             localhost               trust

# The same using a regular expression for DATABASE, which allows connection
# to any database whose name begins with "db" and ends with a number of two
# to four digits (like "db1234" or "db12").
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    "/^db\d{2,4}$"  all             localhost               trust

# Allow any user from any host with IP address 192.168.93.x to connect
# to database "postgres" as the same user name that ident reports for
# the connection (typically the operating system user name).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    postgres       

Title: PostgreSQL Host-Based Authentication Configuration
Summary
The pg_hba.conf file is used to configure host-based authentication in PostgreSQL, allowing administrators to control access to databases based on factors such as user identity, database name, client IP address, and authentication method. The order of records in the file is significant, with earlier records taking precedence over later ones. Examples of pg_hba.conf entries are provided to illustrate how to configure different authentication scenarios, including trusting local connections and requiring passwords for remote connections.