September 26, 2024: PostgreSQL 17 Released!
Supported Versions: Current (17) / 16 / 15 / 14 / 13 / 12
Development Versions: devel
Unsupported versions: 11 / 10 / 9.6 / 9.5 / 9.4 / 9.3 / 9.2 / 9.1 / 9.0 / 8.4 / 8.3 / 8.2 / 8.1 / 8.0 / 7.4 / 7.3 / 7.2 / 7.1
This documentation is for an unsupported version of PostgreSQL.
You may want to view the same page for the current version, or one of the other supported versions listed above instead.

Chapter 4. Client Authentication

When a client application connects to the database server, it specifies which Postgres user name it wants to connect as, much the same way one logs into a Unix computer as a particular user. Within the SQL environment the active database user name determines access privileges to database objects -- see Chapter 7 for more information about that. It is therefore obviously essential to restrict which database user name(s) a given client can connect as.

Authentication is the process by which the database server establishes the identity of the client, and by extension determines whether the client application (or the user who runs the client application) is permitted to connect with the user name that was requested.

Postgres offers client authentication by (client) host and by database, with a number of different authentication methods available.

Postgres database user names are logically separate from user names of the operating system in which the server runs. If all the users of a particular server also have accounts on the server's machine, it makes sense to assign database user names that match their Unix user ids. However, a server that accepts remote connections may have many users who have no local account, and in such cases there need be no connection between database usernames and Unix usernames.

4.1. The pg_hba.conf file

Client authentication is controlled by the file pg_hba.conf in the $PGDATA directory, e.g., /usr/local/pgsql/data/pg_hba.conf. (HBA stands for host-based authentication.) A default pg_hba.conf file is installed when the data area is initialized by initdb.

The general format of the pg_hba.conf file is of a set of records, one per line. Blank lines and lines beginning with a hash character ("#") are ignored. A record is made up of a number of fields which are separated by spaces and/or tabs. Records cannot be continued across lines.

A record may have one of the three formats

local   database authentication-method [ authentication-option ]
host    database IP-address IP-mask authentication-method [ authentication-option ]
hostssl database IP-address IP-mask authentication-method [ authentication-option ]
    
The meaning of the fields is as follows:
local

This record pertains to connection attempts over Unix domain sockets.

host

This record pertains to connection attempts over TCP/IP networks. Note that TCP/IP connections are completely disabled unless the server is started with the -i switch or the equivalent configuration parameter is set.

hostssl

This record pertains to connection attempts with SSL over TCP/IP. To make use of this option the server must be built with SSL support enabled. Furthermore, SSL must be enabled with the -l option or equivalent configuration setting when the server is started.

database

Specifies the database that this record applies to. The value all specifies that it applies to all databases, while the value sameuser identifies the database with the same name as the connecting user. Otherwise, this is the name of a specific Postgres database.

IP address, IP mask

These two fields control to which hosts a host record applies, based on their IP address. (Of course IP addresses can be spoofed but this consideration is beyond the scope of Postgres.) The precise logic is that

(actual-IP-address xor IP-address-field) and IP-mask-field
must be zero for the record to match.
authentication method

Specifies the method that users must use to authenticate themselves when connecting to that database. The possible choices follow, details are in Section 4.2.

trust

The connection is allowed unconditionally. This method allows any user that has login access to the client host to connect as any Postgres user whatsoever.

reject

The connection is rejected unconditionally. This is mostly useful to "filter out" certain hosts from a group.

password

The client is required to supply a password with the connection attempt which is required to match the password that was set up for the user.

An optional file name may be specified after the password keyword. This file is expected to contain a list of users that this record pertains to, and optionally alternative passwords.

The password is sent over the wire in clear text. For better protection, use the crypt method.

crypt

Like the password method, but the password is sent over the wire encrypted using a simple challenge-response protocol. This is still not cryptographically secure but it protects against incidental wire-sniffing. The name of a file may follow the crypt keyword that contains a list of users that this record pertains to.

krb4

Kerberos V4 is used to authenticate the user. This is only available for TCP/IP connections.

krb5

Kerberos V5 is used to authenticate the user. This is only available for TCP/IP connections.

ident

The ident server on the client host is asked for the identity of the connecting user. Postgres then verifies whether the so identified operating system user is allowed to connect as the database user that is requested. This is only available for TCP/IP connections. The authentication option following the ident keyword specifies the name of an ident map that specifies which operating system users equate with which database users. See below for details.

authentication option

This field is interpreted differently depending on the authentication method, as described there.

The first record that matches a connection attempt's client IP address and requested database name is used to do the authentication step. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, the following records are not considered. If no record matches, the access will be denied.

The pg_hba.conf file is re-read during each connection attempt. It is therefore trivial to modify access permissions while the server is running: just edit the file.

An example of a pg_hba.conf file is shown in Example 4-1. See below for details on the different authentication methods.

Example 4-1. An example pg_hba.conf file

# TYPE       DATABASE    IP_ADDRESS    MASK               AUTHTYPE  MAP

# Allow any user on the local system to connect to any
# database under any username, but only via an IP connection:

host         all         127.0.0.1     255.255.255.255    trust     

# The same, over Unix-socket connections:

local        all                                          trust

# Allow any user from any host with IP address 192.168.93.x to
# connect to database "template1" as the same username that ident on that
# host identifies him as (typically his Unix username):

host         template1   192.168.93.0  255.255.255.0      ident     sameuser

# Allow a user from host 192.168.12.10 to connect to database "template1"
# if the user's password in pg_shadow is correctly supplied:

host         template1   192.168.12.10 255.255.255.255    crypt

# In the absence of preceding "host" lines, these two lines will reject
# all connection attempts from 192.168.54.1 (since that entry will be
# matched first), but allow Kerberos V5-validated connections from anywhere
# else on the Internet. The zero mask means that no bits of the host IP
# address are considered, so it matches any host:

host         all        192.168.54.1   255.255.255.255    reject
host         all        0.0.0.0        0.0.0.0            krb5

# Allow users from 192.168.x.x hosts to connect to any database, if they
# pass the ident check.  If, for example, ident says the user is "bryanh"
# and he requests to connect as PostgreSQL user "guest1", the connection
# is allowed if there is an entry in pg_ident.conf for map "omicron" that
# says "bryanh" is allowed to connect as "guest1":

host         all        192.168.0.0    255.255.0.0        ident     omicron