Re: Adding usernames to pg_hba.conf

From: "Rod Taylor" <rbt(at)zort(dot)ca>
To: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Adding usernames to pg_hba.conf
Date: 2002-03-19 12:21:38
Message-ID: 038a01c1cf40$9f1effb0$8001a8c0@jester
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

I see.. @ denotes a list of users in a file.

Wouldn't it make more sense to simply allow groups to be specified
(groups from pg_group)?

In my case any group I would specify for connection purposes I've
already created for permission purposes.

--
Rod Taylor

This message represents the official view of the voices in my head

----- Original Message -----
From: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org>
Sent: Tuesday, March 19, 2002 1:06 AM
Subject: Re: [PATCHES] Adding usernames to pg_hba.conf

>
> Sorry, the previous posting didn't have the full patch. This one
does.
>
> --------------------------------------------------------------------
-------
>
> pgman wrote:
> > This patch completes the following TODO item:
> >
> > * Allow usernames to be specified directly in pg_hba.conf (Bruce)
> >
> > Currently, we allow usernames in secondary password files, but
this is a
> > very confusing feature. This patch:
> >
> > o removes secondary password file support
> > o adds a user name column just after the database column
> > o allows a comma separated list of usernames or databases
> > o allows another file to contain a list of username/databases
> > by preceding the pg_hba.conf entry with '@'
> > o allow single or double-quoting of user/database names
> >
> > See the documentation changes and new pg_hba.conf diffs for
samples.
> >
> > Is the '@' sign a good way to identify a file name? Is putting
the
> > username column just after the database column the right place for
it?
>
> --
> Bruce Momjian | http://candle.pha.pa.us
> pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
> + If your life is a hard drive, | 830 Blythe Avenue
> + Christ can be your backup. | Drexel Hill, Pennsylvania
19026
>

----------------------------------------------------------------------
----------

> Index: doc/src/sgml/client-auth.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
> retrieving revision 1.32
> diff -c -r1.32 client-auth.sgml
> *** doc/src/sgml/client-auth.sgml 20 Jan 2002 22:19:55 -0000 1.32
> --- doc/src/sgml/client-auth.sgml 19 Mar 2002 05:51:45 -0000
> ***************
> *** 10,23 ****
> </indexterm>
>
> <para>
> ! When a client application connects to the database server, it
specifies which
> ! <productname>PostgreSQL</productname> user name it wants to
connect as,
> ! much the same way one logs into a Unix computer as a particular
user.
> ! Within the SQL environment the active
> ! database user name determines access privileges to database
> ! objects -- see <xref linkend="user-manag"> for more information
> ! about that. It is therefore obviously essential to restrict
which
> ! database user name(s) a given client can connect as.
> </para>
>
> <para>
> --- 10,23 ----
> </indexterm>
>
> <para>
> ! When a client application connects to the database server, it
> ! specifies which <productname>PostgreSQL</productname> user name
it
> ! wants to connect as, much the same way one logs into a Unix
computer
> ! as a particular user. Within the SQL environment the active
database
> ! user name determines access privileges to database objects --
see
> ! <xref linkend="user-manag"> for more information about that. It
is
> ! therefore obviously essential to restrict which database user
name(s)
> ! a given client can connect as.
> </para>
>
> <para>
> ***************
> *** 30,49 ****
>
> <para>
> <productname>PostgreSQL</productname> offers a number of
different
> ! client authentication methods. The method to be used can be
selected
> ! on the basis of (client) host and database; some authentication
methods
> ! allow you to restrict by user name as well.
> </para>
>
> <para>
> ! <productname>PostgreSQL</productname> database user names are
logically
> separate from user names of the operating system in which the
server
> ! runs. If all the users of a particular server also have
accounts on
> the server's machine, it makes sense to assign database user
names
> ! that match their operating system user names. However, a server
that accepts remote
> ! connections may have many users who have no local account, and
in such
> ! cases there need be no connection between database user names
and OS
> ! user names.
> </para>
>
> <sect1 id="pg-hba-conf">
> --- 30,48 ----
>
> <para>
> <productname>PostgreSQL</productname> offers a number of
different
> ! client authentication methods. The method to be used can be
selected
> ! on the basis of (client) host, database, and user.
> </para>
>
> <para>
> ! <productname>PostgreSQL</productname> user names are logically
> separate from user names of the operating system in which the
server
> ! runs. If all the users of a particular server also have accounts
on
> the server's machine, it makes sense to assign database user
names
> ! that match their operating system user names. However, a server
that
> ! accepts remote connections may have many users who have no local
> ! account, and in such cases there need be no connection between
> ! database user names and OS user names.
> </para>
>
> <sect1 id="pg-hba-conf">
> ***************
> *** 56,94 ****
> <para>
> Client authentication is controlled by the file
> <filename>pg_hba.conf</filename> in the data directory, e.g.,
> ! <filename>/usr/local/pgsql/data/pg_hba.conf</filename>.
(<acronym>HBA</> stands
> ! for host-based authentication.) A default
<filename>pg_hba.conf</filename>
> ! file is installed when the
> ! data area is initialized by <command>initdb</command>.
> </para>
>
> <para>
> ! The general format of the <filename>pg_hba.conf</filename> file
is
> ! of a set of records, one per line. Blank lines and lines
beginning
> ! with a hash character (<quote>#</quote>) are ignored. A record
is
> ! made up of a number of fields which are separated by spaces
and/or
> ! tabs. Records cannot be continued across lines.
> </para>
>
> <para>
> Each record specifies a connection type, a client IP address
range
> ! (if relevant for the connection type), a database name or
names,
> and the authentication method to be used for connections
matching
> ! these parameters.
> ! The first record that matches the type, client address, and
requested
> ! database name of a connection attempt is used to do the
> ! authentication step. There is no <quote>fall-through</> or
> <quote>backup</>: if one record is chosen and the
authentication
> ! fails, the following records are not considered. If no record
> ! matches, the access will be denied.
> </para>
>
> <para>
> A record may have one of the three formats
> <synopsis>
> ! local <replaceable>database</replaceable>
<replaceable>authentication-method</replaceable> [
<replaceable>authentication-option</replaceable> ]
> ! host <replaceable>database</replaceable>
<replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> [
<replaceable>authentication-option</replaceable> ]
> ! hostssl <replaceable>database</replaceable>
<replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable> [
<replaceable>authentication-option</replaceable> ]
> </synopsis>
> The meaning of the fields is as follows:
>
> --- 55,93 ----
> <para>
> Client authentication is controlled by the file
> <filename>pg_hba.conf</filename> in the data directory, e.g.,
> ! <filename>/usr/local/pgsql/data/pg_hba.conf</filename>.
> ! (<acronym>HBA</> stands for host-based authentication.) A
default
> ! <filename>pg_hba.conf</filename> file is installed when the
data area
> ! is initialized by <command>initdb</command>.
> </para>
>
> <para>
> ! The general format of the <filename>pg_hba.conf</filename> file
is of
> ! a set of records, one per line. Blank lines are ignored, as is
any
> ! text after the <quote>#</quote> comment character. A record is
made
> ! up of a number of fields which are separated by spaces and/or
tabs.
> ! Fields can contain white space if the field value is quoted.
Records
> ! cannot be continued across lines.
> </para>
>
> <para>
> Each record specifies a connection type, a client IP address
range
> ! (if relevant for the connection type), a database name, a user
name,
> and the authentication method to be used for connections
matching
> ! these parameters. The first record with a matching connection
type,
> ! client address, requested database, and user name is used to
peform
> ! authentication. There is no <quote>fall-through</> or
> <quote>backup</>: if one record is chosen and the
authentication
> ! fails, subsequent records are not considered. If no record
matches,
> ! access is denied.
> </para>
>
> <para>
> A record may have one of the three formats
> <synopsis>
> ! local <replaceable>database</replaceable>
<replaceable>user</replaceable>
<replaceable>authentication-method</replaceable> [
<replaceable>authentication-option</replaceable> ]
> ! host <replaceable>database</replaceable>
<replaceable>user</replaceable> <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable>
> ! hostssl <replaceable>database</replaceable>
<replaceable>user</replaceable> <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>
<replaceable>authentication-method</replaceable>
> </synopsis>
> The meaning of the fields is as follows:
>
> ***************
> *** 97,103 ****
> <term><literal>local</literal></term>
> <listitem>
> <para>
> ! This record pertains to connection attempts over Unix
domain
> sockets.
> </para>
> </listitem>
> --- 96,102 ----
> <term><literal>local</literal></term>
> <listitem>
> <para>
> ! This record applies to connection attempts using Unix
domain
> sockets.
> </para>
> </listitem>
> ***************
> *** 107,116 ****
> <term><literal>host</literal></term>
> <listitem>
> <para>
> ! This record pertains to connection attempts over TCP/IP
> ! networks. Note that TCP/IP connections are completely
disabled
> ! unless the server is started with the <option>-i</option>
switch or
> ! the equivalent configuration parameter is set.
> </para>
> </listitem>
> </varlistentry>
> --- 106,116 ----
> <term><literal>host</literal></term>
> <listitem>
> <para>
> ! This record applied to connection attempts using TCP/IP
networks.
> ! Note that TCP/IP connections are disabled unless the server
is
> ! started with the <option>-i</option> option or the
> ! <literal>tcpip_socket</> <filename>postgresql.conf</>
> ! configuration parameter is enabled.
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 119,131 ****
> <term><literal>hostssl</literal></term>
> <listitem>
> <para>
> ! This record pertains to connection attempts with SSL over
> TCP/IP. To make use of this option the server must be
> built with SSL support enabled. Furthermore, SSL must be
> enabled with the <option>-l</> option or equivalent
configuration
> setting when the server is started. (Note:
<literal>host</literal>
> records will match either SSL or non-SSL connection
attempts, but
> ! <literal>hostssl</literal> records match only SSL
connections.)
> </para>
> </listitem>
> </varlistentry>
> --- 119,131 ----
> <term><literal>hostssl</literal></term>
> <listitem>
> <para>
> ! This record applies to connection attempts using SSL over
> TCP/IP. To make use of this option the server must be
> built with SSL support enabled. Furthermore, SSL must be
> enabled with the <option>-l</> option or equivalent
configuration
> setting when the server is started. (Note:
<literal>host</literal>
> records will match either SSL or non-SSL connection
attempts, but
> ! <literal>hostssl</literal> records requires SSL
connections.)
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 134,145 ****
> <term><replaceable>database</replaceable></term>
> <listitem>
> <para>
> ! Specifies the database that this record applies to. The
value
> <literal>all</literal> specifies that it applies to all
> databases, while the value <literal>sameuser</> identifies
the
> ! database with the same name as the connecting user.
Otherwise,
> ! this is the name of a specific
<productname>PostgreSQL</productname>
> ! database.
> </para>
> </listitem>
> </varlistentry>
> --- 134,165 ----
> <term><replaceable>database</replaceable></term>
> <listitem>
> <para>
> ! Specifies the database for this record. The value
> <literal>all</literal> specifies that it applies to all
> databases, while the value <literal>sameuser</> identifies
the
> ! database with the same name as the connecting user.
Otherwise,
> ! this is the name of a specific
> ! <productname>PostgreSQL</productname> database. Multiple
database
> ! names can be supplied by separating them with commas. A
file
> ! containing database names can be specified by preceding the
file
> ! name with <literal>@</>. The file must be in the same
directory
> ! as <filename>pg_hba.conf</>.
> ! </para>
> ! </listitem>
> ! </varlistentry>
> !
> ! <varlistentry>
> ! <term><replaceable>user</replaceable></term>
> ! <listitem>
> ! <para>
> ! Specifies the user for this record. The value
> ! <literal>all</literal> specifies that it applies to all
users.
> ! Otherwise, this is the name of a specific
> ! <productname>PostgreSQL</productname> user. Multiple user
> ! names can be supplied by separating them with commas. A
file
> ! containing user names can be specified by preceding the
file
> ! name with <literal>@</>. The file must be in the same
directory
> ! as <filename>pg_hba.conf</>.
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 149,158 ****
> <term><replaceable>IP mask</replaceable></term>
> <listitem>
> <para>
> ! These two fields specify to which client machines a
> ! <literal>host</literal> or <literal>hostssl</literal>
> ! record applies, based on their IP
> ! address. (Of course IP addresses can be spoofed but this
> consideration is beyond the scope of
> <productname>PostgreSQL</productname>.) The precise logic
is that
> <blockquote>
> --- 169,177 ----
> <term><replaceable>IP mask</replaceable></term>
> <listitem>
> <para>
> ! These two fields specify the client machine IP addresses
> ! (<literal>host</literal> or <literal>hostssl</literal>) for
this
> ! record. (Of course IP addresses can be spoofed but this
> consideration is beyond the scope of
> <productname>PostgreSQL</productname>.) The precise logic
is that
> <blockquote>
> ***************
> *** 169,178 ****
> <term><replaceable>authentication method</replaceable></term>
> <listitem>
> <para>
> ! Specifies the method that users must use to authenticate
themselves
> ! when connecting under the control of this authentication
record.
> ! The possible choices are summarized here,
> ! details are in <xref linkend="auth-methods">.
>
> <variablelist>
> <varlistentry>
> --- 188,196 ----
> <term><replaceable>authentication method</replaceable></term>
> <listitem>
> <para>
> ! Specifies the authentication method to use when connecting
via
> ! this record. The possible choices are summarized here;
details
> ! are in <xref linkend="auth-methods">.
>
> <variablelist>
> <varlistentry>
> ***************
> *** 190,255 ****
> <term><literal>reject</></term>
> <listitem>
> <para>
> ! The connection is rejected unconditionally. This is
mostly
> ! useful to <quote>filter out</> certain hosts from a
group.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>password</></term>
> <listitem>
> <para>
> ! The client is required to supply a password which is
required to
> ! match the database password that was set up for the user.
> ! </para>
> !
> ! <para>
> ! An optional file name may be specified after the
> ! <literal>password</literal> keyword. This file is
expected to
> ! contain a list of users who may connect using this
record,
> ! and optionally alternative passwords for them.
> ! </para>
> !
> ! <para>
> ! The password is sent over the wire in clear text. For
better
> ! protection, use the <literal>md5</literal> or
> ! <literal>crypt</literal> methods.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>md5</></term>
> <listitem>
> <para>
> ! Like the <literal>password</literal> method, but the
password
> ! is sent over the wire encrypted using a simple
> ! challenge-response protocol. This protects against
incidental
> ! wire-sniffing. This is now the recommended choice for
> ! password-based authentication.
> ! </para>
> !
> ! <para>
> ! The name of a file may follow the
> ! <literal>md5</literal> keyword. It contains a list of
users
> ! who may connect using this record.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>crypt</></term>
> <listitem>
> <para>
> ! Like the <literal>md5</literal> method but uses older
crypt
> ! encryption, which is needed for pre-7.2
> ! clients. <literal>md5</literal> is
> ! preferred for 7.2 and later clients. The
<literal>crypt</>
> ! method is not compatible with encrypting passwords in
> ! <filename>pg_shadow</>, and may fail if client and
server
> ! machines have different implementations of the crypt()
library
> ! routine.
> </para>
> </listitem>
> </varlistentry>
> --- 208,248 ----
> <term><literal>reject</></term>
> <listitem>
> <para>
> ! The connection is rejected unconditionally. This is
useful for
> ! <quote>filtering out</> certain hosts from a group.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>md5</></term>
> <listitem>
> <para>
> ! Requires the client to supply an MD5 encrypted password
for
> ! authentication. This is the only method that allows
encrypted
> ! passwords to be stored in pg_shadow.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>crypt</></term>
> <listitem>
> <para>
> ! Like <literal>md5</literal> method but uses older crypt
> ! encryption, which is needed for pre-7.2 clients.
> ! <literal>md5</literal> is preferred for 7.2 and later
clients.
> </para>
> </listitem>
> </varlistentry>
>
> <varlistentry>
> ! <term><literal>password</></term>
> <listitem>
> <para>
> ! Same as "md5", but the password is sent in cleartext
over the
> ! network. This should not be used on untrusted networks.
> ! </para>
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 278,311 ****
> <term><literal>ident</></term>
> <listitem>
> <para>
> ! The identity of the user as determined on login to the
> ! operating system is used by
<productname>PostgreSQL</productname>
> ! to determine whether the user
> ! is allowed to connect as the requested database user.
> ! For TCP/IP connections the user's identity is determined by
> ! contacting the <firstterm>ident</firstterm> server on the client
> ! host. (Note that this is only as reliable as the remote ident
> ! server; ident authentication should never be used for remote
hosts
> ! whose administrators are not trustworthy.)
> ! On operating systems
> ! supporting <symbol>SO_PEERCRED</> requests for Unix domain
sockets,
> ! ident authentication is possible for local connections;
> ! the system is then asked for the connecting user's identity.
> </para>
> <para>
> ! On systems without <symbol>SO_PEERCRED</> requests, ident
authentication
> ! is only available for TCP/IP connections. As a workaround,
> ! it is possible to
> ! specify the <systemitem class="systemname">localhost</> address
> ! <systemitem class="systemname">127.0.0.1</> and make
connections
> ! to this address.
> ! </para>
> ! <para>
> ! The <replaceable>authentication option</replaceable>
following
> ! the <literal>ident</> keyword specifies the name of an
> ! <firstterm>ident map</firstterm> that specifies which
operating
> ! system users equate with which database users. See below
for
> ! details.
> </para>
> </listitem>
> </varlistentry>
> --- 271,306 ----
> <term><literal>ident</></term>
> <listitem>
> <para>
> ! For TCP/IP connections, authentication is done by
contacting
> ! the <firstterm>ident</firstterm> server on the client
host.
> ! This is only as secure as the client machine. You must
specify
> ! the map name after the 'ident' keyword. It determines
how to
> ! map remote user names to PostgreSQL user names. If you
use
> ! "sameuser", the user names are assumed to be identical.
If
> ! not, the map name is looked up in the
$PGDATA/pg_ident.conf
> ! file. The connection is accepted if that file contains
an
> ! entry for this map name with the ident-supplied username
and
> ! the requested PostgreSQL username.
> ! </para>
> ! <para>
> ! On machines that support unix-domain socket credentials
> ! (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident
allows
> ! reliable authentication of 'local' connections without
ident
> ! running on the local machine.
> ! </para>
> ! <para>
> ! On systems without <symbol>SO_PEERCRED</> requests, ident
> ! authentication is only available for TCP/IP connections. As a
> ! work around, it is possible to specify the <systemitem
> ! class="systemname">localhost</> address <systemitem
> ! class="systemname">127.0.0.1</> and make connections to this
> ! address.
> </para>
> <para>
> ! Following the <literal>ident</> keyword, an
<firstterm>ident
> ! map</firstterm> name should be supplied which specifies
which
> ! operating system users equate with which database users.
See
> ! below for details.
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 315,331 ****
> <listitem>
> <para>
> This authentication type operates similarly to
> ! <firstterm>password</firstterm>, with the main
difference that
> ! it will use PAM (Pluggable Authentication Modules) as
the
> ! authentication mechanism. The
<replaceable>authentication
> ! option</replaceable> following the <literal>pam</>
keyword
> ! specifies the service name that will be passed to PAM.
The
> ! default service name is <literal>postgresql</literal>.
> ! For more information about PAM, please read the <ulink
> !
url="http://www.kernel.org/pub/linux/libs/pam/"><productname>Linux-PAM
</productname>
> ! Page</ulink> and/or the <ulink
> !
url="http://www.sun.com/software/solaris/pam/"><systemitem
class="osname">Solaris</> PAM
> ! Page</ulink>.
> </para>
> </listitem>
> </varlistentry>
> --- 310,325 ----
> <listitem>
> <para>
> This authentication type operates similarly to
> ! <firstterm>password</firstterm> except that it uses PAM
> ! (Pluggable Authentication Modules) as the authentication
> ! mechanism. The default PAM service name is
> ! <literal>postgresql</literal>. You can optionally supply
you
> ! own service name after the <literal>pam</> keyword in
the
> ! file. For more information about PAM, please read the
<ulink
> !
url="http://www.kernel.org/pub/linux/libs/pam/"><productname>L
> ! inux-PAM</productname> Page</ulink> and the <ulink
> !
url="http://www.sun.com/software/solaris/pam/"><systemitem
> ! class="osname">Solaris</> PAM Page</ulink>.
> </para>
> </listitem>
> </varlistentry>
> ***************
> *** 336,377 ****
> </listitem>
> </varlistentry>
>
> - <varlistentry>
> - <term><replaceable>authentication option</replaceable></term>
> - <listitem>
> - <para>
> - This field is interpreted differently depending on the
> - authentication method, as described above.
> - </para>
> - </listitem>
> - </varlistentry>
> </variablelist>
> </para>
>
> <para>
> Since the <filename>pg_hba.conf</filename> records are examined
> sequentially for each connection attempt, the order of the
records is
> ! very significant. Typically, earlier records will have tight
> ! connection match parameters and weaker authentication methods,
> ! while later records will have looser match parameters and
stronger
> ! authentication methods. For example, one might wish to use
> ! <literal>trust</> authentication for local TCP connections but
> ! require a password for remote TCP connections. In this case a
> ! record specifying <literal>trust</> authentication for
connections
> ! from 127.0.0.1 would appear before a record specifying password
> ! authentication for a wider range of allowed client IP
addresses.
> </para>
>
> <para>
> <indexterm>
> <primary>SIGHUP</primary>
> </indexterm>
> ! The <filename>pg_hba.conf</filename> file is read on startup
> ! and when the <application>postmaster</> receives a
> <systemitem>SIGHUP</systemitem> signal. If you edit the file on
an
> active system, you will need to signal the
<application>postmaster</>
> ! (using <literal>pg_ctl reload</> or <literal>kill -HUP</>)
> ! to make it re-read the file.
> </para>
>
> <para>
> --- 330,362 ----
> </listitem>
> </varlistentry>
>
> </variablelist>
> </para>
>
> <para>
> Since the <filename>pg_hba.conf</filename> records are examined
> sequentially for each connection attempt, the order of the
records is
> ! significant. Typically, earlier records will have tight
connection
> ! match parameters and weaker authentication methods, while later
> ! records will have looser match parameters and stronger
authentication
> ! methods. For example, one might wish to use <literal>trust</>
> ! authentication for local TCP connections but require a password
for
> ! remote TCP connections. In this case a record specifying
> ! <literal>trust</> authentication for connections from 127.0.0.1
would
> ! appear before a record specifying password authentication for a
wider
> ! range of allowed client IP addresses.
> </para>
>
> <para>
> <indexterm>
> <primary>SIGHUP</primary>
> </indexterm>
> ! The <filename>pg_hba.conf</filename> file is read on startup
and when
> ! the <application>postmaster</> receives a
> <systemitem>SIGHUP</systemitem> signal. If you edit the file on
an
> active system, you will need to signal the
<application>postmaster</>
> ! (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to
make it
> ! re-read the file.
> </para>
>
> <para>
> ***************
> *** 382,408 ****
> <example id="example-pg-hba.conf">
> <title>An example <filename>pg_hba.conf</filename>
file</title>
> <programlisting>
> ! # TYPE DATABASE IP_ADDRESS MASK AUTHTYPE
MAP
>
> # Allow any user on the local system to connect to any
> # database under any username, but only via an IP connection:
>
> ! host all 127.0.0.1 255.255.255.255 trust
>
> # The same, over Unix-socket connections:
>
> ! local all trust
>
> # Allow any user from any host with IP address 192.168.93.x to
> # connect to database "template1" as the same username that ident
on that
> # host identifies him as (typically his Unix username):
>
> ! host template1 192.168.93.0 255.255.255.0 ident
sameuser
>
> # Allow a user from host 192.168.12.10 to connect to database
"template1"
> ! # if the user's password in pg_shadow is correctly supplied:
>
> ! host template1 192.168.12.10 255.255.255.255 md5
>
> # In the absence of preceding "host" lines, these two lines will
reject
> # all connection attempts from 192.168.54.1 (since that entry will
be
> --- 367,393 ----
> <example id="example-pg-hba.conf">
> <title>An example <filename>pg_hba.conf</filename>
file</title>
> <programlisting>
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTHTYPE
>
> # Allow any user on the local system to connect to any
> # database under any username, but only via an IP connection:
>
> ! host all all 127.0.0.1 255.255.255.255
trust
>
> # The same, over Unix-socket connections:
>
> ! local all all
trust
>
> # Allow any user from any host with IP address 192.168.93.x to
> # connect to database "template1" as the same username that ident
on that
> # host identifies him as (typically his Unix username):
>
> ! host template1 all 192.168.93.0 255.255.255.0
ident sameuser
>
> # Allow a user from host 192.168.12.10 to connect to database
"template1"
> ! # if the user's password is correctly supplied:
>
> ! host template1 all 192.168.12.10 255.255.255.255
md5
>
> # In the absence of preceding "host" lines, these two lines will
reject
> # all connection attempts from 192.168.54.1 (since that entry will
be
> ***************
> *** 410,417 ****
> # else on the Internet. The zero mask means that no bits of the
host IP
> # address are considered, so it matches any host:
>
> ! host all 192.168.54.1 255.255.255.255 reject
> ! host all 0.0.0.0 0.0.0.0 krb5
>
> # Allow users from 192.168.x.x hosts to connect to any database,
if they
> # pass the ident check. If, for example, ident says the user is
"bryanh"
> --- 395,402 ----
> # else on the Internet. The zero mask means that no bits of the
host IP
> # address are considered, so it matches any host:
>
> ! host all all 192.168.54.1 255.255.255.255
reject
> ! host all all 0.0.0.0 0.0.0.0
krb5
>
> # Allow users from 192.168.x.x hosts to connect to any database,
if they
> # pass the ident check. If, for example, ident says the user is
"bryanh"
> ***************
> *** 419,425 ****
> # is allowed if there is an entry in pg_ident.conf for map
"omicron" that
> # says "bryanh" is allowed to connect as "guest1":
>
> ! host all 192.168.0.0 255.255.0.0 ident
omicron
>
> # If these are the only two lines for local connections, they will
allow
> # local users to connect only to their own databases (database
named the
> --- 404,410 ----
> # is allowed if there is an entry in pg_ident.conf for map
"omicron" that
> # says "bryanh" is allowed to connect as "guest1":
>
> ! host all all 192.168.0.0 255.255.0.0
ident omicron
>
> # If these are the only two lines for local connections, they will
allow
> # local users to connect only to their own databases (database
named the
> ***************
> *** 429,436 ****
> # cases. (If you prefer to use ident authorization, an ident map
can
> # serve a parallel purpose to the password list file used here.)
>
> ! local sameuser md5
> ! local all md5
admins
> </programlisting>
> </example>
> </para>
> --- 414,421 ----
> # cases. (If you prefer to use ident authorization, an ident map
can
> # serve a parallel purpose to the password list file used here.)
>
> ! local sameuser all
md5
> ! local all @admins
md5
> </programlisting>
> </example>
> </para>
> ***************
> *** 490,575 ****
> <title>Password authentication</title>
>
> <indexterm>
> ! <primary>password</primary>
> </indexterm>
> <indexterm>
> ! <primary>MD5</>
> </indexterm>
>
> <para>
> Password-based authentication methods include <literal>md5</>,
> ! <literal>crypt</>, and <literal>password</>. These methods
operate
> similarly except for the way that the password is sent across
the
> ! connection. If you are at all concerned about password
<quote>sniffing</>
> ! attacks then <literal>md5</> is preferred, with
<literal>crypt</> a
> ! second choice if you must support obsolete clients. Plain
> ! <literal>password</> should especially be avoided for
connections over
> ! the open Internet (unless you use SSL, SSH, or other
communications
> ! security wrappers around the connection).
> </para>
>
> <para>
> ! <productname>PostgreSQL</productname> database passwords are
separate from
> ! operating system user passwords. Ordinarily, the password for
each
> ! database user is stored in the pg_shadow system catalog table.
> ! Passwords can be managed with the query language commands
> ! <command>CREATE USER</command> and <command>ALTER
USER</command>,
> ! e.g., <userinput>CREATE USER foo WITH PASSWORD
> ! 'secret';</userinput>. By default, that is, if no password has
> ! been set up, the stored password is <literal>NULL</literal>
> ! and password authentication will always fail for that user.
> </para>
>
> <para>
> To restrict the set of users that are allowed to connect to
certain
> ! databases, list the set of users in a separate file (one user
name
> ! per line) in the same directory that <filename>pg_hba.conf</>
is in,
> ! and mention the (base) name of the file after the
> ! <literal>password</>, <literal>md5</>, or <literal>crypt</>
keyword,
> ! respectively, in <filename>pg_hba.conf</>. If you do not use
this
> ! feature, then any user that is known to the database system
can
> ! connect to any database (so long as he supplies the correct
password,
> ! of course).
> ! </para>
> !
> ! <para>
> ! These files can also be used to apply a different set of
passwords
> ! to a particular database or set thereof. In that case, the
files
> ! have a format similar to the standard Unix password file
> ! <filename>/etc/passwd</filename>, that is,
> ! <synopsis>
> !
<replaceable>username</replaceable>:<replaceable>password</replaceable
>
> ! </synopsis>
> ! Any extra colon-separated fields following the password are
> ! ignored. The password is expected to be encrypted using the
> ! system's <function>crypt()</function> function. The utility
> ! program <application>pg_passwd</application> that is installed
> ! with <productname>PostgreSQL</productname> can be used to
manage
> ! these password files.
> ! </para>
> !
> ! <para>
> ! Lines with and without passwords can be mixed in secondary
> ! password files. Lines without password indicate use of the
main
> ! password in <literal>pg_shadow</> that is managed by
> ! <command>CREATE USER</> and <command>ALTER USER</>. Lines with
> ! passwords will cause that password to be used. A password
entry of
> ! <quote>+</quote> also means using the pg_shadow password.
> ! </para>
> !
> ! <para>
> ! Alternative passwords cannot be used when using the
<literal>md5</>
> ! or <literal>crypt</> methods. The file will be read as
> ! usual, but the password field will simply be ignored and the
> ! <literal>pg_shadow</> password will always be used.
> ! </para>
> !
> ! <para>
> ! Note that using alternative passwords like this means that one
can
> ! no longer use <command>ALTER USER</command> to change one's
> ! password. It will appear to work but the password one is
> ! changing is not the password that the system will end up
> ! using.
> </para>
>
> </sect2>
> --- 475,522 ----
> <title>Password authentication</title>
>
> <indexterm>
> ! <primary>MD5</>
> </indexterm>
> <indexterm>
> ! <primary>crypt</>
> ! </indexterm>
> ! <indexterm>
> ! <primary>password</primary>
> </indexterm>
>
> <para>
> Password-based authentication methods include <literal>md5</>,
> ! <literal>crypt</>, and <literal>password</>. These methods
operate
> similarly except for the way that the password is sent across
the
> ! connection. If you are at all concerned about password
> ! <quote>sniffing</> attacks then <literal>md5</> is preferred,
with
> ! <literal>crypt</> a second choice if you must support pre-7.2
> ! clients. Plain <literal>password</> should especially be
avoided for
> ! connections over the open Internet (unless you use SSL, SSH,
or
> ! other communications security wrappers around the connection).
> </para>
>
> <para>
> ! <productname>PostgreSQL</productname> database passwords are
> ! separate from operating system user passwords. Ordinarily, the
> ! password for each database user is stored in the pg_shadow
system
> ! catalog table. Passwords can be managed with the query
language
> ! commands <command>CREATE USER</command> and <command>ALTER
> ! USER</command>, e.g., <userinput>CREATE USER foo WITH PASSWORD
> ! 'secret';</userinput>. By default, that is, if no password has
been
> ! set up, the stored password is <literal>NULL</literal> and
password
> ! authentication will always fail for that user.
> </para>
>
> <para>
> To restrict the set of users that are allowed to connect to
certain
> ! databases, list the users separated by commas, or in a
separate
> ! file. The file should contain user names separated by commas
or one
> ! user name per line, and be in the same directory as
> ! <filename>pg_hba.conf</>. Mention the (base) name of the file
> ! preceded by <literal>@</>in the <literal>USER</> column. The
> ! <literal>DATABASE</> column can similarly accept a list of
values or
> ! a file name.
> </para>
>
> </sect2>
> ***************
> *** 588,597 ****
> <productname>Kerberos</productname> system is far beyond the
scope
> of this document; in all generality it can be quite complex
(yet
> powerful). The <ulink
> !
url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerber
os
> ! <acronym>FAQ</></ulink> or <ulink
> ! url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can
be
> ! a good starting point for exploration. Several sources for
> <productname>Kerberos</> distributions exist.
> </para>
>
> --- 535,544 ----
> <productname>Kerberos</productname> system is far beyond the
scope
> of this document; in all generality it can be quite complex
(yet
> powerful). The <ulink
> !
url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerb
> ! eros <acronym>FAQ</></ulink> or <ulink
> ! url="ftp://athena-dist.mit.edu">MIT Project Athena</ulink> can
be a
> ! good starting point for exploration. Several sources for
> <productname>Kerberos</> distributions exist.
> </para>
>
> ***************
> *** 606,639 ****
> <para>
> <productname>PostgreSQL</> operates like a normal Kerberos
service.
> The name of the service principal is
> ! <replaceable>servicename/hostname(at)realm</>, where
> ! <replaceable>servicename</> is <literal>postgres</literal>
> ! (unless a different service name was selected at configure
time
> ! with <literal>./configure --with-krb-srvnam=whatever</>).
> ! <replaceable>hostname</> is the fully qualified domain name of
the server
> ! machine. The service principal's realm is the preferred realm
of the
> ! server machine.
> </para>
>
> <para>
> ! Client principals must have their <productname>PostgreSQL</>
user name as
> ! their first component, for example
> ! <replaceable>pgusername/otherstuff(at)realm</>.
> ! At present the realm of the client is not checked by
> ! <productname>PostgreSQL</>; so
> ! if you have cross-realm authentication enabled, then any
principal
> ! in any realm that can communicate with yours will be accepted.
> </para>
>
> <para>
> ! Make sure that your server key file is readable (and
> ! preferably only readable) by the
> ! <productname>PostgreSQL</productname> server account (see
> ! <xref linkend="postgres-user">). The location of the key file
> ! is specified with the <varname>krb_server_keyfile</> run time
> ! configuration parameter. (See also <xref
linkend="runtime-config">.)
> ! The default is <filename>/etc/srvtab</> if you are using
Kerberos 4
> ! and <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</> (or
whichever
> directory was specified as <varname>sysconfdir</> at build
time)
> with Kerberos 5.
> </para>
> --- 553,585 ----
> <para>
> <productname>PostgreSQL</> operates like a normal Kerberos
service.
> The name of the service principal is
> ! <replaceable>servicename/hostname(at)realm</>, where
> ! <replaceable>servicename</> is <literal>postgres</literal>
(unless a
> ! different service name was selected at configure time with
> ! <literal>./configure --with-krb-srvnam=whatever</>).
> ! <replaceable>hostname</> is the fully qualified domain name of
the
> ! server machine. The service principal's realm is the preferred
realm
> ! of the server machine.
> </para>
>
> <para>
> ! Client principals must have their <productname>PostgreSQL</>
user
> ! name as their first component, for example
> ! <replaceable>pgusername/otherstuff(at)realm</>. At present the
realm of
> ! the client is not checked by <productname>PostgreSQL</>; so if
you
> ! have cross-realm authentication enabled, then any principal in
any
> ! realm that can communicate with yours will be accepted.
> </para>
>
> <para>
> ! Make sure that your server key file is readable (and
preferably only
> ! readable) by the <productname>PostgreSQL</productname> server
> ! account (see <xref linkend="postgres-user">). The location of
the
> ! key file is specified with the <varname>krb_server_keyfile</>
run
> ! time configuration parameter. (See also <xref
> ! linkend="runtime-config">.) The default is
<filename>/etc/srvtab</>
> ! if you are using Kerberos 4 and
> ! <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</> (or
whichever
> directory was specified as <varname>sysconfdir</> at build
time)
> with Kerberos 5.
> </para>
> ***************
> *** 649,666 ****
>
> <para>
> When connecting to the database make sure you have a ticket
for a
> ! principal matching the requested database user name.
> ! An example: For database user name <literal>fred</>, both
principal
> <literal>fred(at)EXAMPLE(dot)COM</> and
> ! <literal>fred/users(dot)example(dot)com(at)EXAMPLE(dot)COM</> can be
> ! used to authenticate to the database server.
> </para>
>
> <para>
> ! If you use <application>mod_auth_krb</application> and
<application>mod_perl</application> on your
<productname>Apache</productname> web server,
> ! you can use <literal>AuthType
KerberosV5SaveCredentials</literal> with a
<application>mod_perl</application>
> ! script. This gives secure database access over the web, no
extra
> ! passwords required.
> </para>
>
> </sect2>
> --- 595,614 ----
>
> <para>
> When connecting to the database make sure you have a ticket
for a
> ! principal matching the requested database user name. An
example: For
> ! database user name <literal>fred</>, both principal
> <literal>fred(at)EXAMPLE(dot)COM</> and
> ! <literal>fred/users(dot)example(dot)com(at)EXAMPLE(dot)COM</> can be used to
> ! authenticate to the database server.
> </para>
>
> <para>
> ! If you use <application>mod_auth_krb</application> and
> ! <application>mod_perl</application> on your
> ! <productname>Apache</productname> web server, you can use
> ! <literal>AuthType KerberosV5SaveCredentials</literal> with a
> ! <application>mod_perl</application> script. This gives secure
> ! database access over the web, no extra passwords required.
> </para>
>
> </sect2>
> ***************
> *** 707,761 ****
> </para>
>
> <para>
> ! On systems supporting <symbol>SO_PEERCRED</symbol> requests
for Unix-domain sockets,
> ! ident authentication can also be applied to local connections.
In this
> ! case, no security risk is added by using ident authentication;
indeed
> ! it is a preferable choice for local connections on such a
system.
> </para>
>
> <para>
> When using ident-based authentication, after having determined
the
> name of the operating system user that initiated the
connection,
> ! <productname>PostgreSQL</productname> checks whether that user
is allowed
> ! to connect as the database user he is requesting to connect
as.
> ! This is controlled by the ident map
> ! argument that follows the <literal>ident</> keyword in the
> ! <filename>pg_hba.conf</filename> file. There is a predefined
ident map
> ! <literal>sameuser</literal>, which allows any operating system
> ! user to connect as the database user of the same name (if the
> ! latter exists). Other maps must be created manually.
> </para>
>
> <para>
> ! <indexterm><primary>pg_ident.conf</primary></indexterm>
> ! Ident maps other than <literal>sameuser</literal> are defined
> ! in the file <filename>pg_ident.conf</filename>
> ! in the data directory, which contains lines of the general
form:
> <synopsis>
> <replaceable>map-name</> <replaceable>ident-username</>
<replaceable>database-username</>
> </synopsis>
> ! Comments and whitespace are handled in the usual way.
> ! The <replaceable>map-name</> is an arbitrary name that will be
> ! used to refer to this mapping in
<filename>pg_hba.conf</filename>.
> ! The other two fields specify which operating system user is
> ! allowed to connect as which database user. The same
> ! <replaceable>map-name</> can be used repeatedly to specify
more
> ! user-mappings within a single map. There is no restriction
regarding
> ! how many
> ! database users a given operating system user may correspond to
and vice
> ! versa.
> </para>
>
> <para>
> <indexterm>
> <primary>SIGHUP</primary>
> </indexterm>
> ! The <filename>pg_ident.conf</filename> file is read on startup
> ! and when the <application>postmaster</> receives a
> <systemitem>SIGHUP</systemitem> signal. If you edit the file on
an
> active system, you will need to signal the
<application>postmaster</>
> ! (using <literal>pg_ctl reload</> or <literal>kill -HUP</>)
> ! to make it re-read the file.
> </para>
>
> <para>
> --- 655,708 ----
> </para>
>
> <para>
> ! On systems supporting <symbol>SO_PEERCRED</symbol> requests
for
> ! Unix-domain sockets, ident authentication can also be applied
to
> ! local connections. In this case, no security risk is added by
using
> ! ident authentication; indeed it is a preferable choice for
local
> ! connections on such systems.
> </para>
>
> <para>
> When using ident-based authentication, after having determined
the
> name of the operating system user that initiated the
connection,
> ! <productname>PostgreSQL</productname> checks whether that user
is
> ! allowed to connect as the database user he is requesting to
connect
> ! as. This is controlled by the ident map argument that follows
the
> ! <literal>ident</> keyword in the
<filename>pg_hba.conf</filename>
> ! file. There is a predefined ident map
<literal>sameuser</literal>,
> ! which allows any operating system user to connect as the
database
> ! user of the same name (if the latter exists). Other maps must
be
> ! created manually.
> </para>
>
> <para>
> ! <indexterm><primary>pg_ident.conf</primary></indexterm> Ident
maps
> ! other than <literal>sameuser</literal> are defined in the file
> ! <filename>pg_ident.conf</filename> in the data directory,
which
> ! contains lines of the general form:
> <synopsis>
> <replaceable>map-name</> <replaceable>ident-username</>
<replaceable>database-username</>
> </synopsis>
> ! Comments and whitespace are handled in the usual way. The
> ! <replaceable>map-name</> is an arbitrary name that will be
used to
> ! refer to this mapping in <filename>pg_hba.conf</filename>. The
other
> ! two fields specify which operating system user is allowed to
connect
> ! as which database user. The same <replaceable>map-name</> can
be
> ! used repeatedly to specify more user-mappings within a single
map.
> ! There is no restriction regarding how many database users a
given
> ! operating system user may correspond to and vice versa.
> </para>
>
> <para>
> <indexterm>
> <primary>SIGHUP</primary>
> </indexterm>
> ! The <filename>pg_ident.conf</filename> file is read on startup
and
> ! when the <application>postmaster</> receives a
> <systemitem>SIGHUP</systemitem> signal. If you edit the file on
an
> active system, you will need to signal the
<application>postmaster</>
> ! (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to
make it
> ! re-read the file.
> </para>
>
> <para>
> ***************
> *** 763,775 ****
> conjunction with the <filename>pg_hba.conf</> file in <xref
> linkend="example-pg-hba.conf"> is shown in <xref
> linkend="example-pg-ident.conf">. In this example setup,
anyone
> ! logged in to a machine on the 192.168 network that does not
have
> ! the Unix user name <systemitem>bryanh</>, <systemitem>ann</>,
or <systemitem>robert</> would not be granted access.
> ! Unix user <systemitem>robert</> would only be allowed access
when he tries to
> ! connect as <productname>PostgreSQL</> user <systemitem>bob</>,
> ! not as <systemitem>robert</>
> ! or anyone else. <systemitem>ann</> would only be allowed to
connect as
> ! <systemitem>ann</>. User <systemitem>bryanh</> would be
allowed to connect as either
> <systemitem>bryanh</> himself or as <systemitem>guest1</>.
> </para>
>
> --- 710,723 ----
> conjunction with the <filename>pg_hba.conf</> file in <xref
> linkend="example-pg-hba.conf"> is shown in <xref
> linkend="example-pg-ident.conf">. In this example setup,
anyone
> ! logged in to a machine on the 192.168 network that does not
have the
> ! Unix user name <systemitem>bryanh</>, <systemitem>ann</>, or
> ! <systemitem>robert</> would not be granted access. Unix user
> ! <systemitem>robert</> would only be allowed access when he
tries to
> ! connect as <productname>PostgreSQL</> user <systemitem>bob</>,
not
> ! as <systemitem>robert</> or anyone else. <systemitem>ann</>
would
> ! only be allowed to connect as <systemitem>ann</>. User
> ! <systemitem>bryanh</> would be allowed to connect as either
> <systemitem>bryanh</> himself or as <systemitem>guest1</>.
> </para>
>
> ***************
> *** 799,828 ****
>
> <para>
> <ProgramListing>
> ! No pg_hba.conf entry for host 123.123.123.123, user joeblow,
database testdb
> </ProgramListing>
> ! This is what you are most likely to get if you succeed in
> ! contacting the server, but it does not want to talk to you. As
the
> ! message suggests, the server refused the connection request
> ! because it found no authorizing entry in its
<filename>pg_hba.conf</filename>
> configuration file.
> </para>
>
> <para>
> <ProgramListing>
> ! Password authentication failed for user 'joeblow'
> </ProgramListing>
> ! Messages like this indicate that you contacted the server, and
> ! it is willing to talk to you, but not until you pass the
> ! authorization method specified in the
> ! <filename>pg_hba.conf</filename> file. Check the password you
are
> ! providing, or check your Kerberos or ident software if the
> ! complaint mentions one of those authentication types.
> </para>
>
> <para>
> <ProgramListing>
> ! FATAL 1: user "joeblow" does not exist
> </ProgramListing>
> The indicated user name was not found.
> </para>
> --- 747,776 ----
>
> <para>
> <ProgramListing>
> ! No pg_hba.conf entry for host 123.123.123.123, user andym,
database testdb
> </ProgramListing>
> ! This is what you are most likely to get if you succeed in
contacting
> ! the server, but it does not want to talk to you. As the
message
> ! suggests, the server refused the connection request because it
found
> ! no authorizing entry in its <filename>pg_hba.conf</filename>
> configuration file.
> </para>
>
> <para>
> <ProgramListing>
> ! Password authentication failed for user 'andym'
> </ProgramListing>
> ! Messages like this indicate that you contacted the server, and
it is
> ! willing to talk to you, but not until you pass the
authorization
> ! method specified in the <filename>pg_hba.conf</filename> file.
Check
> ! the password you are providing, or check your Kerberos or
ident
> ! software if the complaint mentions one of those authentication
> ! types.
> </para>
>
> <para>
> <ProgramListing>
> ! FATAL 1: user "andym" does not exist
> </ProgramListing>
> The indicated user name was not found.
> </para>
> ***************
> *** 837,845 ****
> </para>
>
> <para>
> ! Note that the server log may contain more information
> ! about an authentication failure than is reported to the
client.
> ! If you are confused about the reason for a failure, check the
log.
> </para>
> </sect1>
>
> --- 785,793 ----
> </para>
>
> <para>
> ! Note that the server log may contain more information about an
> ! authentication failure than is reported to the client. If you
are
> ! confused about the reason for a failure, check the log.
> </para>
> </sect1>
>
> Index: doc/src/sgml/reference.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/reference.sgml,v
> retrieving revision 1.24
> diff -c -r1.24 reference.sgml
> *** doc/src/sgml/reference.sgml 19 Mar 2002 02:18:11 -0000 1.24
> --- doc/src/sgml/reference.sgml 19 Mar 2002 05:51:45 -0000
> ***************
> *** 191,197 ****
> &initlocation;
> &ipcclean;
> &pgCtl;
> - &pgPasswd;
> &postgres;
> &postmaster;
>
> --- 191,196 ----
> Index: doc/src/sgml/ref/allfiles.sgml
> ===================================================================
> RCS file: /cvsroot/pgsql/doc/src/sgml/ref/allfiles.sgml,v
> retrieving revision 1.36
> diff -c -r1.36 allfiles.sgml
> *** doc/src/sgml/ref/allfiles.sgml 19 Mar 2002 02:18:12 -0000 1.36
> --- doc/src/sgml/ref/allfiles.sgml 19 Mar 2002 05:51:45 -0000
> ***************
> *** 125,131 ****
> <!entity pgCtl system "pg_ctl-ref.sgml">
> <!entity pgDump system "pg_dump.sgml">
> <!entity pgDumpall system "pg_dumpall.sgml">
> - <!entity pgPasswd system "pg_passwd.sgml">
> <!entity pgRestore system "pg_restore.sgml">
> <!entity pgTclSh system "pgtclsh.sgml">
> <!entity pgTkSh system "pgtksh.sgml">
> --- 125,130 ----
> Index: src/backend/libpq/Makefile
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/Makefile,v
> retrieving revision 1.29
> diff -c -r1.29 Makefile
> *** src/backend/libpq/Makefile 4 Mar 2002 01:46:02 -0000 1.29
> --- src/backend/libpq/Makefile 19 Mar 2002 05:51:45 -0000
> ***************
> *** 14,22 ****
>
> # be-fsstubs is here for historical reasons, probably belongs
elsewhere
>
> ! OBJS = be-fsstubs.o \
> ! auth.o crypt.o hba.o md5.o password.o \
> ! pqcomm.o pqformat.o pqsignal.o
>
>
> all: SUBSYS.o
> --- 14,20 ----
>
> # be-fsstubs is here for historical reasons, probably belongs
elsewhere
>
> ! OBJS = be-fsstubs.o auth.o crypt.o hba.o md5.o pqcomm.o pqformat.o
pqsignal.o
>
>
> all: SUBSYS.o
> Index: src/backend/libpq/auth.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
> retrieving revision 1.79
> diff -c -r1.79 auth.c
> *** src/backend/libpq/auth.c 5 Mar 2002 07:57:45 -0000 1.79
> --- src/backend/libpq/auth.c 19 Mar 2002 05:51:57 -0000
> ***************
> *** 34,40 ****
> #include "miscadmin.h"
>
> static void sendAuthRequest(Port *port, AuthRequest areq);
> - static int checkPassword(Port *port, char *user, char *password);
> static int old_be_recvauth(Port *port);
> static int map_old_to_new(Port *port, UserAuth old, int status);
> static void auth_failed(Port *port, int status);
> --- 34,39 ----
> ***************
> *** 381,387 ****
> saved = port->auth_method;
> port->auth_method = uaPassword;
>
> ! status = checkPassword(port, user, password);
>
> port->auth_method = saved;
>
> --- 380,386 ----
> saved = port->auth_method;
> port->auth_method = uaPassword;
>
> ! status = md5_crypt_verify(port, user, password);
>
> port->auth_method = saved;
>
> ***************
> *** 663,669 ****
>
> initStringInfo(&buf);
> pq_getstr(&buf);
> !
> /* Do not echo failed password to logs, for security. */
> elog(DEBUG5, "received PAM packet");
>
> --- 662,668 ----
>
> initStringInfo(&buf);
> pq_getstr(&buf);
> !
> /* Do not echo failed password to logs, for security. */
> elog(DEBUG5, "received PAM packet");
>
> ***************
> *** 810,832 ****
> /* Do not echo failed password to logs, for security. */
> elog(DEBUG5, "received password packet");
>
> ! result = checkPassword(port, port->user, buf.data);
> pfree(buf.data);
> return result;
> - }
> -
> -
> - /*
> - * Handle `password' and `crypt' records. If an auth argument was
> - * specified, use the respective file. Else use pg_shadow
passwords.
> - */
> - static int
> - checkPassword(Port *port, char *user, char *password)
> - {
> - if (port->auth_arg[0] != '\0')
> - return verify_password(port, user, password);
> -
> - return md5_crypt_verify(port, user, password);
> }
>
>
> --- 809,818 ----
> /* Do not echo failed password to logs, for security. */
> elog(DEBUG5, "received password packet");
>
> ! result = md5_crypt_verify(port, port->user, buf.data);
> !
> pfree(buf.data);
> return result;
> }
>
>
> Index: src/backend/libpq/hba.c
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/hba.c,v
> retrieving revision 1.80
> diff -c -r1.80 hba.c
> *** src/backend/libpq/hba.c 4 Mar 2002 01:46:03 -0000 1.80
> --- src/backend/libpq/hba.c 19 Mar 2002 05:51:58 -0000
> ***************
> *** 54,59 ****
> --- 54,60 ----
> static List *hba_lines = NIL; /* pre-parsed contents of hba file
*/
> static List *ident_lines = NIL; /* pre-parsed contents of ident
file */
>
> + static List *tokenize_file(FILE *file);
>
> /*
> * Some standard C libraries, including GNU, have an isblank()
function.
> ***************
> *** 79,111 ****
> next_token(FILE *fp, char *buf, const int bufsz)
> {
> int c;
> ! char *eb = buf + (bufsz - 1);
>
> ! /* Move over initial token-delimiting blanks */
> ! while ((c = getc(fp)) != EOF && isblank(c))
> ! ;
> !
> ! if (c != EOF && c != '\n')
> {
> ! /*
> ! * build a token in buf of next characters up to EOF, eol, or
> ! * blank. If the token gets too long, we still parse it
> ! * correctly, but the excess characters are not stored into *buf.
> ! */
> ! while (c != EOF && c != '\n' && !isblank(c))
> {
> ! if (buf < eb)
> ! *buf++ = c;
> ! c = getc(fp);
> }
>
> ! /*
> ! * Put back the char right after the token (critical in case it is
> ! * eol, since we need to detect end-of-line at next call).
> ! */
> ! if (c != EOF)
> ! ungetc(c, fp);
> ! }
> *buf = '\0';
> }
>
> --- 80,136 ----
> next_token(FILE *fp, char *buf, const int bufsz)
> {
> int c;
> ! char *end_buf = buf + (bufsz - 1);
> ! char quote = '\0';
> ! bool is_quote;
>
> ! do
> {
> ! /* Move over initial token-delimiting blanks */
> ! while ((c = getc(fp)) != EOF && isblank(c))
> ! ;
> !
> ! if (c != EOF && c != '\n')
> {
> ! /*
> ! * build a token in buf of next characters up to EOF, eol, or
> ! * blank. If the token gets too long, we still parse it
> ! * correctly, but the excess characters are not stored into *buf.
> ! */
> ! while (c != EOF && c != '\n' && (!isblank(c) || quote != '\0'))
> ! {
> ! is_quote = false;
> ! if (c == '"' || c == '\'')
> ! {
> ! /* Allow single or double quoted strings, strip quotes */
> ! if (quote == '\0')
> ! {
> ! quote = c;
> ! is_quote = true;
> ! }
> ! else if (c == quote)
> ! {
> ! quote = '\0';
> ! is_quote = true;
> ! }
> ! }
> !
> ! if (!is_quote && buf < end_buf)
> ! *buf++ = c;
> ! c = getc(fp);
> ! }
> !
> ! /*
> ! * Put back the char right after the token (critical in case it is
> ! * eol, since we need to detect end-of-line at next call).
> ! */
> ! if (c != EOF)
> ! ungetc(c, fp);
> }
>
> ! /* If the token has a trailing comma, get another token */
> ! } while (*buf == ',' && c != EOF && c != '\n');
> !
> *buf = '\0';
> }
>
> ***************
> *** 121,126 ****
> --- 146,241 ----
>
>
> /*
> + * Free memory used by lines/tokens (ie, structure built by
tokenize_file)
> + */
> + static void
> + free_lines(List **lines)
> + {
> + if (*lines)
> + {
> + List *line,
> + *token;
> +
> + foreach(line, *lines)
> + {
> + List *ln = lfirst(line);
> +
> + /* free the pstrdup'd tokens (don't try it on the line number) */
> + foreach(token, lnext(ln))
> + pfree(lfirst(token));
> + /* free the sublist structure itself */
> + freeList(ln);
> + }
> + /* free the list structure itself */
> + freeList(*lines);
> + /* clear the static variable */
> + *lines = NIL;
> + }
> + }
> +
> +
> + static char *
> + tokenize_at_file(const char *at_filename)
> + {
> + char *at_fullname;
> + FILE *at_file;
> + List *at_lines;
> + List *line;
> + char *comma_str = NULL;
> + List *token;
> +
> + at_fullname = (char *) palloc(strlen(DataDir) +
> + strlen(at_filename) + 2);
> + strcpy(at_fullname, DataDir);
> + strcat(at_fullname, "/");
> + strcat(at_fullname, at_filename);
> +
> + at_file = AllocateFile(at_fullname, PG_BINARY_R);
> + if (!at_file)
> + {
> + elog(LOG, "tokenize_at_file: Unable to open secondary
authentication file \"@%s\" as \"%s\": %m",
> + at_filename, at_fullname);
> + pfree(at_fullname);
> +
> + /* return empty string, it matches nothing */
> + return pstrdup("");
> + }
> + pfree(at_fullname);
> +
> + /* There is possible recursion here if the file contains @ */
> + at_lines = tokenize_file(at_file);
> +
> + /* Create comma-separate string from List */
> + foreach(line, at_lines)
> + {
> + List *ln = lfirst(line);
> +
> + /* First entry is line number */
> + foreach(token, lnext(ln))
> + {
> + if (comma_str != NULL)
> + {
> + comma_str = repalloc(comma_str,
> + strlen(comma_str) + strlen(lfirst(token)) + 2);
> + strcat(comma_str, ",");
> + strcat(comma_str, lfirst(token));
> + }
> + else
> + {
> + comma_str = palloc(strlen(lfirst(token))+1);
> + strcpy(comma_str, lfirst(token));
> + }
> +
> + }
> + }
> + free_lines(&at_lines);
> + FreeFile(at_file);
> +
> + return comma_str;
> + }
> +
> +
> + /*
> * Read the given file and create a list of line sublists.
> */
> static List *
> ***************
> *** 150,157 ****
> next_line = makeListi1(line_number);
> lines = lappend(lines, next_line);
> }
> ! /* append token to current line's list */
> ! next_line = lappend(next_line, pstrdup(buf));
> }
> else
> {
> --- 265,277 ----
> next_line = makeListi1(line_number);
> lines = lappend(lines, next_line);
> }
> ! /* Is this referencing a file? */
> ! if (buf[0] != '@')
> ! /* append token to current line's list */
> ! next_line = lappend(next_line, pstrdup(buf));
> ! else
> ! /* Already palloc'ed */
> ! next_line = lappend(next_line, tokenize_at_file(buf+1));
> }
> else
> {
> ***************
> *** 175,206 ****
> }
>
>
> ! /*
> ! * Free memory used by lines/tokens (ie, structure built by
tokenize_file)
> ! */
> ! static void
> ! free_lines(List **lines)
> {
> ! if (*lines)
> {
> ! List *line,
> ! *token;
>
> - foreach(line, *lines)
> - {
> - List *ln = lfirst(line);
>
> ! /* free the pstrdup'd tokens (don't try it on the line number) */
> ! foreach(token, lnext(ln))
> ! pfree(lfirst(token));
> ! /* free the sublist structure itself */
> ! freeList(ln);
> ! }
> ! /* free the list structure itself */
> ! freeList(*lines);
> ! /* clear the static variable */
> ! *lines = NIL;
> }
> }
>
>
> --- 295,329 ----
> }
>
>
> ! static int
> ! check_db(char *dbname, char *user, char *param_str)
> {
> ! char *tok;
> !
> ! for (tok = strtok(param_str, ","); tok != NULL; tok = strtok(NULL,
","))
> {
> ! if (strcmp(tok, dbname) == 0 ||
> ! strcmp(tok, "all") == 0 ||
> ! (strcmp(tok, "sameuser") == 0 &&
> ! strcmp(dbname, user) == 0))
> ! return 1;
> ! }
> ! return 0;
> ! }
>
>
> ! static int
> ! check_user(char *user, char *param_str)
> ! {
> ! char *tok;
> !
> ! for (tok = strtok(param_str, ","); tok != NULL; tok = strtok(NULL,
","))
> ! {
> ! if (strcmp(tok, user) == 0 ||
> ! strcmp(tok, "all") == 0)
> ! return 1;
> }
> + return 0;
> }
>
>
> ***************
> *** 278,283 ****
> --- 401,407 ----
> int line_number;
> char *token;
> char *db;
> + char *user;
>
> Assert(line != NIL);
> line_number = lfirsti(line);
> ***************
> *** 293,302 ****
> goto hba_syntax;
> db = lfirst(line);
>
> ! /* Read the rest of the line. */
> line = lnext(line);
> if (!line)
> goto hba_syntax;
> parse_hba_auth(line, &port->auth_method, port->auth_arg, error_p);
> if (*error_p)
> goto hba_syntax;
> --- 417,433 ----
> goto hba_syntax;
> db = lfirst(line);
>
> ! /* Get the user. */
> ! line = lnext(line);
> ! if (!line)
> ! goto hba_syntax;
> ! user = lfirst(line);
> !
> line = lnext(line);
> if (!line)
> goto hba_syntax;
> +
> + /* Read the rest of the line. */
> parse_hba_auth(line, &port->auth_method, port->auth_arg, error_p);
> if (*error_p)
> goto hba_syntax;
> ***************
> *** 308,322 ****
> port->auth_method == uaKrb5)
> goto hba_syntax;
>
> ! /*
> ! * If this record doesn't match the parameters of the connection
> ! * attempt, ignore it.
> ! */
> ! if ((strcmp(db, port->database) != 0 &&
> ! strcmp(db, "all") != 0 &&
> ! (strcmp(db, "sameuser") != 0 ||
> ! strcmp(port->database, port->user) != 0)) ||
> ! port->raddr.sa.sa_family != AF_UNIX)
> return;
> }
> else if (strcmp(token, "host") == 0 || strcmp(token, "hostssl") ==
0)
> --- 439,445 ----
> port->auth_method == uaKrb5)
> goto hba_syntax;
>
> ! if (port->raddr.sa.sa_family != AF_UNIX)
> return;
> }
> else if (strcmp(token, "host") == 0 || strcmp(token, "hostssl") ==
0)
> ***************
> *** 347,352 ****
> --- 470,481 ----
> goto hba_syntax;
> db = lfirst(line);
>
> + /* Get the user. */
> + line = lnext(line);
> + if (!line)
> + goto hba_syntax;
> + user = lfirst(line);
> +
> /* Read the IP address field. */
> line = lnext(line);
> if (!line)
> ***************
> *** 371,390 ****
> if (*error_p)
> goto hba_syntax;
>
> ! /*
> ! * If this record doesn't match the parameters of the connection
> ! * attempt, ignore it.
> ! */
> ! if ((strcmp(db, port->database) != 0 &&
> ! strcmp(db, "all") != 0 &&
> ! (strcmp(db, "sameuser") != 0 ||
> ! strcmp(port->database, port->user) != 0)) ||
> ! port->raddr.sa.sa_family != AF_INET ||
> ((file_ip_addr.s_addr ^ port->raddr.in.sin_addr.s_addr) &
mask.s_addr) != 0)
> return;
> }
> else
> goto hba_syntax;
>
> /* Success */
> *found_p = true;
> --- 500,517 ----
> if (*error_p)
> goto hba_syntax;
>
> ! /* Must meet network restrictions */
> ! if (port->raddr.sa.sa_family != AF_INET ||
> ((file_ip_addr.s_addr ^ port->raddr.in.sin_addr.s_addr) &
mask.s_addr) != 0)
> return;
> }
> else
> goto hba_syntax;
> +
> + if (!check_db(port->database, port->user, db))
> + return;
> + if (!check_user(port->user, user))
> + return;
>
> /* Success */
> *found_p = true;
> Index: src/backend/libpq/pg_hba.conf.sample
> ===================================================================
> RCS file: /cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v
> retrieving revision 1.35
> diff -c -r1.35 pg_hba.conf.sample
> *** src/backend/libpq/pg_hba.conf.sample 8 Mar 2002 20:36:58 -0000
1.35
> --- src/backend/libpq/pg_hba.conf.sample 19 Mar 2002 05:51:58 -0000
> ***************
> *** 42,63 ****
> #
> # Format:
> #
> ! # host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE
[AUTH_ARGUMENT]
> #
> ! # DBNAME can be:
> ! # o a database name
> ! # o "all", which means the record matches all databases
> ! # o "sameuser", which means users can only access databases
whose name
> ! # is the same as their username
> #
> ! # IP_ADDRESS and ADDRESS_MASK are standard dotted decimal IP
address and
> # mask values. IP addresses can only be specified numerically, not
as
> # domain or host names.
> #
> # Do not prevent the superuser from accessing the template1
database.
> # Various utility commands need access to template1.
> #
> ! # AUTH_TYPE and AUTH_ARGUMENT are described below.
> #
> #
> # hostssl
> --- 42,74 ----
> #
> # Format:
> #
> ! # host DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> #
> ! # DATABASE can be:
> ! # o a database name
> ! # o "sameuser", which means users can only access databases with
the
> ! # same name as their user name
> ! # o "all", which matches all databases
> ! # o a list of database names, separated by commas
> ! # o a file name containing database names, starting with '@'
> ! #
> ! # USER can be:
> ! # o a user name
> ! # o "all", which matches all users
> ! # o a list of user names, separated by commas
> ! # o a file name containing user names, starting with '@'
> #
> ! # Files read using '@' can contain comma-separated database/user
names,
> ! # or one name per line. The files can also contain comments using
'#'.
> ! #
> ! # IP_ADDRESS and MASK are standard dotted decimal IP address and
> # mask values. IP addresses can only be specified numerically, not
as
> # domain or host names.
> #
> # Do not prevent the superuser from accessing the template1
database.
> # Various utility commands need access to template1.
> #
> ! # AUTH_TYPE is described below.
> #
> #
> # hostssl
> ***************
> *** 65,74 ****
> #
> # The format of this record is identical to "host".
> #
> ! #
> ! #
> ! # It specifies hosts that required connection via secure SSL.
"host"
> ! # records allow SSL connections too, but "hostssl" only allows
SSL-secured
> # connections.
> #
> # This keyword is only available if the server was compiled with
SSL
> --- 76,83 ----
> #
> # The format of this record is identical to "host".
> #
> ! # It specifies hosts that require connection via secure SSL.
"host"
> ! # allows SSL connections too, but "hostssl" requires SSL-secured
> # connections.
> #
> # This keyword is only available if the server was compiled with
SSL
> ***************
> *** 82,91 ****
> # connections. Without this record, UNIX-socket connections are
disallowed
> #
> # Format:
> ! # local DBNAME AUTH_TYPE [AUTH_ARGUMENT]
> #
> # This format is identical to the "host" record type except there
are no
> ! # IP_ADDRESS and ADDRESS_MASK fields.
> #
> #
> #
> --- 91,100 ----
> # connections. Without this record, UNIX-socket connections are
disallowed
> #
> # Format:
> ! # local DATABASE USER AUTH_TYPE
> #
> # This format is identical to the "host" record type except there
are no
> ! # IP_ADDRESS and MASK fields.
> #
> #
> #
> ***************
> *** 96,152 ****
> # has an AUTH_TYPE.
> #
> # trust:
> ! # No authentication is done. Any valid username is accepted,
> # including the PostgreSQL superuser. This option should
> # be used only for hosts where all users are trusted.
> #
> - # password:
> - # Authentication is done by matching a password supplied
> - # in clear by the host. If no AUTH_ARGUMENT is used, the
> - # password is compared with the user's entry in the
> - # pg_shadow table.
> - #
> - # If AUTH_ARGUMENT is specified, the username is looked up
> - # in that file in the $PGDATA directory. If the username
> - # is found but there is no password, the password is looked
> - # up in pg_shadow. If a password exists in the file, it is
> - # used instead. These secondary files allow fine-grained
> - # control over who can access which databases and whether
> - # a non-default password is required. The same file can be
> - # used in multiple records for easier administration.
> - # Password files can be maintained with the pg_passwd(1)
> - # utility. Remember, these passwords override pg_shadow
> - # passwords. Also, such passwords are passed over the network
> - # in cleartext, meaning this should not be used on untrusted
> - # networks.
> - #
> # md5:
> ! # Same as "password", except the password is encrypted over the
> ! # network. This method is preferable to "password" and "crypt"
> ! # except for pre-7.2 clients that don't support it. NOTE: md5
can
> ! # use usernames stored in secondary password files but ignores
> ! # passwords stored there. The pg_shadow password will always be
> ! # used.
> #
> # crypt:
> ! # Same as "md5", but uses crypt for pre-7.2 clients. You can
> ! # not store encrypted passwords in pg_shadow if you use this
> ! # method.
> #
> # ident:
> # For TCP/IP connections, authentication is done by contacting the
> # ident server on the client host. This is only as secure as the
> ! # client machine. On machines that support unix-domain socket
> ! # credentials (currently Linux, FreeBSD, NetBSD, and BSD/OS), this
> ! # method also works for "local" connections.
> ! #
> ! # AUTH_ARGUMENT is required. It determines how to map remote user
> ! # names to PostgreSQL user names. If you use "sameuser", the user
> ! # names are assumed to be the identical. If not, AUTH_ARGUMENT is
> ! # assumed to be a map name found in the $PGDATA/pg_ident.conf
> ! # file. The connection is accepted if that file contains an entry
> ! # for this map name with the ident-supplied username and the
> ! # requested PostgreSQL username.
> #
> # krb4:
> # Kerberos V4 authentication is used. Allowed only for
> --- 105,142 ----
> # has an AUTH_TYPE.
> #
> # trust:
> ! # No authentication is done. Any valid user name is accepted,
> # including the PostgreSQL superuser. This option should
> # be used only for hosts where all users are trusted.
> #
> # md5:
> ! # Requires the client to supply an MD5 encrypted password for
> ! # authentication. This is the only method that allows encrypted
> ! # passwords to be stored in pg_shadow.
> #
> # crypt:
> ! # Same as "md5", but uses crypt for pre-7.2 clients.
> #
> + # password:
> + # Same as "md5", but the password is sent in cleartext over
> + # the network. This should not be used on untrusted
> + # networks.
> + #
> # ident:
> # For TCP/IP connections, authentication is done by contacting the
> # ident server on the client host. This is only as secure as the
> ! # client machine. You must specify the map name after the 'ident'
> ! # keyword. It determines how to map remote user names to
> ! # PostgreSQL user names. If you use "sameuser", the user names are
> ! # assumed to be identical. If not, the map name is looked up
> ! # in the $PGDATA/pg_ident.conf file. The connection is accepted if
> ! # that file contains an entry for this map name with the
> ! # ident-supplied username and the requested PostgreSQL username.
> ! #
> ! # On machines that support unix-domain socket credentials
> ! # (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows
> ! # reliable authentication of 'local' connections without ident
> ! # running on the local machine.
> #
> # krb4:
> # Kerberos V4 authentication is used. Allowed only for
> ***************
> *** 157,166 ****
> # TCP/IP connections, not for local UNIX-domain sockets.
> #
> # pam:
> ! # Authentication is passed off to PAM (PostgreSQL must be
> ! # configured --with-pam), using the default service name
> ! # "postgresql" - you can specify your own service name by
> ! # setting AUTH_ARGUMENT to the desired service name.
> #
> # reject:
> # Reject the connection. This is used to reject certain hosts
> --- 147,156 ----
> # TCP/IP connections, not for local UNIX-domain sockets.
> #
> # pam:
> ! # Authentication is done by PAM using the default service name
> ! # "postgresql". You can specify your own service name by adding
> ! # the service name after the 'pam' keyword. To use this option,
> ! # PostgreSQL must be configured --with-pam.
> #
> # reject:
> # Reject the connection. This is used to reject certain hosts
> ***************
> *** 177,236 ****
> # Allow any user on the local system to connect to any database
under any
> # username using Unix-domain sockets (the default for local
connections):
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # local all trust
> #
> # The same using local loopback TCP/IP connections:
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # host all 127.0.0.1 255.255.255.255 trust
> #
> # Allow any user from any host with IP address 192.168.93.x to
> # connect to database "template1" as the same username that ident
reports
> # for the connection (typically his Unix username):
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # host template1 192.168.93.0 255.255.255.0 ident
sameuser
> #
> # Allow a user from host 192.168.12.10 to connect to database
"template1"
> ! # if the user's password in pg_shadow is correctly supplied:
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # host template1 192.168.12.10 255.255.255.255 md5
> #
> # In the absence of preceding "host" lines, these two lines will
reject
> # all connection from 192.168.54.1 (since that entry will be
matched
> # first), but allow Kerberos V5 connections from anywhere else on
the
> # Internet. The zero mask means that no bits of the host IP
address are
> ! # considered, so it matches any host:
> #
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # host all 192.168.54.1 255.255.255.255 reject
> ! # host all 0.0.0.0 0.0.0.0 krb5
> #
> # Allow users from 192.168.x.x hosts to connect to any database if
they
> # pass the ident check. For example, if ident says the user is
"james" and
> # he requests to connect as PostgreSQL user "guest", the
connection is
> # allowed if there is an entry in $PGDATA/pg_ident.conf with map
name
> # "phoenix" that says "james" is allowed to connect as "guest":
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # host all 192.168.0.0 255.255.0.0 ident
phoenix
> #
> # If these are the only two lines for local connections, they will
allow
> # local users to connect only to their own databases (databases
with the
> # same name as their user name) except for administrators who may
connect
> # to all databases. The file $PGDATA/admins lists the user names
who are
> # permitted to connect to all databases. Passwords are required in
all
> ! # cases. (If you prefer to use ident authorization, an ident map
can
> ! # serve a parallel purpose to the password list file used here.)
> #
> ! # TYPE DATABASE IP_ADDRESS MASK
AUTH_TYPE AUTH_ARGUMENT
> ! # local sameuser md5
> ! # local all md5
admins
> #
> - # See $PGDATA/pg_ident.conf for more information on Ident maps.
> #
> #
> #
> --- 167,225 ----
> # Allow any user on the local system to connect to any database
under any
> # username using Unix-domain sockets (the default for local
connections):
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # local all all
trust
> #
> # The same using local loopback TCP/IP connections:
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # host all all 127.0.0.1 255.255.255.255
trust
> #
> # Allow any user from any host with IP address 192.168.93.x to
> # connect to database "template1" as the same username that ident
reports
> # for the connection (typically his Unix username):
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # host template1 all 192.168.93.0 255.255.255.0
ident sameuser
> #
> # Allow a user from host 192.168.12.10 to connect to database
"template1"
> ! # if the user's password is correctly supplied:
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # host template1 all 192.168.12.10 255.255.255.255
md5
> #
> # In the absence of preceding "host" lines, these two lines will
reject
> # all connection from 192.168.54.1 (since that entry will be
matched
> # first), but allow Kerberos V5 connections from anywhere else on
the
> # Internet. The zero mask means that no bits of the host IP
address are
> ! # considered so it matches any host:
> #
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # host all all 192.168.54.1 255.255.255.255
reject
> ! # host all all 0.0.0.0 0.0.0.0
krb5
> #
> # Allow users from 192.168.x.x hosts to connect to any database if
they
> # pass the ident check. For example, if ident says the user is
"james" and
> # he requests to connect as PostgreSQL user "guest", the
connection is
> # allowed if there is an entry in $PGDATA/pg_ident.conf with map
name
> # "phoenix" that says "james" is allowed to connect as "guest":
> + # See $PGDATA/pg_ident.conf for more information on Ident maps.
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # host all all 192.168.0.0 255.255.0.0
ident phoenix
> #
> # If these are the only two lines for local connections, they will
allow
> # local users to connect only to their own databases (databases
with the
> # same name as their user name) except for administrators who may
connect
> # to all databases. The file $PGDATA/admins lists the user names
who are
> # permitted to connect to all databases. Passwords are required in
all
> ! # cases.
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
> ! # local sameuser all
md5
> ! # local all @admins
md5
> #
> #
> #
> #
> ***************
> *** 250,256 ****
> # configuration is probably too liberal for you. Change it to use
> # something other than "trust" authentication.
> #
> ! # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE
AUTH_ARGUMENT
>
> ! local all trust
> ! host all 127.0.0.1 255.255.255.255 trust
> --- 239,245 ----
> # configuration is probably too liberal for you. Change it to use
> # something other than "trust" authentication.
> #
> ! # TYPE DATABASE USER IP_ADDRESS MASK
AUTH_TYPE
>
> ! local all all
trust
> ! host all all 127.0.0.1 255.255.255.255
trust
> Index: src/bin/Makefile
> ===================================================================
> RCS file: /cvsroot/pgsql/src/bin/Makefile,v
> retrieving revision 1.34
> diff -c -r1.34 Makefile
> *** src/bin/Makefile 18 Feb 2001 18:33:59 -0000 1.34
> --- src/bin/Makefile 19 Mar 2002 05:51:59 -0000
> ***************
> *** 14,20 ****
> include $(top_builddir)/src/Makefile.global
>
> DIRS := initdb initlocation ipcclean pg_ctl pg_dump pg_id \
> ! pg_passwd psql scripts pg_config
>
> ifdef MULTIBYTE
> DIRS += pg_encoding
> --- 14,20 ----
> include $(top_builddir)/src/Makefile.global
>
> DIRS := initdb initlocation ipcclean pg_ctl pg_dump pg_id \
> ! psql scripts pg_config
>
> ifdef MULTIBYTE
> DIRS += pg_encoding
>

----------------------------------------------------------------------
----------

>
> ---------------------------(end of
broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to
majordomo(at)postgresql(dot)org)
>

In response to

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message Rod Taylor 2002-03-19 12:35:20 Fixes gram.y
Previous Message Leif Mortenson 2002-03-19 06:51:36 JDBC PreparedStatement Memory Leak.