Re: Need reference doc on precedence/ordering for pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Kris Deugau <kdeugau(at)vianet(dot)ca>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Need reference doc on precedence/ordering for pg_hba.conf
Date: 2006-03-01 23:01:01
Message-ID: 16668.1141254061@sss.pgh.pa.us
Lists: pgsql-admin

Kris Deugau <kdeugau(at)vianet(dot)ca> writes:
> Failing that, a diagnostic poke to the head to tell me where in this
> config I should put entries that refer to both local socket connections
> and remote TCP/IP connections for one specific database that I want MD5
> (or crypt, for the old 6.x client :/ ) authentication on:

The rule is very simple: the first entry that is able to match an
incoming connection request is the one that's used. "Match" is on
the basis of connection type (local or TCP) and the requested database
name and user name. When the match occurs, the connection is checked
using the specified auth method, and if that fails then it's rejected.

The relative positioning of "local" and "host" entries is therefore
irrelevant, because they can never both match the same connection
request. The relative order of "local" entries is important, and
so is the relative order of "host" entries.

> # From Debian Sarge stock install
> local all postgres ident sameuser
> local all all ident sameuser

The first one is really redundant since the second one would match
all the same connections (i.e., local connections with username postgres)
and it specifies the same handling.

> # Added for local software using PG
> local template1 all ident
> local sameuser all md5
> local all root trust

These three are all complete no-ops where you have them, because the
local/all/all entry will already have siphoned off every possible local
connection. You'd need to put them in front of the local/all/all entry
if you want them to do anything. Note however that you almost certainly
do not want that "trust" entry, since it'd allow anyone local to connect
by saying e.g. "psql -U root". There's not a lot of point in intermixing
trust and non-trust methods for connections from the same machine.

> # More entries from stock Debian package
> host all all 127.0.0.1 255.255.255.255 ident sameuser
> host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser
> host all all ::ffff:127.0.0.1/128 ident sameuser
>
> # another local config - the real entry contains a real IP
> host all all [host IP] 255.255.255.255 trust

These seem reasonably sane assuming that's what you want. Their
relative order doesn't matter since no two can match the same
connection. (I think --- I don't recall at the moment if 127.0.0.1
can match an IPv6 connection on ::ffff:127.0.0.1.)

> # Last stock entry
> host all all 0.0.0.0 0.0.0.0 reject

This one is a waste of space, since the default is to reject anyway
if there's no match.

regards, tom lane
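A small simulator of the first-match rule described above, written as an added example for this page; it is neither code from the thread nor PostgreSQL's own pg_hba.conf parser. It walks the entries exactly as the reply describes (connection type, then database, then user, then the client address for "host" entries), reports which entries can never fire because an earlier entry of the same type already covers them, and shows what the quoted config does before and after the reordering the reply recommends. Assumptions: the pre-9.x syntax used in the thread (address plus separate netmask, or CIDR); IPv4 entries match only IPv4 clients and IPv6 entries only IPv6 clients, so it takes no position on the ::ffff:127.0.0.1 question raised above; the redacted "[host IP]" is replaced by the documentation-range address 192.0.2.10; and options after the method (the "sameuser" ident map) are kept but not interpreted.

```python
"""Simulate pg_hba.conf first-match resolution (added example, not PostgreSQL code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    conn_type: str                 # "local" or "host"
    database: str                  # database name, "all" or "sameuser"
    user: str                      # role name or "all"
    method: str                    # trust, reject, ident, md5, ...
    options: str                   # e.g. the ident map name; not interpreted here
    network: Optional[Network]     # client network; None for "local" entries
    text: str                      # the entry as written, for reporting


@dataclass
class Conn:
    conn_type: str
    database: str
    user: str
    address: Optional[str] = None  # client IP, required for "host" connections


def _netmask_to_prefix(addr: ipaddress._BaseAddress, mask: str) -> int:
    """Convert the old separate-netmask form to a prefix length; reject
    masks of the wrong family or with non-contiguous ones."""
    m = ipaddress.ip_address(mask)
    if m.version != addr.version:
        raise ValueError(f"netmask {mask} does not match address family of {addr}")
    ones = bin(int(m)).count("1")
    if int(m) != (((1 << ones) - 1) << (m.max_prefixlen - ones)):
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones


def parse_hba(text: str) -> List[Rule]:
    """Parse "local" and "host" entries; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) < 4:
                raise ValueError(f"malformed local entry: {line}")
            rules.append(Rule("local", f[1], f[2], f[3], " ".join(f[4:]), None, line))
        elif f[0] == "host":
            if len(f) < 5:
                raise ValueError(f"malformed host entry: {line}")
            if "/" in f[3]:                       # CIDR form: host db user addr/len method
                net, rest = ipaddress.ip_network(f[3], strict=False), f[4:]
            else:                                 # old form: host db user addr mask method
                addr = ipaddress.ip_address(f[3])
                prefix = _netmask_to_prefix(addr, f[4])
                net, rest = ipaddress.ip_network(f"{addr}/{prefix}", strict=False), f[5:]
            if not rest:
                raise ValueError(f"missing auth method: {line}")
            rules.append(Rule("host", f[1], f[2], rest[0], " ".join(rest[1:]), net, line))
        else:
            raise ValueError(f"unsupported entry type: {line}")
    return rules


def matches(rule: Rule, conn: Conn) -> bool:
    if rule.conn_type != conn.conn_type:
        return False                               # "local" and "host" never collide
    if rule.conn_type == "host":
        if conn.address is None:
            raise ValueError("host connection needs a client address")
        addr = ipaddress.ip_address(conn.address)
        # Assumption: an IPv4 entry matches only IPv4 clients and vice versa.
        if addr.version != rule.network.version or addr not in rule.network:
            return False
    if rule.database == "sameuser":
        if conn.database != conn.user:
            return False
    elif rule.database != "all" and rule.database != conn.database:
        return False
    if rule.user != "all" and rule.user != conn.user:
        return False
    return True


def resolve(rules: List[Rule], conn: Conn) -> str:
    """First matching entry decides the method; no match means rejection."""
    for rule in rules:
        if matches(rule, conn):
            return rule.method
    return "reject"


def shadowed(rules: List[Rule]) -> List[str]:
    """Entries that can never fire because an earlier entry of the same type
    covers every connection they could match (conservative: only pattern
    containment is detected, so some dead entries may be missed)."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.conn_type != later.conn_type:
                continue
            db_ok = earlier.database in ("all", later.database)
            user_ok = earlier.user in ("all", later.user)
            net_ok = later.conn_type == "local" or (
                earlier.network.version == later.network.version
                and later.network.subnet_of(earlier.network))
            if db_ok and user_ok and net_ok:
                dead.append(later.text)
                break
    return dead


# The config quoted in the thread; "[host IP]" replaced by a constructed address.
ORIGINAL = """
local all postgres ident sameuser
local all all ident sameuser
local template1 all ident
local sameuser all md5
local all root trust
host all all 127.0.0.1 255.255.255.255 ident sameuser
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser
host all all ::ffff:127.0.0.1/128 ident sameuser
host all all 192.0.2.10 255.255.255.255 trust
host all all 0.0.0.0 0.0.0.0 reject
"""

# The same entries with the specific "local" rules moved ahead of local/all/all,
# the redundant postgres entry, the root "trust" entry and the final reject dropped.
REORDERED = """
local template1 all ident
local sameuser all md5
local all all ident sameuser
host all all 127.0.0.1 255.255.255.255 ident sameuser
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser
host all all ::ffff:127.0.0.1/128 ident sameuser
host all all 192.0.2.10 255.255.255.255 trust
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("reordered", REORDERED)):
        rules = parse_hba(cfg)
        print(f"--- {name}: dead entries = {shadowed(rules)}")
        for conn in (Conn("local", "kdeugau", "kdeugau"),
                     Conn("local", "template1", "root"),
                     Conn("host", "kdeugau", "kdeugau", "192.0.2.10"),
                     Conn("host", "kdeugau", "kdeugau", "198.51.100.7")):
            print(f"{conn} -> {resolve(rules, conn)}")
```

Running it reports the three added "local" entries as dead in the original order, and shows the same local connection to a same-named database resolving to ident under the original file and to md5 after reordering; an unlisted remote client is rejected either way, with or without the trailing 0.0.0.0/0 reject line.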
