Re: Using both ident and password in pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "D'Arcy J(dot)M(dot) Cain" <darcy(at)druid(dot)net>
Cc: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Using both ident and password in pg_hba.conf
Date: 2016-05-09 22:15:16
Message-ID: 3533.1462832116@sss.pgh.pa.us
Lists: pgsql-general

"D'Arcy J.M. Cain" <darcy(at)druid(dot)net> writes:
> On Mon, 09 May 2016 17:12:22 -0400
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> If the same user id + database combinations might be valid in both
>> cases (from both PHP and manual connections) I think your only other
>> option for distinguishing which auth method to use is to make them
>> come in on different addresses. Can you set up a secondary IP
>> interface that only the PHP server uses, for example?

> I did think of that but how do I define that in pg_hba? The host field
> only specifies the remote IP, not the local one.

Right, but you'd be using it essentially as a loopback interface.
Say you set it up as 192.168.0.42 --- you'd tell PHP to connect to
Postgres on 192.168.0.42, and Postgres would also see the PHP connections
as coming in from 192.168.0.42.

I think on most modern OSes you can set up this sort of thing entirely in
software, not even needing a spare NIC card. I haven't done it that way
though.

> I had an idea that that wouldn't be so easy else we would have had it
> by now. However, I am not sure that that is what is needed. I was
> thinking of something like this:

> host all joe@nobody 192.168.151.75/32 password
> host all all 192.168.151.75/32 ident

> The "all@nobody" field is meant to specify that the remote user is
> nobody but that they are connecting as user joe.

As John noted, we don't have any idea what the "remote username" is
at the time we're scanning pg_hba.conf.

regards, tom lane
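
Added example, not part of the original message and not PostgreSQL's own code: a simplified Python model of how `host` records in pg_hba.conf are selected (first record matching database, role and client address decides the method, with no fall-through), showing why a dedicated address for PHP separates the two cases. The record layout, the database name `app` and the assignment of 192.168.151.75 to manual connections are assumptions.

```python
import ipaddress

# Constructed pg_hba.conf fragment (assumption): PHP reaches the server via the
# secondary address 192.168.0.42; manual connections arrive from 192.168.151.75.
PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS             METHOD
host    all       all   192.168.0.42/32     password
host    all       all   192.168.151.75/32   ident
"""

def parse_hba(text):
    """Parse 'host' records into (database, user, network, method) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "host":
            _, db, user, addr, method = fields
            rules.append((db, user, ipaddress.ip_network(addr), method))
    return rules

def auth_method(rules, database, user, client_addr):
    """Return the method of the first matching record; there is no fall-through."""
    ip = ipaddress.ip_address(client_addr)
    for db, role, net, method in rules:
        if db in ("all", database) and role in ("all", user) and ip in net:
            return method
    return "reject"  # no matching record: the connection is refused

RULES = parse_hba(PG_HBA)

# Same client address on both lines: for role joe the first record always
# wins, whoever the OS user on the client side is.
SHADOWED = parse_hba("""
host all joe 192.168.151.75/32 password
host all all 192.168.151.75/32 ident
""")

if __name__ == "__main__":
    for addr in ("192.168.0.42", "192.168.151.75", "10.0.0.9"):
        print(addr, "->", auth_method(RULES, "app", "joe", addr))
    print("shadowed:", auth_method(SHADOWED, "app", "joe", "192.168.151.75"))
```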
