NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9f07cb7

committed

Add example of using 'sameuser' followed by 'all' pg_hba records to

enforce a limit on who can connect to databases other than their own.From a recent discussion in pg-admin.

1 parent09bf48c commit9f07cb7Copy full SHA for 9f07cb7

File tree

2 files changed

+75

-43

lines changed

doc/src/sgml
- client-auth.sgml
src/backend/libpq
- pg_hba.conf.sample

2 files changed

+75

-43

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 36 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.26 2001/11/12 19:19:39 petere Exp $ -->`
	`1`	`+<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.27 2001/11/18 23:24:16 tgl Exp $ -->`
`2`	`2`
`3`	`3`	`<chapter id="client-authentication">`
`4`	`4`	`<title>Client Authentication</title>`
`@@ -27,9 +27,10 @@`
`27`	`27`	`</para>`
`28`	`28`
`29`	`29`	`<para>`
`30`		`- <productname>Postgres</productname> offers client authentication by`
`31`		`- (client) host and by database, with a number of different`
`32`		`- authentication methods available.`
	`30`	`+ <productname>Postgres</productname> offers a number of different`
	`31`	`+ client authentication methods. The method to be used can be selected`
	`32`	`+ on the basis of (client) host and database; some authentication methods`
	`33`	`+ allow you to restrict by user name as well.`
`33`	`34`	`</para>`
`34`	`35`
`35`	`36`	`<para>`
`@@ -197,16 +198,15 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable`
`197`	`198`	`<term><literal>password</></term>`
`198`	`199`	`<listitem>`
`199`	`200`	`<para>`
`200`		`- The client is required to supply a password with the connection`
`201`		`- attempt which is required to match the password that was set up`
`202`		`- for the user.`
	`201`	`+ The client is required to supply a password which is required to`
	`202`	`+ match the database password that was set up for the user.`
`203`	`203`	`</para>`
`204`	`204`
`205`	`205`	`<para>`
`206`	`206`	`An optional file name may be specified after the`
`207`	`207`	`<literal>password</literal> keyword. This file is expected to`
`208`		`- contain a list of usersthat this record pertains to, and`
`209`		`- optionally alternative passwords.`
	`208`	`+ contain a list of userswho may connect using this record,`
	`209`	`+andoptionally alternative passwords for them.`
`210`	`210`	`</para>`
`211`	`211`
`212`	`212`	`<para>`
`@@ -224,9 +224,14 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable`
`224`	`224`	`Like the <literal>password</literal> method, but the password`
`225`	`225`	`is sent over the wire encrypted using a simple`
`226`	`226`	`challenge-response protocol. This protects against incidental`
`227`		`- wire-sniffing. The name of a file may follow the`
	`227`	`+ wire-sniffing. This is now the recommended choice for`
	`228`	`+ password-based authentication.`
	`229`	`+ </para>`
	`230`	`+`
	`231`	`+ <para>`
	`232`	`+ The name of a file may follow the`
`228`	`233`	`<literal>md5</literal> keyword. It contains a list of users`
`229`		`-for this record.`
	`234`	`+who may connect using this record.`
`230`	`235`	`</para>`
`231`	`236`	`</listitem>`
`232`	`237`	`</varlistentry>`
`@@ -236,9 +241,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable`
`236`	`241`	`<listitem>`
`237`	`242`	`<para>`
`238`	`243`	`Like the <literal>md5</literal> method but uses older crypt`
`239`		`- authentication for pre-7.2 clients. <literal>md5</literal> is`
	`244`	`+ encryption, which is needed for pre-7.2`
	`245`	`+ clients. <literal>md5</literal> is`
`240`	`246`	`preferred for 7.2 and later clients. The <literal>crypt</>`
`241`		`- method isalsonot compatible with encrypting passwords in`
	`247`	`+ method is not compatible with encrypting passwords in`
`242`	`248`	`<filename>pg_shadow</>, and may fail if client and server`
`243`	`249`	`machines have different implementations of the crypt() library`
`244`	`250`	`routine.`
`@@ -333,7 +339,7 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable`
`333`	`339`	`<listitem>`
`334`	`340`	`<para>`
`335`	`341`	`This field is interpreted differently depending on the`
`336`		`- authentication method, as describedthere.`
	`342`	`+ authentication method, as describedabove.`
`337`	`343`	`</para>`
`338`	`344`	`</listitem>`
`339`	`345`	`</varlistentry>`
`@@ -412,6 +418,17 @@ host all 0.0.0.0 0.0.0.0 krb5`
`412`	`418`	`# says "bryanh" is allowed to connect as "guest1":`
`413`	`419`
`414`	`420`	`host all 192.168.0.0 255.255.0.0 ident omicron`
	`421`	`+`
	`422`	`+# If these are the only two lines for local connections, they will allow`
	`423`	`+# local users to connect only to their own databases (database named the`
	`424`	`+# same as the user name), except for administrators who may connect to`
	`425`	`+# all databases. The file $PGDATA/admins lists the user names who are`
	`426`	`+# permitted to connect to all databases. Passwords are required in all`
	`427`	`+# cases. (If you prefer to use ident authorization, an ident map can`
	`428`	`+# serve a parallel purpose to the password list file used here.)`
	`429`	`+`
	`430`	`+local sameuser md5`
	`431`	`+local all md5 admins`
`415`	`432`	`</programlisting>`
`416`	`433`	`</example>`
`417`	`434`	`</para>`
`@@ -434,7 +451,7 @@ host all 192.168.0.0 255.255.0.0 ident omicron`
`434`	`451`	`</indexterm>`
`435`	`452`
`436`	`453`	`<para>`
`437`		`- <productname>Postgres</> database passwords are separate from any`
	`454`	`+ <productname>Postgres</> database passwords are separate from`
`438`	`455`	`operating system user passwords. Ordinarily, the password for each`
`439`	`456`	`database user is stored in the pg_shadow system catalog table.`
`440`	`457`	`Passwords can be managed with the query language commands`
`@@ -453,8 +470,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron`
`453`	`470`	`<literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,`
`454`	`471`	`respectively, in <filename>pg_hba.conf</>. If you do not use this`
`455`	`472`	`feature, then any user that is known to the database system can`
`456`		`- connect to any database (so long as hepassespassword`
`457`		`-authentication,of course).`
	`473`	`+ connect to any database (so long as hesupplies the correctpassword,`
	`474`	`+ of course).`
`458`	`475`	`</para>`
`459`	`476`
`460`	`477`	`<para>`
`@@ -492,8 +509,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron`
`492`	`509`	`<para>`
`493`	`510`	`Note that using alternative passwords like this means that one can`
`494`	`511`	`no longer use <command>ALTER USER</command> to change one's`
`495`		`- password. It willstillappear to work but the password one is`
`496`		`-actuallychanging is not the password that the system will end up`
	`512`	`+ password. It will appear to work but the password one is`
	`513`	`+ changing is not the password that the system will end up`
`497`	`514`	`using.`
`498`	`515`	`</para>`
`499`	`516`

`‎src/backend/libpq/pg_hba.conf.sample`

Lines changed: 39 additions & 24 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,13 @@`
`16`	`16`	`# Blank lines are ignored. A record consists of tokens separated by`
`17`	`17`	`# multiple spaces or tabs.`
`18`	`18`	`#`
	`19`	`+# Each record specifies the authentication method to be used for connections`
	`20`	`+# of a certain type that match a certain set of IP addresses (if relevant`
	`21`	`+# for the connection type) and a certain database or databases. The`
	`22`	`+# postmaster finds the first record that matches the connection type,`
	`23`	`+# client address, and database name, and uses that record to perform client`
	`24`	`+# authentication. If no record matches, the connection is rejected.`
	`25`	`+#`
`19`	`26`	`# The first token of a record indicates its type. The remainder of the`
`20`	`27`	`# record is interpreted based on its type.`
`21`	`28`	`#`
`@@ -30,7 +37,7 @@`
`30`	`37`	`# host`
`31`	`38`	`# ----`
`32`	`39`	`#`
`33`		`-# This record identifiesthenetworked hosts that are permitted to connect`
	`40`	`+# This record identifies networked hosts that are permitted to connect`
`34`	`41`	`# via IP connections.`
`35`	`42`	`#`
`36`	`43`	`# Format:`
`@@ -48,12 +55,7 @@`
`48`	`55`	`# domain or host names.`
`49`	`56`	`#`
`50`	`57`	`# AUTH_TYPE and AUTH_ARGUMENT are described below.`
`51`		`-#`
`52`		`-# There can be multiple "host" records, possibly with overlapping sets of`
`53`		`-# host addresses. The postmaster finds the first entry that matches the`
`54`		`-# connecting host IP address and the requested database name. If no entry`
`55`		`-# matches the database/hostname combination, the connection is rejected.`
`56`		`-#`
	`58`	`+#`
`57`	`59`	`#`
`58`	`60`	`# hostssl`
`59`	`61`	`# -------`
`@@ -62,8 +64,8 @@`
`62`	`64`	`#`
`63`	`65`	`# This record identifies a set of network hosts that are permitted to`
`64`	`66`	`# connect to databases over secure SSL IP connections. Note that a "host"`
`65`		`-# record will also allow SSL connections. "hostssl"forces these`
`66`		`-#hosts to use onlySSL-secured connections.`
	`67`	`+# record will also allow SSL connections. "hostssl"matches only`
	`68`	`+# SSL-secured connections.`
`67`	`69`	`#`
`68`	`70`	`# This keyword is only available if the server was compiled with SSL`
`69`	`71`	`# support enabled.`
`@@ -81,10 +83,7 @@`
`81`	`83`	`#`
`82`	`84`	`# This format is identical to the "host" record type except the IP_ADDRESS`
`83`	`85`	`# and ADDRESS_MASK fields are omitted.`
`84`		`-#`
`85`		`-# As with "host" records, the first "local" record matching the requested`
`86`		`-# database name is used.`
`87`		`-#`
	`86`	`+#`
`88`	`87`	`#`
`89`	`88`	`#`
`90`	`89`	`# Authentication Types (AUTH_TYPE)`
`@@ -105,24 +104,26 @@`
`105`	`104`	`#`
`106`	`105`	`# If AUTH_ARGUMENT is specified, the username is looked up`
`107`	`106`	`# in that file in the $PGDATA directory. If the username`
`108`		`-#exists but there is no password, the password is looked`
	`107`	`+#is found but there is no password, the password is looked`
`109`	`108`	`# up in pg_shadow. If a password exists in the file, it is`
`110`		`-#itused instead. These secondary files allow fine-grained`
	`109`	`+# used instead. These secondary files allow fine-grained`
`111`	`110`	`# control over who can access which databases and whether`
`112`		`-# a non-defaultpasswords are required. The same file can be`
	`111`	`+# a non-defaultpassword is required. The same file can be`
`113`	`112`	`# used in multiple records for easier administration.`
`114`	`113`	`# Password files can be maintained with the pg_passwd(1)`
`115`	`114`	`# utility. Remember, these passwords override pg_shadow`
`116`	`115`	`# passwords.`
`117`	`116`	`#`
`118`		`-# md5: Same as "password", but authentication is done by`
`119`		`-#encrypting the password sent over the network. This is`
`120`		`-#always preferable to "password" except for pre-7.2 clients`
`121`		`-#that don't support it. Also, md5 can use usernames stored`
`122`		`-#in secondary password files but not passwords stored there.`
	`117`	`+# md5: Same as "password", but the password is encrypted while`
	`118`	`+#being sent over the network. This method is preferable to`
	`119`	`+#"password" except for pre-7.2 clients that don't support it.`
	`120`	`+#NOTE: md5 can use usernames stored in secondary password`
	`121`	`+#files but ignores passwords stored there. The pg_shadow`
	`122`	`+#password will always be used.`
`123`	`123`	`#`
`124`	`124`	`# crypt: Same as "md5", but uses crypt for pre-7.2 clients. You can`
`125`		`-#not store encrypted passwords if you use this option.`
	`125`	`+#not store encrypted passwords in pg_shadow if you use this`
	`126`	`+#method.`
`126`	`127`	`#`
`127`	`128`	`# ident:For TCP/IP connections, authentication is done by contacting`
`128`	`129`	`#the ident server on the client host. Remember, this is`
`@@ -168,7 +169,7 @@`
`168`	`169`	`# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT`
`169`	`170`	`# local all trust`
`170`	`171`	`#`
`171`		`-# The same usingIP connections on the same machine:`
	`172`	`+# The same usinglocal loopback IP connections:`
`172`	`173`	`# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT`
`173`	`174`	`# host all 127.0.0.1 255.255.255.255 trust`
`174`	`175`	`#`
`@@ -204,14 +205,28 @@`
`204`	`205`	`#`
`205`	`206`	`# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT`
`206`	`207`	`# host all 192.168.0.0 255.255.0.0 ident phoenix`
	`208`	`+#`
	`209`	`+# If these are the only two lines for local connections, they will allow`
	`210`	`+# local users to connect only to their own databases (database named the`
	`211`	`+# same as the user name), except for administrators who may connect to`
	`212`	`+# all databases. The file $PGDATA/admins lists the user names who are`
	`213`	`+# permitted to connect to all databases. Passwords are required in all`
	`214`	`+# cases. (If you prefer to use ident authorization, an ident map can`
	`215`	`+# serve a parallel purpose to the password list file used here.)`
	`216`	`+#`
	`217`	`+# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT`
	`218`	`+# local sameuser md5`
	`219`	`+# local all md5 admins`
`207`	`220`	`#`
`208`	`221`	`# See $PGDATA/pg_ident.conf for more information on Ident maps.`
	`222`	`+#`
	`223`	`+#`
`209`	`224`	`#`
`210`	`225`	`# Put your actual configuration here`
`211`	`226`	`# ==================================`
`212`	`227`	`#`
`213`	`228`	`# This default configuration allows any local user to connect with any`
`214`		`-# PostgreSQL username, over either UNIX domain sockets or IP:`
	`229`	`+# PostgreSQL username, over either UNIX domain sockets or IP.`
`215`	`230`	`#`
`216`	`231`	`# If you want to allow non-local connections, you will need to add more`
`217`	`232`	`# "host" records. Also, remember IP connections are only enabled if you`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9f07cb7

File tree

2 files changed

2 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/pg_hba.conf.sample`

0 commit comments