1- <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.26 2001/11/12 19:19:39 petere Exp $ -->
1+ <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.27 2001/11/18 23:24:16 tgl Exp $ -->
22
33<chapter id="client-authentication">
44 <title>Client Authentication</title>
2727 </para>
2828
2929 <para>
30- <productname>Postgres</productname> offers client authentication by
31- (client) host and by database, with a number of different
32- authentication methods available.
30+ <productname>Postgres</productname> offers a number of different
31+ client authentication methods. The method to be used can be selected
32+ on the basis of (client) host and database; some authentication methods
33+ allow you to restrict by user name as well.
3334 </para>
3435
3536 <para>
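Review bot: the new sentence "some authentication methods allow you to restrict by user name as well" (new lines 32-33) leaves the reader guessing which methods those are; this same patch documents user lists for the password, md5 and crypt methods and an ident map in the example, so either name them here or point to the per-method descriptions in the pg_hba.conf record list below.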
@@ -197,16 +198,15 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
197198 <term><literal>password</></term>
198199 <listitem>
199200 <para>
200- The client is required to supply a password with the connection
201- attempt which is required to match the password that was set up
202- for the user.
201+ The client is required to supply a password which is required to
202+ match the database password that was set up for the user.
203203 </para>
204204
205205 <para>
206206 An optional file name may be specified after the
207207 <literal>password</literal> keyword. This file is expected to
208- contain a list of usersthat this record pertains to, and
209- optionally alternative passwords.
208+ contain a list of userswho may connect using this record,
209+ and optionally alternative passwords for them .
210210 </para>
211211
212212 <para>
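Review bot: "is required to supply a password which is required to match" (new line 201) repeats "required"; suggest "The client must supply a password, which must match the database password set up for the user." Since the md5 entry in this patch is declared the recommended choice for password-based authentication and is described as sending the password encrypted, this entry should say plainly that the password method sends the password unprotected over the wire, so a reader choosing between the two knows what the trade-off is.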
@@ -224,9 +224,14 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
224224 Like the <literal>password</literal> method, but the password
225225 is sent over the wire encrypted using a simple
226226 challenge-response protocol. This protects against incidental
227- wire-sniffing. The name of a file may follow the
227+ wire-sniffing. This is now the recommended choice for
228+ password-based authentication.
229+ </para>
230+
231+ <para>
232+ The name of a file may follow the
228233 <literal>md5</literal> keyword. It contains a list of users
229- for this record.
234+ who may connect using this record.
230235 </para>
231236 </listitem>
232237 </varlistentry>
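Review bot: "This is now the recommended choice for password-based authentication" (new lines 227-228) gives no reason; one clause tying it to the other two entries ("because it neither sends the password in the clear nor depends on the platform's crypt() implementation") would make the recommendation actionable. Also, "encrypted using a simple challenge-response protocol" in the unchanged context describes a hashed challenge-response, not encryption; "protected" or "hashed" would be more accurate.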
@@ -236,9 +241,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
236241 <listitem>
237242 <para>
238243 Like the <literal>md5</literal> method but uses older crypt
239- authentication for pre-7.2 clients. <literal>md5</literal> is
244+ encryption, which is needed for pre-7.2
245+ clients. <literal>md5</literal> is
240246 preferred for 7.2 and later clients. The <literal>crypt</>
241- method isalso not compatible with encrypting passwords in
247+ method is not compatible with encrypting passwords in
242248 <filename>pg_shadow</>, and may fail if client and server
243249 machines have different implementations of the crypt() library
244250 routine.
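Review bot: "uses older crypt encryption" (new line 244) mislabels crypt(), which hashes the password rather than encrypting it; "uses the older crypt() password hashing, which is needed for pre-7.2 clients" is more accurate and avoids the collision with the following sentence about "encrypting passwords in pg_shadow", which refers to a different thing. Dropping "also" (new line 247) is fine.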
@@ -333,7 +339,7 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
333339 <listitem>
334340 <para>
335341 This field is interpreted differently depending on the
336- authentication method, as describedthere .
342+ authentication method, as describedabove .
337343 </para>
338344 </listitem>
339345 </varlistentry>
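Review bot: "as described above" (new line 342) is a positional reference that silently breaks if the sections are reordered; the SGML source already carries element ids (the chapter is id="client-authentication"), so an <xref linkend="..."> to the authentication-method list would be more robust than "above" or the old "there".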
@@ -412,6 +418,17 @@ host all 0.0.0.0 0.0.0.0 krb5
412418# says "bryanh" is allowed to connect as "guest1":
413419
414420host all 192.168.0.0 255.255.0.0 ident omicron
421+
422+ # If these are the only two lines for local connections, they will allow
423+ # local users to connect only to their own databases (database named the
424+ # same as the user name), except for administrators who may connect to
425+ # all databases. The file $PGDATA/admins lists the user names who are
426+ # permitted to connect to all databases. Passwords are required in all
427+ # cases. (If you prefer to use ident authorization, an ident map can
428+ # serve a parallel purpose to the password list file used here.)
429+
430+ local sameuser md5
431+ local all md5 admins
415432</programlisting>
416433 </example>
417434 </para>
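Review bot: the comment block (new lines 422-428) promises that ordinary users can reach "only their own databases", but never says what happens when a user who is not listed in $PGDATA/admins connects to some other database: is the connection rejected by the second record, or does it fall through? The guarantee in the comment depends on that rule, so state it explicitly next to "local all md5 admins". Since that file decides who may connect to every database, a sentence noting that it needs the same protection as the rest of the data directory would also be worth adding.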
@@ -434,7 +451,7 @@ host all 192.168.0.0 255.255.0.0 ident omicron
434451 </indexterm>
435452
436453 <para>
437- <productname>Postgres</> database passwords are separate from any
454+ <productname>Postgres</> database passwords are separate from
438455 operating system user passwords. Ordinarily, the password for each
439456 database user is stored in the pg_shadow system catalog table.
440457 Passwords can be managed with the query language commands
@@ -453,8 +470,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
453470 <literal>password</>, <literal>md5</>, or <literal>crypt</> keyword,
454471 respectively, in <filename>pg_hba.conf</>. If you do not use this
455472 feature, then any user that is known to the database system can
456- connect to any database (so long as hepasses password
457- authentication, of course).
473+ connect to any database (so long as hesupplies the correct password,
474+ of course).
458475 </para>
459476
460477 <para>
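Review bot: "so long as he supplies the correct password" (new line 473) uses a gendered pronoun for an arbitrary user; "so long as the correct password is supplied, of course" avoids it. The replacement of "passes password authentication" is otherwise an improvement.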
@@ -492,8 +509,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
492509 <para>
493510 Note that using alternative passwords like this means that one can
494511 no longer use <command>ALTER USER</command> to change one's
495- password. It willstill appear to work but the password one is
496- actually changing is not the password that the system will end up
512+ password. It will appear to work but the password one is
513+ changing is not the password that the system will end up
497514 using.
498515 </para>
499516
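Review bot: "the password one is changing is not the password that the system will end up using" (new lines 512-514) would be clearer if it named both passwords: ALTER USER changes the entry in pg_shadow, while with an alternative-password file the server checks the password in that file, so it is the file that has to be edited. Both facts appear elsewhere in this patch (the pg_shadow paragraph and the password file description) and tying them together here saves the reader a lookup.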