rules, the connection is denied. A common mistake people make is to not put the rules
in the proper order. PostgreSQL reads pg_hba.conf from top to bottom and uses the first
line whose connection type, database, user, and address all match; later lines are never
consulted for that connection. For example, if you put "0.0.0.0/0 reject" before
"127.0.0.1/32 trust", local users won't be able to connect, even though a rule is in
place allowing them to do so, because the catch-all reject line matches them first.
"I edited my pg_hba.conf and now my server is broken."
Don't worry. This happens quite often, but it's easily recoverable. This error is generally
caused by typos or by adding an unavailable authentication scheme. When the postgres
service can't parse the pg_hba.conf file, it blocks all access for safety or won't even start
up. The easiest way to figure out what you did wrong is to read the log file. This is located
in the root of the data folder or in the pg_log subfolder (named log in newer releases).
Open the latest file and read the last few lines; the message names the offending line
number and is usually self-explanatory. If you're prone to slippery fingers, back up the
file prior to editing.
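To make the two failure modes above concrete (a catch-all reject placed ahead of a trust line, and a typo in the method column that stops the whole file from loading), here is a small first-match evaluator for pg_hba.conf lines. It is an added example, not code from the book or from PostgreSQL; it handles only "local" and "host" lines with a single database and user, and the sample files, the KNOWN_METHODS set and the check_access/parse_hba names are constructed for illustration.

```python
"""Toy first-match evaluator for pg_hba.conf rules (added example, not
PostgreSQL code). It mimics two behaviours described in the text: rules are
tried top to bottom and the first match wins, and a file the server cannot
parse (for example an unknown authentication method) blocks every connection.
Real PostgreSQL understands many more forms (hostssl/hostnossl, database and
user lists, options such as map=, IPv6 masks); this covers only the basics."""
import ipaddress

# Subset of the authentication methods PostgreSQL accepts (assumption: enough for the demo).
KNOWN_METHODS = {"trust", "reject", "md5", "scram-sha-256", "password", "peer", "ident"}


def parse_hba(text):
    """Parse pg_hba.conf text into rule dicts; raise ValueError on any bad line,
    which mirrors the server refusing the whole file rather than part of it."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ctype = fields[0]
        if ctype == "local":                     # local  DATABASE  USER  METHOD
            if len(fields) != 4:
                raise ValueError(f"line {lineno}: expected 'local DB USER METHOD'")
            _, db, user, method = fields
            net = None
        elif ctype == "host":                    # host  DATABASE  USER  ADDRESS  METHOD
            if len(fields) != 5:
                raise ValueError(f"line {lineno}: expected 'host DB USER ADDRESS METHOD'")
            _, db, user, addr, method = fields
            net = ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"line {lineno}: unknown connection type {ctype!r}")
        if method not in KNOWN_METHODS:
            raise ValueError(f"line {lineno}: invalid authentication method {method!r}")
        rules.append({"type": ctype, "db": db, "user": user, "net": net,
                      "method": method, "line": lineno})
    return rules


def _field_matches(pattern, value):
    """'all' matches anything; otherwise the names must be identical."""
    return pattern == "all" or pattern == value


def check_access(hba_text, db, user, addr=None):
    """Decide one connection attempt. addr=None means a Unix-socket (local)
    connection. Returns ('allow', method) or ('deny', reason)."""
    try:
        rules = parse_hba(hba_text)
    except ValueError as exc:
        # An unparseable file locks everyone out, exactly the "server is broken" case.
        return ("deny", f"pg_hba.conf could not be loaded: {exc}")
    for rule in rules:
        if rule["type"] == "local" and addr is not None:
            continue
        if rule["type"] == "host" and (addr is None or
                                       ipaddress.ip_address(addr) not in rule["net"]):
            continue
        if not (_field_matches(rule["db"], db) and _field_matches(rule["user"], user)):
            continue
        if rule["method"] == "reject":
            return ("deny", f"matched reject rule on line {rule['line']}")
        return ("allow", rule["method"])         # first match wins
    return ("deny", "no matching pg_hba.conf entry")


# Constructed sample files for the demonstration.
WRONG_ORDER = """\
# constructed sample: the catch-all reject comes first, so the trust line is dead
host    all    all    0.0.0.0/0       reject
host    all    all    127.0.0.1/32    trust
"""

RIGHT_ORDER = """\
# constructed sample: specific allow lines first, catch-all reject last
local   all    all                    peer
host    all    all    127.0.0.1/32    trust
host    all    all    0.0.0.0/0       reject
"""

BROKEN = """\
# constructed sample: 'md6' is a typo for md5, so the whole file fails to load
local   all    all                    peer
host    all    all    127.0.0.1/32    md6
"""

if __name__ == "__main__":
    print("wrong order, loopback :", check_access(WRONG_ORDER, "postgres", "alice", "127.0.0.1"))
    print("right order, loopback :", check_access(RIGHT_ORDER, "postgres", "alice", "127.0.0.1"))
    print("right order, remote   :", check_access(RIGHT_ORDER, "postgres", "alice", "10.0.0.5"))
    print("right order, socket   :", check_access(RIGHT_ORDER, "postgres", "alice"))
    print("typo in method        :", check_access(BROKEN, "postgres", "alice"))
```

Run the file directly to see each decision, or feed your own pg_hba.conf text to check_access before reloading the real server; the ValueError message carries the line number, which is the same information you would otherwise have to dig out of the server log.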
Authentication methods
PostgreSQL gives you many choices for authenticating users, probably more than any
other database product. Most people stick with the most popular ones: trust, peer,
ident, md5, and password. There is also reject, which applies an immediate denial.
Authentication methods stipulated in pg_hba.conf serve as gatekeepers to the entire
PostgreSQL server. Users or devices must still meet role and database access restrictions
after connecting.
For more information on the various authentication methods, refer to PostgreSQL Client
Authentication.
The most commonly used authentication methods are:
trust
The least secure of the authentication schemes. It allows people to self-identify and
doesn't ask for a password. As long as the request meets the IP address, user, and
database criteria, the user can connect. You should limit trust to local connections
or private network connections. Even then it's possible for someone to spoof IP
addresses, so the more security-minded among us discourage its use entirely. Nevertheless,
it's the most common for PostgreSQL installed on a desktop for single-user local access
where security is not as much of a concern. The username defaults to the logged-in OS
user if not specified.
md5
Very common, requiring the client to prove knowledge of the password through an
MD5-hashed challenge-response exchange rather than sending it in the clear. Newer
PostgreSQL releases also offer scram-sha-256, which is stronger and should be preferred
where both server and clients support it.
password
Uses clear-text password authentication. The password crosses the network unprotected
unless the connection itself is SSL-encrypted, so avoid it on anything but a trusted link.
ident
Asks the client machine's ident server which OS account owns the connecting TCP session
(peer does the same for local socket connections by asking the operating system). No
password is checked. The optional map= setting consults pg_ident.conf to decide which
PostgreSQL role that OS account may connect as.