Skip to content

P
Postgres FD Implementation
Commit 461ea6b7 authored by Bruce Momjian's avatar Bruce Momjian
Browse files
Options

Better document use of ident on localhost, per Tom Lane's idea.

parent 357d9bdc
Hide whitespace changes
Inline Side-by-side
Showing with 30 additions and 26 deletions
doc/src/sgml/client-auth.sgml
View file @ 461ea6b7
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.11 2001/05/12 22:51:34 petere Exp $ --> <!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.12 2001/07/11 20:32:10 momjian Exp $ -->
<chapter id="client-authentication"> <chapter id="client-authentication">
<title>Client Authentication</title> <title>Client Authentication</title>
...@@ -242,7 +242,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable ...@@ -242,7 +242,10 @@ hostssl <replaceable>database</replaceable> <replaceable>IP-address</replaceable
of the connecting user. <productname>Postgres</productname> of the connecting user. <productname>Postgres</productname>
then verifies whether the so identified operating system user then verifies whether the so identified operating system user
is allowed to connect as the database user that is requested. is allowed to connect as the database user that is requested.
This is only available for TCP/IP connections. This is only available for TCP/IP connections. It can be used
on the local machine by specifying the localhost address 127.0.0.1.
</para>
<para>
The <replaceable>authentication option</replaceable> following The <replaceable>authentication option</replaceable> following
the <literal>ident</> keyword specifies the name of an the <literal>ident</> keyword specifies the name of an
<firstterm>ident map</firstterm> that specifies which operating <firstterm>ident map</firstterm> that specifies which operating
...@@ -553,7 +556,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron ...@@ -553,7 +556,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron
<attribution>RFC 1413</attribution> <attribution>RFC 1413</attribution>
<para> <para>
The Identification Protocol is not intended as an authorization The Identification Protocol is not intended as an authorization
or access control protocol. or access control protocol. You must trust the machine running the
ident server.
</para> </para>
</blockquote> </blockquote>
</para> </para>
......
src/backend/libpq/pg_hba.conf.sample
View file @ 461ea6b7
# #
# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE # PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
# #
# #
# This file controls: # This file controls:
...@@ -101,9 +101,9 @@ ...@@ -101,9 +101,9 @@
# be use only for machines where all users are truested. # be use only for machines where all users are truested.
# #
# password: Authentication is done by matching a password supplied # password: Authentication is done by matching a password supplied
# in clear by the host. If no AUTH_ARGUMENT is used, the # in clear by the host. If no AUTH_ARGUMENT is used, the
# password is compared with the user's entry in the # password is compared with the user's entry in the
# pg_shadow table. # pg_shadow table.
# #
# If AUTH_ARGUMENT is specified, the username is looked up # If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username # in that file in the $PGDATA directory. If the username
...@@ -118,30 +118,30 @@ ...@@ -118,30 +118,30 @@
# passwords. # passwords.
# #
# crypt: Same as "password", but authentication is done by # crypt: Same as "password", but authentication is done by
# encrypting the password sent over the network. This is # encrypting the password sent over the network. This is
# always preferable to "password" except for old clients # always preferable to "password" except for old clients
# that don't support "crypt". Also, crypt can use # that don't support "crypt". Also, crypt can use
# usernames stored in secondary password files but not # usernames stored in secondary password files but not
# secondary passwords. # secondary passwords.
# #
# ident: Authentication is done by the ident server on the local # ident: Authentication is done by the ident server on the local
# or remote host. AUTH_ARGUMENT is required and maps names # (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
# found in the $PGDATA/pg_ident.conf file. The connection # maps names found in the $PGDATA/pg_ident.conf file. The
# is accepted if the file contains an entry for this map # connection is accepted if the file contains an entry for
# name with the ident-supplied username and the requested # this map name with the ident-supplied username and the
# PostgreSQL username. The special map name "sameuser" # requested PostgreSQL username. The special map name
# indicates an implied map (not in pg_ident.conf) that # "sameuser" indicates an implied map (not in pg_ident.conf)
# maps each ident username to the identical PostgreSQL # that maps each ident username to the identical PostgreSQL
# username. # username.
# #
# krb4: Kerberos V4 authentication is used. # krb4: Kerberos V4 authentication is used.
# #
# krb5: Kerberos V5 authentication is used. # krb5: Kerberos V5 authentication is used.
# #
# reject: Reject the connection. This is used to reject certain hosts # reject: Reject the connection. This is used to reject certain hosts
# that are part of a network specified later in the file. # that are part of a network specified later in the file.
# To be effective, "reject" must appear before the later # To be effective, "reject" must appear before the later
# entries. # entries.
# #
# Local UNIX-domain socket connections support only the AUTH_TYPEs of # Local UNIX-domain socket connections support only the AUTH_TYPEs of
# "trust", "password", "crypt", and "reject". # "trust", "password", "crypt", and "reject".
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment