New host-based authentication with ident

4b5c9777 · Bryan Henderson · 57026d60 · 4b5c9777 · 4b5c9777 · 4b5c9777
Commit 4b5c9777 authored Oct 12, 1996 by Bryan Henderson
5 changed files
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
+#
+# Example Postgres95 host access control file.
+#
+# 
+# This file controls what hosts are allowed to connect to what databases
+# and specifies some options on how users on a particular host are identified.
+# 
+# Each line (terminated by a newline character) is a record.  A record cannot
+# be continued across two lines.
+# 
+# There are 3 kinds of records:
+# 
+#   1) comment:  Starts with #.
+# 
+#   2) empty:  Contains nothing excepting spaces and tabs.
+# 
+#   3) content: anything else.  
+# 
+# Unless specified otherwise, "record" from here on means a content
+# record.
+# 
+# A record consists of tokens separated by spaces or tabs.  Spaces and
+# tabs at the beginning and end of a record are ignored as are extra
+# spaces and tabs between two tokens.
+# 
+# The first token in a record is the record type.  The interpretation of the
+# rest of the record depends on the record type.
+# 
+# Record type "host"
+# ------------------
+# 
+# This record identifies a set of hosts that are permitted to connect to
+# databases.  No hosts are permitted to connect except as specified by a
+# "host" record.
+#
+# Format:
+# 
+#   host DBNAME IP_ADDRESS ADDRESS_MASK USERAUTH [MAP]
+# 
+# DBNAME is the name of a Postgres database, or "all" to indicate all 
+# databases.
+# 
+# IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP address and
+# mask to identify a set of hosts.  These hosts are allowed to connect to 
+# Database DBNAME. 
+# 
+# USERAUTH is a keyword indicating the method used to authenticate the 
+# user, i.e. to determine that the principal is authorized to connect
+# under the Postgres username he supplies in his connection parameters.
+#
+#   ident:  Authentication is done by the ident server on the remote
+#           host, via the ident (RFC 1413) protocol.
+#
+#   trust:  No authentication is done.  Trust that the user has the 
+#           authority to user whatever username he says he does.
+#           Before Postgres Version 6, all authentication was this way.
+#
+# MAP is the name of a map that matches an authenticated principal with
+# a Postgres username.  If USERNAME is "trust", this value is ignored and
+# may be absent.
+#
+# In the case of USERAUTH=ident, this is a map name to be found in the 
+# pg_ident.conf file.  That table maps from ident usernames to Postgres 
+# usernames.  The special map name "sameuser" indicates an implied map
+# (not found in pg_ident.conf) that maps every ident username to the identical
+# Postgres username.
+# 
+# For backwards compatibility, Postgres also accepts pre-Version 2 records,
+# which look like:
+# 
+#   all         127.0.0.1    0.0.0.0
+# 
+#
+# TYPE       DATABASE    IP_ADDRESS    MASK              USERAUTH  MAP
+host         all         127.0.0.1     255.255.255.255   trust     
+# The above allows any user on the local system to connect to any database
+# under any username.
+host         template1   192.168.0.0   255.255.255.0     ident     sameuser
+# The above allows any user from any host with IP address 192.168.0.x to
+# connect to database template1 as the same username that ident on that host
+# identifies him as (typically his Unix username).  
+#host         all        0.0.0.0       0.0.0.0           trust
+# The above would allow anyone anywhere to connect to any database under
+# any username.
+#host         all        192.168.0.0  255.255.255.0      ident     omicron
+#
+# The above would allow users from 192.168.0.x hosts to connect to any
+# database, but if e.g. Ident says the user is "bryanh" and he requests to
+# connect as Postgres user "guest1", the connection is only allowed if
+# there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is 
+# allowed to connect as "guest1".
--- a/src/backend/libpq/pg_hba.sample
+++ b/src/backend/libpq/pg_hba.sample
-#
-# Example config file for Postgres95 host based access
-#
-# Lines starting with "all" apply to all databases.  Otherwise the first
-# column has to match the name of the database being connected to.  Up to
-# ten config lines can apply to each database.  Mask specifies bits that 
-# aren't counted. After those bits are taken out, the connection address 
-# must match the address in the middle column.
-#
-# <name>	<address>	<mask>
-#
-all		127.0.0.1	0.0.0.0
--- a/src/backend/libpq/pg_ident.conf.sample
+++ b/src/backend/libpq/pg_ident.conf.sample
+# This is the pg_ident.conf file, which is used with Postgres ident-based
+# authentication (a subtype of host-based authentication).
+# This is a table of ident usernames (typically Unix usernames) and 
+# their corresponding Postgres usernames.  For example, user "bryanh" on
+# some particular remote system may equate to Postgres user "guest1".
+# This file contains multiple maps.  Each has a name.  The pg_hba.conf
+# file determines what connections relate to this file and for those that
+# do, which map to use.
+# Each record consists of 3 tokens:
+#
+# 1) map name
+# 2) ident username
+# 3) Postgres username
+# Note that it is possible for one user to map to multiple Postgres usernames.
+# A user always has to specify when he connects what Postgres username he is
+# using.  This file is only used to validate that selection.
+testmap   robert   bob
+testmap   lucy     lucy