This chapter documents the fundamental concepts involved with authenticating and encrypting a client session to the
PostgreSQL server. This includes how to correctly configure the
file for a variety of
authentication schemes, as well as a few common ways to encrypt your client connections.
Client authentication is a central feature to PostgreSQL. Without it, you would either have to sacrifice remote
connectivity, or blindly allow anyone to connect to your database and retrieve, or even modify your data. PostgreSQL has
several different types of client authentication at its disposal. As the site administrator, you need to decide which
one is best for your system.
As of PostgreSQL 7.1.x, host-based client access is specified in the
file. The rights
and restrictions described in this file should not be confused with a PostgreSQL user's rights to objects within the
file allows you to set the type of
authentication to be used. This authentication is performed before PostgreSQL establishes a connection to the intended
database, where user rights would be relevant.
is located in the PostgreSQL data directory
), and is installed automatically upon the execution of the
command when PostgreSQL is installed.
PostgreSQL's host-based authentication is flexible, featuring a wide variety of configurable options. You may restrict
database access to specific hosts, as well as allow access to a range of IP addresses by using netmasks. Each configured host
has its own
, which is a single line in the
With these host records, you may specify access either to a particular database or all databases. Furthermore, you
may require a user from a specified host to authenticate via the PostgreSQL users table after qualifying for a
Put simply, the
file allows you to determine
is allowed to
machines, and to
they must prove their authenticity to gain access.
Through remote password-based authentication, passwords may be transmitted in clear text depending on whether or not
you are using encrypted sessions. Be sure that you understand how your application is communicating with PostgreSQL before
allowing users to remotely connect to a PostgreSQL database.