![]() ![]() The password is sent in cleartext, so you probably only want to enable this for hostssl connections. If the password field in that table is null, then they will be rejected. This method allows someone to connect providing they have given the correct password for their user in the pg_shadow table. This is particularly useful where you want to enable access to a range of addresses, but want to block a particular host in that range. This is the reverse of trust, as it rejects any one. This should be avoided unless you know what you are doing as it could be a security risk. This method allows any user to connect without a password. There is the special username all, which matches any user. Again you can use a filename with users in by using filename is a file in the same directory as pg_hba.conf. You can specify groups by prefixing the name with a +. You can also list several users by separating them by commas. You can also supply a filename which lists databases they can connect to by using filename is a file in the same directory as the pg_hba.conf. sameuser allows the user to connect to a database with the same name as the user connecting. ![]() all allows the person to connect to all databases on the server. There are two special database names, all and sameuser. You can list several databases by separating them by commas. Hostssl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD Hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD Hostnossl DATABASE USER IP-ADDRESS/CIDR-MASK METHOD hostnossl DATABASE USER IP-ADDRESS IP-MASK METHOD For example you might be happy to have clear text passwords over SSL, but only allow MD5 over non-secure connections. This is so that you can treat secure and non-secure connections differently. This is for users connecting over a non-encrypted or an encrypted TCP/IP connection using SSL. Host DATABASE USER IP-ADDRESS/CIDR-MASK METHOD hostnossl, hostssl This is matches connections over a TCP/IP network connection host DATABASE USER IP-ADDRESS IP-MASK METHOD A line for this method will be in the form: local DATABASE USER METHOD host This is for a user connecting via the unix socket on the local machine. There are three different access methods: local Usename | usesysid | usecreatedb | usesuper | usecatupd | passwd | valuntil | useconfig If you are not a super user, you will not have permission to access this table and will have to access the pg_user view instead, which is identical, but displays the password as stars. You can see the users on the server by selecting from the pg_shadow system table. If you don’t give any options it will prompt you for them. This is important if you intend to use password based authentication, as if you do not give a password, it will be NULL and all passwords will be rejected. The other option you will probably want to use is the -p flag to ask for a password for the new user. Likewise -d and -D allows or disallows them from creating databases. a allows the user to add new users and -Aprevents them from doing so. The createuser command allows you to set these using command line options. When you add a user you can opt to give the new user two additional powers the ability to create new databases and the ability to create new users. Ident and other connection schemes are explained below. The simplest way to connect as the postgres user is to change to the postgres unix user on the database server and take advantage of postgres’ ident based authentication, which trusts your unix account. In most cases this will be the postgres user, which is the initial superuser. ![]() To add a user you need to use a postgres user with the ability to add users (a superuser). ![]()
0 Comments
Leave a Reply. |