Configuration File Reference
Table 1 Parameter description

| Parameter | Value | Description |
|---|---|---|
| TYPE | local | Indicates that this record accepts only Unix-domain-socket connections. If no record of this type exists, Unix-domain-socket connections are not allowed. When gsql initiates a connection from the local server and the -U parameter is not specified, a Unix-domain-socket connection is established. |
| TYPE | host | Indicates that this record accepts either a plain TCP/IP-socket connection or a TCP/IP-socket connection encrypted through SSL. |
| TYPE | hostssl | Indicates that this record accepts only a TCP/IP-socket connection encrypted through SSL. For an SSL-encrypted connection, you need to apply for a digital certificate and configure the related parameters. For details, see Establishing Secure TCP/IP Connections in SSL Mode. |
| TYPE | hostnossl | Indicates that this record accepts only a plain TCP/IP-socket connection. |
| USER | | Users who match the record and are allowed to access databases. |
| ADDRESS | | Range of client IP addresses that match the record. IPv4 and IPv6 addresses are supported. The IP address range can be expressed in the following two formats: |
| METHOD | | The following authentication modes are supported. For details, see Table 2. |
Table 2 Authentication modes

| Mode | Description |
|---|---|
| trust | In trust mode, only a connection initiated from the local server using gsql with the -U parameter not specified is trusted. In this case, no password is required. The trust authentication mode applies to local connections from a single-user workstation, but not from a multi-user workstation. To use this authentication mode, you can use file-system permissions to control access to the Unix-domain socket file on the server. You can use either of the following methods to control the access: |
| reject | Rejects connections unconditionally. This authentication mode is usually used to filter out certain hosts. |
| md5 | Requires that the client provide an MD5-encrypted password for authentication. |
| sha256 | Requires that the client provide a SHA256-encrypted password for authentication. During transmission the password is protected with a one-way SHA-256 hash combined with a salt (a random number sent from the server to the client), which enhances security. |
| sm3 | Requires that the client provide an SM3-encrypted password for authentication. The password is combined with a salt (a random number sent by the server to the client) before transmission, which enhances security. |
| cert | A client certificate is used for authentication. In this mode, the SSL connection must be configured and the client must provide a valid SSL certificate. No user password is required. |
| peer | Obtains the username of the OS on which the client runs and checks whether it is the same as the initial database username. In this mode, only the initial database user can connect to the database locally. You can configure pg_ident.conf to map the OS user to the initial database user. |

Example of peer authentication with a username mapping: assume that the OS username is omm, the initial database user is dbAdmin, and the local record in pg_hba.conf is set to peer authentication:

```
local   all   all   peer map=mymap
```

Here, map=mymap specifies the username mapping, and the mapping name mymap is added to pg_ident.conf as follows:

```
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
mymap       omm               dbAdmin
```
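An added example, not from the original page or the database project, that parses pg_hba.conf records in the layout described above (TYPE DATABASE USER ADDRESS METHOD [OPTIONS], with no ADDRESS field for local records) and reports records that weaken access control: trust on a TCP/IP record, md5 instead of sha256 or sm3, hostnossl, and an address range that matches every client. The sample file and its records are constructed for illustration; both address formats (CIDR, or an address followed by a separate netmask field) are handled.

```python
import ipaddress
# Constructed sample pg_hba.conf (illustrative records, not from any real deployment).
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS      METHOD
local      all       all                peer map=mymap
host       all       all   0.0.0.0/0    trust
host       all       all   10.0.0.0/8   md5
hostssl    all       all   10.0.0.0/8   cert
hostnossl  all       all   0.0.0.0/0    sha256
"""

def parse_hba(text):
    """Parse pg_hba.conf text into one dict per record; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        rtype = fields[0]
        if len(fields) < (4 if rtype == "local" else 5):
            raise ValueError(f"line {lineno}: too few fields for a {rtype} record")
        if rtype == "local":   # local records have no ADDRESS column
            network, rest = None, fields[3:]
        else:                  # ADDRESS is CIDR, or an address followed by a separate netmask field
            addr, rest = fields[3], fields[4:]
            if "/" not in addr and len(rest) > 1 and any(c in rest[0] for c in ".:"):
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            network = ipaddress.ip_network(addr, strict=False)
        records.append({"line": lineno, "type": rtype, "database": fields[1], "user": fields[2],
                        "address": network, "method": rest[0], "options": rest[1:]})
    return records

def audit_hba(records):
    """Return (line number, finding) pairs for records that weaken access control."""
    findings = []
    for r in records:
        t, m, net = r["type"], r["method"], r["address"]
        if m == "trust" and t != "local":
            findings.append((r["line"], "trust over TCP/IP: no password is required from any matching client"))
        if m == "md5":
            findings.append((r["line"], "md5 is the weakest password method; prefer sha256 or sm3"))
        if t == "hostnossl":
            findings.append((r["line"], "hostnossl: the session is never encrypted; prefer hostssl"))
        if net is not None and net.prefixlen == 0:
            findings.append((r["line"], f"address {net} matches every client; narrow the range"))
    return findings
```

Running `audit_hba(parse_hba(SAMPLE_HBA))` on the constructed file flags lines 3, 4 and 6; the local peer record and the hostssl cert record pass.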