Kris Deugau <kdeugau@xxxxxxxxx> writes: > Failing that, a diagnostic poke to the head to tell me where in this > config I should put entries that refer to both local socket connections > and remote TCP/IP connections for one specific database that I want MD5 > (or crypt, for the old 6.x client :/ ) authentication on: The rule is very simple: the first entry that is able to match an incoming connection request is the one that's used. "Match" is on the basis of connection type (local or TCP) and the requested database name and user name. When the match occurs, the connection is checked using the specified auth method, and if that fails then it's rejected. The relative positioning of "local" and "host" entries is therefore irrelevant, because they can never both match the same connection request. The relative order of "local" entries is important, and so is the relative order of "host" entries. > # From Debian Sarge stock install > local all postgres ident sameuser > local all all ident sameuser The first one is really redundant since the second one would match all the same connections (ie, local connections with username postgres) and it specifies the same handling. > # Added for local software using PG > local template1 all ident > local sameuser all md5 > local all root trust These three are all complete no-ops where you have them, because the local/all/all entry will already have siphoned off every possible local connection. You'd need to put them in front of the local/all/all entry if you want them to do anything. Note however that you almost certainly do not want that "trust" entry, since it'd allow anyone local to connect by saying eg "psql -U root". There's not a lot of point in intermixing trust and non-trust methods for connections from the same machine. > # More entries from stock Debian package > host all all 127.0.0.1 255.255.255.255 ident sameuser > host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident sameuser > host all all ::ffff:127.0.0.1/128 ident sameuser > > # another local config - the real entry contains a real IP > host all all [host IP] 255.255.255.255 trust These seem reasonably sane assuming that's what you want. Their relative order doesn't matter since no two can match the same connection. (I think --- I don't recall at the moment if 127.0.0.1 can match an IPv6 connection on ::ffff:127.0.0.1.) > # Last stock entry > host all all 0.0.0.0 0.0.0.0 reject This one is a waste of space, since the default is to reject anyway if there's no match. regards, tom lane
