Re: Using both ident and password in pg_hba.conf

From John R Pierce
Subject Re: Using both ident and password in pg_hba.conf
Date
Msg-id 24e11d94-ddb9-9606-8fed-229fce163fe4@hogranch.com
In reply to Re: Using both ident and password in pg_hba.conf  ("D'Arcy J.M. Cain" <darcy@druid.net>)
Responses Re: Using both ident and password in pg_hba.conf  ("D'Arcy J.M. Cain" <darcy@druid.net>)
List pgsql-general
On 5/9/2016 2:42 PM, D'Arcy J.M. Cain wrote:
> I had an idea that that wouldn't be so easy else we would have had it
> by now.  However, I am not sure that that is what is needed.  I was
> thinking of something like this:
>
> host    all       joe@nobody  192.168.151.75/32       password
> host    all       all         192.168.151.75/32       ident
>
> The "all@nobody" field is meant to specify that the remote user is
> nobody but that they are connecting as user joe.  You would be able to
> use "all" as well.  You don't even need to do an ident check unless the
> auth method is "trust" which would be silly anyway.  In fact "password"
> is the only method that even makes any sense at all.


over a tcp socket, there's no way of knowing *WHAT* the system user is short of querying the unreliable service 'authd' (113/tcp) and hoping that it A) exists and B) returns something meaningful.   authd/ident services can return virtually anything they want to.


when pg_hba.conf is searched, all that's known is the socket type (host or local), the database name, the requested(!) username, and if it's 'host', the source IP address.   this is used to select the desired authentication method for that combination.



-- 
john r pierce, recycling bits in santa cruz
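
The lookup described in the reply above, as an added example that is not part of the original message and not PostgreSQL's own code: a simplified first-match search over pg_hba.conf records using only the connection type, database, requested user and source address. The sample file is constructed, the proposed `joe@nobody` is replaced by a plain `joe`, and `parse_hba`, `name_matches` and `select_method` are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the two records from the quoted proposal, with the
# proposed "joe@nobody" replaced by a plain role name (assumption), since
# the USER column is only compared with the requested database user.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS             METHOD
host    all       joe   192.168.151.75/32   password
host    all       all   192.168.151.75/32   ident
"""

def parse_hba(text):
    """Parse 'local' and 'host' records in file order (simplified subset)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "local":
            rules.append(("local", f[1], f[2], None, f[3]))
        elif len(f) >= 5 and f[0] == "host":
            rules.append(("host", f[1], f[2], ipaddress.ip_network(f[3]), f[4]))
    return rules

def name_matches(field, name):
    """'all' or a comma-separated list containing the name."""
    return any(item in ("all", name) for item in field.split(","))

def select_method(rules, conn_type, database, requested_user, source_ip=None):
    """Return the auth method of the first matching record, else None.

    Note what is NOT a parameter: the client's operating-system user.
    It is unknown at this point, so no record can be selected by it.
    """
    for rtype, db, user, net, method in rules:
        if rtype != conn_type:
            continue
        if not (name_matches(db, database) and name_matches(user, requested_user)):
            continue
        if net is not None and ipaddress.ip_address(source_ip) not in net:
            continue
        return method
    return None  # no record matched: the server rejects the connection

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for user in ("joe", "alice"):
        print(user, "->", select_method(rules, "host", "mydb", user, "192.168.151.75"))
```

Because the first matching record wins, swapping the two records would select `ident` for `joe` as well.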
