# Chapter 27: Authentication, `pg_hba.conf`, and TLS

Securing database connections is foundational to production PostgreSQL deployments. This chapter covers the complete authentication stack—from password mechanisms and host-based access rules to TLS encryption and secret management. We emphasize modern, industry-standard practices that satisfy compliance requirements (SOC 2, PCI-DSS, HIPAA) while maintaining operational usability.

---

## 27.1 PostgreSQL Authentication Architecture

PostgreSQL employs a two-layer authentication model:

1. **Transport Layer**: TCP connection establishment with optional TLS encryption
2. **Application Layer**: Credential validation via configured authentication methods

```text
Client Request → pg_hba.conf Match → TLS Handshake (if required) → Auth Method → Database Access
```

**Key Principle**: Authentication is controlled by the `pg_hba.conf` (Host-Based Authentication configuration) file, which defines *who* can connect *from where* using *which method* to access *which database*.

---

## 27.2 Modern Password Authentication (SCRAM-SHA-256)

### 27.2.1 Password Hashing Evolution

PostgreSQL has evolved through several password authentication methods. Industry standards now mandate **SCRAM-SHA-256** (Salted Challenge Response Authentication Mechanism).

```sql
-- Check current password encryption setting (should be 'scram-sha-256')
SHOW password_encryption;

-- Set globally in postgresql.conf
password_encryption = 'scram-sha-256'  -- Default since PostgreSQL 14

-- Verify existing user password hashes
SELECT 
    usename,
    CASE 
        WHEN passwd LIKE 'SCRAM-SHA-256%' THEN 'SCRAM-SHA-256 (Secure)'
        WHEN passwd LIKE 'md5%' THEN 'MD5 (Deprecated)'
        WHEN passwd IS NULL THEN 'No password/Trust auth'
        ELSE 'Unknown format'
    END as password_type
FROM pg_shadow 
WHERE usename = 'app_user';
```

**Critical Security Notes**:
- **MD5** (used in PostgreSQL ≤9.6 default) is cryptographically broken and **must not be used** in production
- **SCRAM-SHA-256** (RFC 7677) prevents replay attacks and requires the server to prove knowledge of the password without transmitting it
- Password hashes are stored using the format: `SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>`

### 27.2.2 Creating Users with Secure Passwords

```sql
-- Create user with SCRAM-SHA-256 hashed password (recommended)
CREATE USER app_user 
WITH PASSWORD 'ComplexP@ssw0rd!2024';

-- Verify the hash was stored correctly
SELECT passwd FROM pg_shadow WHERE usename = 'app_user';
-- Output: SCRAM-SHA-256$4096:...

-- Force password rotation
ALTER USER app_user WITH PASSWORD 'NewComplexP@ssw0rd!2024';

-- Set password expiration (compliance requirement)
ALTER USER app_user VALID UNTIL '2025-01-01';

-- Prevent password reuse (requires pg_password_history extension or application-layer enforcement)
-- Note: PostgreSQL native password history requires external extensions or wrapper functions
```

### 27.2.3 Connection String Security

**Anti-Pattern**: Hardcoding passwords in application code or connection strings.

```bash
# NEVER DO THIS in production scripts
psql "postgresql://app_user:password123@db.example.com:5432/mydb"

# Security risks:
# 1. Appears in shell history (bash_history, zsh_history)
# 2. Visible in process lists (ps aux)
# 3. Committed to version control
# 4. Exposed in logs and monitoring tools
```

**Industry Standard**: Environment variables and secrets management.

```bash
# .env file (add to .gitignore, use restrictive permissions chmod 600)
# Never commit to version control
DATABASE_URL="postgresql://app_user@db.example.com:5432/mydb"

# Password in PGPASSFILE (see section 27.2.4)
PGPASSWORD_FILE="/etc/app/.pgpass"
```

**Application Implementation** (Python/Node.js/Go patterns):

```python
# Python SQLAlchemy example
import os
from urllib.parse import quote_plus

# Load from environment
db_user = os.environ.get('DB_USER')
db_pass = os.environ.get('DB_PASSWORD')  # From secrets manager, never hardcoded
db_host = os.environ.get('DB_HOST')
db_name = os.environ.get('DB_NAME')
db_ssl_mode = os.environ.get('DB_SSL_MODE', 'verify-full')

# URL encode password to handle special characters
encoded_pass = quote_plus(db_pass)

connection_string = (
    f"postgresql://{db_user}:{encoded_pass}@{db_host}:5432/{db_name}?"
    f"sslmode={db_ssl_mode}&"
    f"sslrootcert=/etc/ssl/certs/ca.crt"
)
```

### 27.2.4 The `.pgpass` File (Password File)

For non-interactive connections (cron jobs, batch scripts), use the password file instead of environment variables or command-line arguments.

```bash
# File location: ~/.pgpass (Unix) or %APPDATA%\postgresql\pgpass.conf (Windows)
# Permissions: chmod 0600 ~/.pgpass (PostgreSQL will reject if permissions are too open)

# Format: hostname:port:database:username:password
# Wildcard (*) matches any value

# Example entries
db.example.com:5432:production:backup_user:SecureBackupPass123
*.example.com:5432:*:monitoring_user:MonPass456
localhost:5432:*:postgres:LocalAdminPass789
```

**Security Requirements**:
- File must be owned by the user running the PostgreSQL client
- Permissions must be `0600` (owner read/write only) or `0400` (read-only)
- PostgreSQL will silently ignore the file if permissions are too permissive (group/other readable)

```bash
# Setup commands
touch ~/.pgpass
chmod 0600 ~/.pgpass
# Edit with secure editor that doesn't create backup copies
vim ~/.pgpass
```

---

## 27.3 Authentication Methods Deep Dive

### 27.3.1 SCRAM-SHA-256 (Production Standard)

The default and recommended method for password-based authentication.

```conf
# pg_hba.conf entry
host    all             all             10.0.0.0/8              scram-sha-256
```

**Characteristics**:
- Password never transmitted over the wire (challenge-response protocol)
- Resistant to replay attacks
- Requires PostgreSQL 10+ (client and server)
- Compatible with JDBC, libpq, and modern drivers

### 27.3.2 Peer Authentication (Local Connections)

For local Unix domain socket connections where the OS user identity is trusted.

```conf
# pg_hba.conf
local   all             postgres                                peer
local   all             +dba_users                              peer
```

**How it works**:
- PostgreSQL checks the OS user name via `getpeereid()` system call
- Database user name must match OS user name (or be mapped via `pg_ident.conf`)
- No password required (relies on OS security)
- Only works for local socket connections (not TCP/IP)

**Use Cases**:
- Administrative tasks run by `postgres` OS user
- Development environments
- CI/CD pipelines where the runner OS user matches the DB user

### 27.3.3 Certificate-Based Authentication (SSL)

The strongest authentication method for production environments—uses X.509 client certificates.

```conf
# pg_hba.conf
hostssl all             all             0.0.0.0/0               cert
# Or combine with map for user name extraction
hostssl all             all             0.0.0.0/0               cert map=sslusers
```

**Certificate Requirements**:
1. **Client Certificate**: Signed by a trusted CA (can be internal CA)
2. **Server Certificate**: Valid for the hostname, not expired
3. **Common Name (CN)**: Must match database username (or use mapping)

```bash
# Generate client certificate (simplified example)
# In production, use your organization's PKI or HashiCorp Vault, etc.

# 1. Create private key
openssl genrsa -out client.key 4096
chmod 600 client.key

# 2. Create certificate signing request (CSR)
openssl req -new -key client.key -out client.csr \
    -subj "/CN=app_user/O=MyOrg/C=US"

# 3. Sign with CA (in production, submit to your CA)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt -days 365 -sha256

# 4. Verify chain
openssl verify -CAfile ca.crt client.crt
```

**Connection with Certificates**:

```bash
psql "postgresql://app_user@db.example.com:5432/mydb?\
sslmode=verify-full&\
sslcert=/secure/path/client.crt&\
sslkey=/secure/path/client.key&\
sslrootcert=/secure/path/ca.crt"
```

**Security Notes**:
- Private keys (`client.key`) must have permissions `0600` or `0400`
- PostgreSQL will reject connections if the key is world-readable
- Certificate authentication eliminates password management and rotation complexity
- Supports certificate revocation lists (CRLs) for compromised certificates

### 27.3.4 LDAP and Active Directory Integration

For enterprise environments requiring centralized identity management.

```conf
# Simple LDAP binding
host    all             all             10.0.0.0/8              ldap \
    ldapserver=ldap.example.com \
    ldapport=636 \
    ldaptls=1 \
    ldapbasedn="dc=example,dc=com" \
    ldapbinddn="cn=dbauth,dc=example,dc=com" \
    ldapbindpasswd='bind_password' \
    ldapsearchattribute=uid
```

**Security Considerations**:
- Always use LDAPS (LDAP over SSL) on port 636, never plain LDAP (port 389)
- Use `ldaptls=1` to enforce TLS
- Consider LDAP + Kerberos (GSSAPI) for stronger security
- Bind passwords should be rotated regularly and stored securely

### 27.3.5 Authentication Methods to Avoid

```conf
# NEVER USE IN PRODUCTION:

# 1. Trust (no authentication)
host    all             all             0.0.0.0/0               trust
# Allows any connection without password from any IP (catastrophic)

# 2. Password (cleartext)
host    all             all             0.0.0.0/0               password
# Transmits password in cleartext over the network

# 3. MD5 (cryptographically broken)
host    all             all             0.0.0.0/0               md5
# Vulnerable to rainbow table attacks, replay attacks
# Upgrade to scram-sha-256 immediately
```

---

## 27.4 Host-Based Authentication Configuration (`pg_hba.conf`)

### 27.4.1 File Structure and Rule Matching

`pg_hba.conf` (Host-Based Authentication configuration) controls client access. Rules are processed **top-to-bottom**, and the **first match** wins.

```conf
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# Local connections (Unix socket)
local   all             postgres                                peer
local   replication     all                                     reject

# IPv4 local connections (administrative subnet only)
host    postgres        postgres        127.0.0.1/32            scram-sha-256
host    all             +admin_group    10.0.1.0/24             scram-sha-256

# Application servers (specific subnet)
hostssl myapp_db        app_user        10.0.2.0/24             scram-sha-256
hostssl myapp_db        readonly_user   10.0.3.0/24             scram-sha-256

# Monitoring (specific IP, certificate auth)
hostssl all             monitoring      10.0.0.5/32             cert

# Replication connections (dedicated replication subnet)
hostssl replication     replicator      10.0.10.0/24            scram-sha-256

# Deny all other connections (explicit deny is safer than implicit)
host    all             all             0.0.0.0/0               reject
host    all             all             ::/0                    reject
```

**Field Definitions**:

1. **TYPE**: 
   - `local`: Unix domain socket
   - `host`: TCP/IP (SSL or non-SSL)
   - `hostssl`: TCP/IP with SSL/TLS required
   - `hostnossl`: TCP/IP without SSL (rarely used, generally unsafe)
   - `hostgssenc`: TCP/IP with GSSAPI encryption

2. **DATABASE**: 
   - Specific name, `all`, `sameuser`, `samerole`, `replication`, or comma-separated list
   - `@file` to load from file

3. **USER**: 
   - Specific user, `all`, `+groupname` (group prefix), `@file`

4. **ADDRESS**: 
   - IP address/CIDR (e.g., `192.168.1.0/24`)
   - Host name (requires DNS, slower, less secure)
   - `samehost`, `samenet` for local network matching

5. **METHOD**: Authentication method (scram-sha-256, cert, peer, etc.)

### 27.4.2 Rule Ordering and Security

**Critical Principle**: More specific rules must come before general rules.

```conf
# WRONG ORDER (specific rule never reached):
host    all             all             0.0.0.0/0               reject
host    mydb            app_user        10.0.2.5/32             scram-sha-256
# The reject rule matches first, blocking the specific IP

# CORRECT ORDER:
host    mydb            app_user        10.0.2.5/32             scram-sha-256
host    all             all             0.0.0.0/0               reject
```

**Best Practice Template**:

```conf
# 1. Local admin access (peer auth)
local   all             postgres                                peer

# 2. Localhost TCP (for apps on same machine)
hostssl all             all             127.0.0.1/32            scram-sha-256
hostssl all             all             ::1/128                 scram-sha-256

# 3. Specific application rules (most specific first)
hostssl app_db          app_write       10.0.2.0/24             scram-sha-256
hostssl app_db          app_read        10.0.3.0/24             scram-sha-256

# 4. Administrative jump hosts
hostssl all             dba_team        10.0.100.0/24           scram-sha-256

# 5. Replication
hostssl replication     replicator      10.0.10.0/24            scram-sha-256

# 6. Explicit reject (defense in depth)
host    all             all             0.0.0.0/0               reject
```

### 27.4.3 User Name Mapping (`pg_ident.conf`)

When OS user names or certificate CNs don't match database user names, use mapping.

```conf
# pg_ident.conf format:
# MAPNAME       SYSTEM-USERNAME         PG-USERNAME

# Map OS users to database users
admin_map       root                    postgres
admin_map       ubuntu                  postgres
admin_map       deploy_user             app_admin

# Map certificate CNs to database users (when CN contains email/domain)
ssl_map         /^(.*)@example\.com$    \1
# This strips @example.com from certificate CN
```

Usage in `pg_hba.conf`:

```conf
local   all             postgres                    peer map=admin_map
hostssl all             all                         cert map=ssl_map
```

### 27.4.4 Reloading Configuration

Changes to `pg_hba.conf` require a configuration reload (not restart).

```bash
# Method 1: SQL command (requires superuser)
SELECT pg_reload_conf();

# Method 2: Signal to postmaster (as postgres user)
kill -HUP $(cat /var/lib/postgresql/data/postmaster.pid)

# Method 3: Systemd
systemctl reload postgresql

# Verification (check for syntax errors in logs)
tail -f /var/log/postgresql/postgresql-*.log
```

**Testing New Rules**:

```bash
# Test connection without actually connecting (dry run)
# Note: Requires actual connection attempt, use low-privilege test user
psql "postgresql://test_user@host/db" -c "SELECT 1"

# Check pg_hba.conf line that matched (in log with log_connections = on)
# Look for: "connection authorized: user=test_user database=db ... application=psql"
```

---

## 27.5 TLS/SSL Configuration

### 27.5.1 TLS Basics for PostgreSQL

PostgreSQL supports TLS (Transport Layer Security) to encrypt data in transit. Industry standard requires **TLS 1.2 or higher**; TLS 1.0 and 1.1 are deprecated.

```conf
# postgresql.conf SSL settings

# Enable SSL (required for hostssl in pg_hba.conf)
ssl = on

# Certificate and key locations (must be readable by postgres user)
ssl_cert_file = '/etc/ssl/certs/server.crt'
ssl_key_file = '/etc/ssl/private/server.key'
ssl_ca_file = '/etc/ssl/certs/ca.crt'  # For client cert verification

# TLS version enforcement (PostgreSQL 13+)
ssl_min_protocol_version = 'TLSv1.2'
# ssl_max_protocol_version = ''  # Leave empty for latest

# Cipher suites (PostgreSQL 13+, industry strong ciphers)
ssl_ciphers = 'HIGH:!aNULL:!MD5'
ssl_prefer_server_ciphers = on
```

**Certificate File Requirements**:

1. **Server Certificate** (`server.crt`):
   - Must be PEM format
   - Full chain (server cert + intermediate CA) if using intermediate CAs
   - Valid for the hostname used in connection strings (SAN or CN match)

2. **Server Key** (`server.key`):
   - PEM format, unencrypted (PostgreSQL does not support encrypted keys without passphrase input)
   - Permissions: `0600` (owner read/write only), owned by `postgres` user
   - Never use group-readable permissions

3. **CA Certificate** (`ca.crt`):
   - Root CA that signed client certificates (for cert authentication)
   - Intermediate CAs if not included in server certificate chain

### 27.5.2 Generating Server Certificates

```bash
# Production: Use your organization's PKI or reputable public CA
# Development/Testing: Self-signed (never in production)

# 1. Generate CA private key and certificate (do this in secure offline environment)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
    -out ca.crt -subj "/CN=MyOrg Root CA"

# 2. Generate server private key
openssl genrsa -out server.key 4096
chmod 600 server.key

# 3. Create CSR with SAN (Subject Alternative Name) for hostname validation
openssl req -new -key server.key -out server.csr \
    -subj "/CN=db.example.com/O=MyOrg" \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:db.example.com,DNS:db-replica.example.com"))

# 4. Sign with CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 \
    -extfile <(printf "subjectAltName=DNS:db.example.com,DNS:db-replica.example.com")

# 5. Verify certificate
openssl x509 -in server.crt -text -noout | grep -A2 "Subject Alternative Name"
```

### 27.5.3 SSL Modes in Connection Strings

The `sslmode` parameter controls client-side TLS behavior.

| Mode | Protection | Use Case |
|------|-----------|----------|
| `disable` | None | Never use in production |
| `allow` | Prefer non-SSL, accept SSL | Legacy internal networks (not recommended) |
| `prefer` | Prefer SSL, allow non-SSL | Development only |
| `require` | SSL required, no verification | Internal networks with trusted infrastructure |
| `verify-ca` | SSL + CA verification | Production (verifies server cert signed by trusted CA) |
| `verify-full` | SSL + CA + Hostname verification | **Production standard** (highest security) |

```bash
# Production standard: verify-full
psql "postgresql://user@db.example.com:5432/mydb?sslmode=verify-full&sslrootcert=/path/to/ca.crt"

# verify-full requires:
# 1. Certificate is signed by CA in sslrootcert
# 2. Hostname matches certificate CN or SAN
# 3. Certificate is not expired
# 4. Certificate is not revoked (if CRL provided)
```

### 27.5.4 Certificate Revocation Lists (CRL)

For compromised certificates, use CRLs or OCSP (Online Certificate Status Protocol).

```conf
# postgresql.conf
ssl_crl_file = '/etc/ssl/crl/ca.crl'  # PEM format
# Note: PostgreSQL does not natively support OCSP; use external proxies for OCSP
```

---

## 27.6 Secret Management and Operational Security

### 27.6.1 Environment Variable Security

```bash
# Secure environment file (sourced by application, never committed)
# /etc/app/env.production
export DB_HOST="db.example.com"
export DB_USER="app_user"
# Password loaded from secrets manager at runtime
export DB_PASSWORD="$(aws secretsmanager get-secret-value --secret-id prod/db/password --query SecretString --output text)"

# Application startup script
set -a  # Export all variables
source /etc/app/env.production
set +a
exec /usr/local/bin/myapp
```

### 27.6.2 Connection Pooling Security (PgBouncer)

When using connection poolers, authentication flows through the pooler to PostgreSQL.

```ini
; pgbouncer.ini
[databases]
mydb = host=localhost port=5432 dbname=mydb

[pgbouncer]
listen_port = 6432
listen_addr = 0.0.0.0
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt

; userlist.txt format:
; "username" "SCRAM-SHA-256$4096:..."
; Passwords must match PostgreSQL passwords for auth_query mode
```

**Security Considerations**:
- PgBouncer can use `auth_query` to validate passwords against PostgreSQL itself
- TLS should terminate at PgBouncer or pass through to PostgreSQL
- Use `auth_user` and `auth_query` to avoid duplicating password files

### 27.6.3 Audit and Monitoring

```sql
-- Enable connection logging
ALTER SYSTEM SET log_connections = 'on';
ALTER SYSTEM SET log_disconnections = 'on';
ALTER SYSTEM SET log_line_prefix = '%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h ';
SELECT pg_reload_conf();

-- Query to check current connections and auth methods
SELECT 
    pid,
    usename,
    application_name,
    client_addr,
    client_port,
    ssl,
    ssl_version,
    ssl_cipher,
    state
FROM pg_stat_ssl
JOIN pg_stat_activity USING (pid)
WHERE backend_type = 'client backend';

-- Failed authentication attempts (from logs)
-- Look for: "password authentication failed" or "authentication failed"
```

---

## 27.7 Compliance and Security Checklists

### Pre-Production Checklist

- [ ] `password_encryption = 'scram-sha-256'` in `postgresql.conf`
- [ ] No `trust`, `password`, or `md5` methods in `pg_hba.conf`
- [ ] `hostssl` enforced for all remote connections
- [ ] `ssl_min_protocol_version = 'TLSv1.2'` (or higher)
- [ ] Server certificates use SAN (Subject Alternative Name) for hostname validation
- [ ] Private key files have `0600` permissions and owned by `postgres`
- [ ] `pg_hba.conf` ends with explicit `reject` rules for defense in depth
- [ ] `.pgpass` files have `0600` permissions (if used)
- [ ] No passwords in shell history (use `HISTCONTROL=ignorespace` or interactive input)
- [ ] Certificate expiry monitoring (alert before 30 days expiry)
- [ ] `log_connections = on` for audit trails

### Connection String Security Checklist

- [ ] Use `sslmode=verify-full` in production
- [ ] Store passwords in secrets managers (Vault, AWS Secrets Manager, Azure Key Vault)
- [ ] URL-encode special characters in passwords
- [ ] Use certificate authentication for service accounts where possible
- [ ] Rotate passwords every 90 days (or per policy) or use short-lived certificates

---

## Chapter Summary

In this chapter, you learned:

1. **SCRAM-SHA-256**: The industry-standard password authentication method that prevents replay attacks and eliminates cleartext password transmission. MD5 is cryptographically broken and must not be used.

2. **pg_hba.conf**: The gatekeeper of PostgreSQL access. Rules are processed top-down with the first match winning. Structure entries from most specific to most general, ending with explicit `reject` rules. Use `hostssl` to mandate encryption.

3. **Authentication Methods**: 
   - `scram-sha-256` for password-based production environments
   - `peer` for local administrative access via Unix sockets
   - `cert` for high-security environments eliminating password management
   - `ldap` with TLS for enterprise integration
   - Never use `trust`, `password`, or `md5` in production

4. **TLS Configuration**: Require TLS 1.2+, use `verify-full` sslmode for hostname verification, ensure server certificates include SAN entries, and protect private keys with strict file permissions (0600).

5. **Secret Management**: Never hardcode passwords. Use environment variables loaded from secure sources, `.pgpass` files with 0600 permissions for scripts, and centralized secrets managers for applications. Implement certificate-based authentication for service-to-service communication to eliminate password rotation complexity.

6. **Operational Security**: Monitor `pg_stat_ssl` for connection encryption status, enable `log_connections` for audit trails, implement certificate revocation lists for compromised credentials, and reload (not restart) `pg_hba.conf` after changes using `pg_reload_conf()` or `kill -HUP`.

**Next**: In Chapter 28, we will explore Application Security Patterns, covering Row-Level Security (RLS) implementation, multi-tenant security models, SQL injection prevention strategies, and data masking techniques for compliance with privacy regulations.