20.13. PAM Authentication
This authentication method operates similarly to
password except that it uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is
postgresql. PAM is used only to validate user name/password pairs and optionally the connected remote host name or IP address. Therefore the user must already exist in the database before PAM can be used for authentication. For more information about PAM, please read the Linux-PAM Page.
The following configuration options are supported for PAM:
PAM service name.
Determines whether the remote IP address or the host name is provided to PAM modules through the
PAM_RHOSTitem. By default, the IP address is used. Set this option to 1 to use the resolved host name instead. Host name resolution can lead to login delays. (Most PAM configurations don't use this information, so it is only necessary to consider this setting if a PAM configuration was specifically created to make use of it.)
If PAM is set up to read
/etc/shadow, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue when PAM is configured to use LDAP or other authentication methods.