On lör, 2011-11-26 at 01:20 +0200, Peter Eisentraut wrote:
> I think it would be useful to have separate initdb -A options for local
> and host entries. In 9.1, we went out of our way to separate the "peer"
> and "ident" methods, but we have moved the confusion into the initdb -A
> option, where "ident" sometimes means "peer", and "peer" sometimes means
> "ident". Moreover, having separate options would allow what I think
> would be a far more common use case, namely having local "peer" and host
> something other than "ident", such as "md5".
>
> I'm thinking, we could keep the existing -A option, but add long options
> such as --auth-local and --auth-host, to specify more detail.
Here is a patch that implements exactly that.
diff --git i/doc/src/sgml/ref/initdb.sgml w/doc/src/sgml/ref/initdb.sgml
index d816c21..08a3b86 100644
--- i/doc/src/sgml/ref/initdb.sgml
+++ w/doc/src/sgml/ref/initdb.sgml
@@ -118,10 +118,33 @@ PostgreSQL documentation
--auth=authmethod
-This option specifies the authentication method for local users
-used in pg_hba.conf. Do not use trust
-unless you trust all local users on your system. Trust
-is the default for ease of installation.
+This option specifies the authentication method for local users used
+in pg_hba.conf (host
+and local lines). Do not use trust
+unless you trust all local users on your system. Trust is
+the default for ease of installation.
+
+
+
+
+
+ --auth-host=authmethod
+
+
+This option specifies the authentication method for local users via
+TCP/IP connections used in pg_hba.conf
+(host lines).
+
+
+
+
+
+ --auth-local=authmethod
+
+
+This option specifies the authentication method for local users via
+Unix-domain socket connections used in pg_hba.conf
+(local lines).
diff --git i/src/backend/libpq/pg_hba.conf.sample w/src/backend/libpq/pg_hba.conf.sample
index 0a50905..a12ba26 100644
--- i/src/backend/libpq/pg_hba.conf.sample
+++ w/src/backend/libpq/pg_hba.conf.sample
@@ -79,11 +79,11 @@
@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
@remove-line-for-nolocal@local all all @authmethodlocal@
# IPv4 local connections:
-hostall all 127.0.0.1/32@authmethod@
+hostall all 127.0.0.1/32@authmethodhost@
# IPv6 local connections:
-hostall all ::1/128 @authmethod@
+hostall all ::1/128 @authmethodhost@
# Allow replication connections from localhost, by a user with the
# replication privilege.
@remove-line-for-nolocal@#local replication @default_username@@authmethodlocal@
-#hostreplication @default_username@127.0.0.1/32@authmethod@
-#hostreplication @default_username@::1/128 @authmethod@
+#hostreplication @default_username@127.0.0.1/32@authmethodhost@
+#hostreplication @default_username@::1/128 @authmethodhost@
diff --git i/src/bin/initdb/initdb.c w/src/bin/initdb/initdb.c
index 9df2656..21ced98 100644
--- i/src/bin/initdb/initdb.c
+++ w/src/bin/initdb/initdb.c
@@ -64,6 +64,34 @@
/* Ideally this would be in a .h file, but it hardly seems worth the trouble */
extern const char *select_default_timezone(const char *share_path);
+static const char *auth_methods_host[] = {"trust", "reject", "md5", "password", "ident", "radius",
+#ifdef ENABLE_GSS
+ "gss",
+#endif
+#ifdef ENABLE_SSPI
+ "sspi",
+#endif
+#ifdef KRB5
+ "krb5",
+#endif
+#ifdef USE_PAM
+ "pam", "pam ",
+#endif
+#ifdef USE_LDAP
+ "ldap",
+#endif
+#ifdef USE_SSL
+ "cert",
+#endif
+ NULL};
+static const char *auth_methods_local[] = {"trust", "reject", "md5", "password", "peer", "radius",
+#ifdef USE_PAM
+ "pam", "pam ",
+#endif
+#ifdef USE_LDAP
+ "ldap",
+#endif
+ NULL};
/*
* these values are passed in by makefile defines
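Review bot: The `"pam "` entry with a trailing space, listed next to `"pam"` in both `auth_methods_host` and `auth_methods_local`, is unexplained, and nothing in this hunk shows how the lists are compared with the value the user passes. Presumably it lets a method followed by options (such as a PAM service name) pass a prefix comparison, but the validation code is outside this hunk, so confirm that and say it in a comment, e.g. `/* "pam " (trailing space): accepts "pam" followed by options */`. If options are meant to be accepted, note that `"ldap"` and `"radius"` have no such entry even though those methods normally need parameters in pg_hba.conf; it is worth checking whether that is intended. A one-line comment above the arrays should also record why `"peer"` is accepted only for local and `"ident"` only for host, since these lists decide which methods initdb will write into pg_hba.conf. If nothing assigns to the array elements, `static const char *const auth_methods_host[]` (and likewise for the local list) would make both tables fully read-only.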
@@ -84,8 +112,8 @@ static const char *default_text_search_config = "";
static char *username = "";
static bool pwprompt = false;
static char *pwfilename = NULL;
-static char *authmethod = "";
-static char *authmethodlocal = "";
+static const char *authmethodhost = "";
+static const char *authmethodlocal = "";
static bool debug = false;
static bool noclean = false;
static bool show_setting = false;
@@ -1090,15 +1118,15 @@ setup_config(void)
/* Replace default authentication methods */
conflines = replace_token(conflines,
- "@authmethod@",
- authmethod);
+ "@authmethodhost@",
+ authmethodhost);
con