6464/* Ideally this would be in a .h file, but it hardly seems worth the trouble */
6565extern const char * select_default_timezone (const char * share_path );
6666
67+ static const char * auth_methods_host []= {"trust" ,"reject" ,"md5" ,"password" ,"ident" ,"radius" ,
68+ #ifdef ENABLE_GSS
69+ "gss" ,
70+ #endif
71+ #ifdef ENABLE_SSPI
72+ "sspi" ,
73+ #endif
74+ #ifdef KRB5
75+ "krb5" ,
76+ #endif
77+ #ifdef USE_PAM
78+ "pam" ,"pam " ,
79+ #endif
80+ #ifdef USE_LDAP
81+ "ldap" ,
82+ #endif
83+ #ifdef USE_SSL
84+ "cert" ,
85+ #endif
86+ NULL };
87+ static const char * auth_methods_local []= {"trust" ,"reject" ,"md5" ,"password" ,"peer" ,"radius" ,
88+ #ifdef USE_PAM
89+ "pam" ,"pam " ,
90+ #endif
91+ #ifdef USE_LDAP
92+ "ldap" ,
93+ #endif
94+ NULL };
6795
6896/*
6997 * these values are passed in by makefile defines
@@ -84,8 +112,8 @@ static const char *default_text_search_config = "";
84112static char * username = "" ;
85113static bool pwprompt = false;
86114static char * pwfilename = NULL ;
87- static char * authmethod = "" ;
88- static char * authmethodlocal = "" ;
115+ static const char * authmethodhost = "" ;
116+ static const char * authmethodlocal = "" ;
89117static bool debug = false;
90118static bool noclean = false;
91119static bool show_setting = false;
@@ -1090,15 +1118,15 @@ setup_config(void)
10901118
10911119/* Replace default authentication methods */
10921120conflines = replace_token (conflines ,
1093- "@authmethod @" ,
1094- authmethod );
1121+ "@authmethodhost @" ,
1122+ authmethodhost );
10951123conflines = replace_token (conflines ,
10961124"@authmethodlocal@" ,
10971125authmethodlocal );
10981126
10991127conflines = replace_token (conflines ,
11001128"@authcomment@" ,
1101- strcmp (authmethod ,"trust" )!= 0 ? "" : AUTHTRUST_WARNING );
1129+ ( strcmp (authmethodlocal ,"trust" )== 0 || strcmp ( authmethodhost , "trust" ) == 0 ) ? AUTHTRUST_WARNING : "" );
11021130
11031131/* Replace username for replication */
11041132conflines = replace_token (conflines ,
@@ -2452,6 +2480,8 @@ usage(const char *progname)
24522480printf (_ (" %s [OPTION]... [DATADIR]\n" ),progname );
24532481printf (_ ("\nOptions:\n" ));
24542482printf (_ (" -A, --auth=METHOD default authentication method for local connections\n" ));
2483+ printf (_ (" --auth-host=METHOD default authentication method for local TCP/IP connections\n" ));
2484+ printf (_ (" --auth-local=METHOD default authentication method for local-socket connections\n" ));
24552485printf (_ (" [-D, --pgdata=]DATADIR location for this database cluster\n" ));
24562486printf (_ (" -E, --encoding=ENCODING set default encoding for new databases\n" ));
24572487printf (_ (" --locale=LOCALE set default locale for new databases\n" ));
@@ -2479,6 +2509,50 @@ usage(const char *progname)
24792509printf (_ ("\nReport bugs to <pgsql-bugs@postgresql.org>.\n" ));
24802510}
24812511
2512+ static void
2513+ check_authmethod_unspecified (const char * * authmethod )
2514+ {
2515+ if (* authmethod == NULL || strlen (* authmethod )== 0 )
2516+ {
2517+ authwarning = _ ("\nWARNING: enabling \"trust\" authentication for local connections\n"
2518+ "You can change this by editing pg_hba.conf or using the option -A, or\n"
2519+ "--auth-local and --auth-host, the next time you run initdb.\n" );
2520+ * authmethod = "trust" ;
2521+ }
2522+ }
2523+
2524+ static void
2525+ check_authmethod_valid (const char * authmethod ,const char * * valid_methods ,const char * conntype )
2526+ {
2527+ const char * * p ;
2528+
2529+ for (p = valid_methods ;* p ;p ++ )
2530+ {
2531+ if (strcmp (authmethod ,* p )== 0 )
2532+ return ;
2533+ /* with space = param */
2534+ if (strchr (authmethod ,' ' ))
2535+ if (strncmp (authmethod ,* p , (authmethod - strchr (authmethod ,' ' )))== 0 )
2536+ return ;
2537+ }
2538+
2539+ fprintf (stderr ,_ ("%s: invalid authentication method \"%s\" for \"%s\" connections\n" ),
2540+ progname ,authmethod ,conntype );
2541+ exit (1 );
2542+ }
2543+
2544+ static void
2545+ check_need_password (const char * authmethod )
2546+ {
2547+ if ((strcmp (authmethod ,"md5" )== 0 ||
2548+ strcmp (authmethod ,"password" )== 0 )&&
2549+ !(pwprompt || pwfilename ))
2550+ {
2551+ fprintf (stderr ,_ ("%s: must specify a password for the superuser to enable %s authentication\n" ),progname ,authmethod );
2552+ exit (1 );
2553+ }
2554+ }
2555+
24822556int
24832557main (int argc ,char * argv [])
24842558{
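Review bot: In check_authmethod_valid the count passed to strncmp, `authmethod - strchr(authmethod, ' ')`, is subtracted the wrong way round, so it is zero or negative. A negative value converted to size_t becomes a huge count, so the call behaves like the strcmp that has just failed and a method given with parameters is never accepted. A value that begins with a space gives a count of zero, which makes strncmp return 0 and lets the string through unvalidated. Judging by the `"pam "` entries in the method lists, the intent appears to be to match through the space: `const char *sp = strchr(authmethod, ' ');` followed by `if (sp && strncmp(authmethod, *p, (size_t) (sp - authmethod) + 1) == 0) return;`. That form accepts parameters only for entries listed with a trailing space, whereas a prefix compare of length `sp - authmethod` would accept them on every listed method.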
@@ -2499,6 +2573,8 @@ main(int argc, char *argv[])
24992573{"no-locale" ,no_argument ,NULL ,8 },
25002574{"text-search-config" ,required_argument ,NULL ,'T' },
25012575{"auth" ,required_argument ,NULL ,'A' },
2576+ {"auth-local" ,required_argument ,NULL ,10 },
2577+ {"auth-host" ,required_argument ,NULL ,11 },
25022578{"pwprompt" ,no_argument ,NULL ,'W' },
25032579{"pwfile" ,required_argument ,NULL ,9 },
25042580{"username" ,required_argument ,NULL ,'U' },
@@ -2567,7 +2643,22 @@ main(int argc, char *argv[])
25672643switch (c )
25682644{
25692645case 'A' :
2570- authmethod = xstrdup (optarg );
2646+ authmethodlocal = authmethodhost = xstrdup (optarg );
2647+ /*
2648+ * When ident is specified, use peer for local connections.
2649+ * Mirrored, when peer is specified, use ident for TCP/IP
2650+ * connections.
2651+ */
2652+ if (strcmp (authmethodhost ,"ident" )== 0 )
2653+ authmethodlocal = "peer" ;
2654+ else if (strcmp (authmethodlocal ,"peer" )== 0 )
2655+ authmethodhost = "ident" ;
2656+ break ;
2657+ case 10 :
2658+ authmethodlocal = xstrdup (optarg );
2659+ break ;
2660+ case 11 :
2661+ authmethodhost = xstrdup (optarg );
25712662break ;
25722663case 'D' :
25732664pg_data = xstrdup (optarg );
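Review bot: Because `case 'A'` assigns both authmethodlocal and authmethodhost as soon as it is parsed, the result depends on option order. An `-A` that comes after `--auth-local` or `--auth-host` silently overwrites the more specific choice, while one that comes before is itself overridden. If last-one-wins is intended, state it above the case, for example `/* -A sets both methods; a later --auth-local/--auth-host overrides it, an earlier one is overwritten */`. Otherwise keep the `-A` value in its own variable and apply it after the getopt loop only to the method that is still unset. The enclosing switch starts and ends outside this hunk.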
@@ -2659,56 +2750,14 @@ main(int argc, char *argv[])
26592750exit (1 );
26602751}
26612752
2662- if (authmethod == NULL || !strlen (authmethod ))
2663- {
2664- authwarning = _ ("\nWARNING: enabling \"trust\" authentication for local connections\n"
2665- "You can change this by editing pg_hba.conf or using the -A option the\n"
2666- "next time you run initdb.\n" );
2667- authmethod = "trust" ;
2668- }
2753+ check_authmethod_unspecified (& authmethodlocal );
2754+ check_authmethod_unspecified (& authmethodhost );
26692755
2670- if (strcmp (authmethod ,"md5" )!= 0 &&
2671- strcmp (authmethod ,"peer" )!= 0 &&
2672- strcmp (authmethod ,"ident" )!= 0 &&
2673- strcmp (authmethod ,"trust" )!= 0 &&
2674- #ifdef USE_PAM
2675- strcmp (authmethod ,"pam" )!= 0 &&
2676- strncmp (authmethod ,"pam " ,4 )!= 0 && /* pam with space = param */
2677- #endif
2678- strcmp (authmethod ,"password" )!= 0
2679- )
2756+ check_authmethod_valid (authmethodlocal ,auth_methods_local ,"local" );
2757+ check_authmethod_valid (authmethodhost ,auth_methods_host ,"host" );
26802758
2681- /*
2682- * Kerberos methods not listed because they are not supported over
2683- * local connections and are rejected in hba.c
2684- */
2685- {
2686- fprintf (stderr ,_ ("%s: unrecognized authentication method \"%s\"\n" ),
2687- progname ,authmethod );
2688- exit (1 );
2689- }
2690-
2691- if ((strcmp (authmethod ,"md5" )== 0 ||
2692- strcmp (authmethod ,"password" )== 0 )&&
2693- !(pwprompt || pwfilename ))
2694- {
2695- fprintf (stderr ,_ ("%s: must specify a password for the superuser to enable %s authentication\n" ),progname ,authmethod );
2696- exit (1 );
2697- }
2698-
2699- /*
2700- * When ident is specified, use peer for local connections. Mirrored, when
2701- * peer is specified, use ident for TCP connections.
2702- */
2703- if (strcmp (authmethod ,"ident" )== 0 )
2704- authmethodlocal = "peer" ;
2705- else if (strcmp (authmethod ,"peer" )== 0 )
2706- {
2707- authmethodlocal = "peer" ;
2708- authmethod = "ident" ;
2709- }
2710- else
2711- authmethodlocal = authmethod ;
2759+ check_need_password (authmethodlocal );
2760+ check_need_password (authmethodhost );
27122761
27132762if (strlen (pg_data )== 0 )
27142763{
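Review bot: With the two check_authmethod_unspecified calls, giving only one of `--auth-local` / `--auth-host` leaves the other on "trust", and the warning does not say which one. The text stored in authwarning is the same in both cases ("for local connections"), so the operator cannot tell from it which connection type was left without authentication. The helper could take the connection-type string the way check_authmethod_valid does and name it in the message, e.g. `check_authmethod_unspecified(&authmethodhost, "host");`. main's body continues outside the hunk.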