From 461ea6b796bd9dac701324a840cf32e1aee6932f Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Wed, 11 Jul 2001 20:32:11 +0000
Subject: [PATCH] Better document use of ident on localhost, per Tom Lane's idea.

---
 doc/src/sgml/client-auth.sgml | 10 +++++---
 src/backend/libpq/pg_hba.conf.sample | 46 ++++++++++++++++++------------------
 2 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 7ba2a36e2c..9067f53239 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-
+
 Client Authentication
@@ -242,7 +242,10 @@ hostssl database IP-addressPostgres then verifies whether the so identified operating system user is allowed to connect as the database user that is requested.
- This is only available for TCP/IP connections.
+ This is only available for TCP/IP connections. It can be used
+ on the local machine by specifying the localhost address 127.0.0.1.
+
+
 The authentication option following the ident keyword specifies the name of an ident map that specifies which operating
@@ -553,7 +556,8 @@ host all 192.168.0.0 255.255.0.0 ident omicron RFC 1413 The Identification Protocol is not intended as an authorization
- or access control protocol.
+ or access control protocol. You must trust the machine running the
+ ident server.
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index c6711fc08e..d9c05feb12 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -1,5 +1,5 @@
 #
-# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
+# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
 #
 #
 # This file controls:
@@ -101,9 +101,9 @@
 # be use only for machines where all users are truested.
 #
 # password: Authentication is done by matching a password supplied
-# in clear by the host. If no AUTH_ARGUMENT is used, the
-# password is compared with the user's entry in the
-# pg_shadow table.
+# in clear by the host. If no AUTH_ARGUMENT is used, the
+# password is compared with the user's entry in the
+# pg_shadow table.
 #
 # If AUTH_ARGUMENT is specified, the username is looked up
 # in that file in the $PGDATA directory. If the username
@@ -118,30 +118,30 @@
 # passwords.
 #
 # crypt: Same as "password", but authentication is done by
-# encrypting the password sent over the network. This is
-# always preferable to "password" except for old clients
-# that don't support "crypt". Also, crypt can use
-# usernames stored in secondary password files but not
-# secondary passwords.
-#
-# ident: Authentication is done by the ident server on the local
-# or remote host. AUTH_ARGUMENT is required and maps names
-# found in the $PGDATA/pg_ident.conf file. The connection
-# is accepted if the file contains an entry for this map
-# name with the ident-supplied username and the requested
-# PostgreSQL username. The special map name "sameuser"
-# indicates an implied map (not in pg_ident.conf) that
-# maps each ident username to the identical PostgreSQL
+# encrypting the password sent over the network. This is
+# always preferable to "password" except for old clients
+# that don't support "crypt". Also, crypt can use
+# usernames stored in secondary password files but not
+# secondary passwords.
+#
+# ident: Authentication is done by the ident server on the local
+# (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
+# maps names found in the $PGDATA/pg_ident.conf file. The
+# connection is accepted if the file contains an entry for
+# this map name with the ident-supplied username and the
+# requested PostgreSQL username. The special map name
+# "sameuser" indicates an implied map (not in pg_ident.conf)
+# that maps each ident username to the identical PostgreSQL
 # username.
 #
-# krb4: Kerberos V4 authentication is used.
+# krb4: Kerberos V4 authentication is used.
 #
-# krb5: Kerberos V5 authentication is used.
+# krb5: Kerberos V5 authentication is used.
 #
 # reject: Reject the connection. This is used to reject certain hosts
-# that are part of a network specified later in the file.
-# To be effective, "reject" must appear before the later
-# entries.
+# that are part of a network specified later in the file.
+# To be effective, "reject" must appear before the later
+# entries.
 #
 # Local UNIX-domain socket connections support only the AUTH_TYPEs of
 # "trust", "password", "crypt", and "reject".
-- 
2.11.0
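Review bot: The rewritten `+# ident:` lines now direct administrators to 127.0.0.1 for local use, but the sample file carries no statement that ident delegates the authentication decision to the ident server's answer, which the client-auth.sgml hunk in this same commit does add (`You must trust the machine running the ident server`). An administrator who reads only pg_hba.conf.sample will not see that caveat, and on the local host the method still depends on a running, trusted identd. I would add two lines after the `# username.` context line: `#          Ident is only as trustworthy as the machine running the` / `#          ident server; this applies to the local host as well.` The two earlier hunks in this file are whitespace-only and need no comment.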