diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 0a90b68c1006e386e46987998866225a2870e45a..c40696b6b5061434d984e3ae3f6eade94df94def 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -22,7 +22,9 @@
 # plain TCP/IP socket.
 #
 # DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof.
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
 #
 # USER can be "all", a user name, a group name prefixed with "+", or a
 # comma-separated list thereof.  In both the DATABASE and USER fields
@@ -80,3 +82,7 @@
 host    all             all             127.0.0.1/32            @authmethod@
 # IPv6 local connections:
 host    all             all             ::1/128                 @authmethod@
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+# host    replication     @default_username@        127.0.0.1/32            @authmethod@
+# host    replication     @default_username@        ::1/128                 @authmethod@
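Review bot: The example records put the substituted `@default_username@` in the USER field, and the initdb.c hunk fills that in with initdb's `username`, which is presumably the bootstrap superuser. The comment "by a user with the replication privilege" therefore reads as a recommendation to replicate as that account. A replication connection can stream the whole cluster, so a dedicated role that holds only the replication privilege is the safer default to document. I would add a line such as `# Prefer a dedicated role that has only the replication privilege over the superuser.` above the two records. The records also reuse `@authmethod@`, so they inherit whatever method initdb was run with. A short reminder to review the method before uncommenting would help.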
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 56a396bdddc7aa9747071f14868311d0133bc5c3..4949af965727193ec77608461966dd08f305ad6d 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -1086,6 +1086,11 @@ setup_config(void)
 							  "@authcomment@",
 					   strcmp(authmethod, "trust") ? "" : AUTHTRUST_WARNING);
 
+    /* Replace username for replication */
+	conflines = replace_token(conflines,
+							  "@default_username@",
+							  username);
+
 	snprintf(path, sizeof(path), "%s/pg_hba.conf", pg_data);
 
 	writefile(path, conflines);
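Review bot: `username` is substituted into pg_hba.conf verbatim and unquoted, while the USER field gives special meaning to `all`, a leading `+` (group name) and commas (list separator), as the sample's own header describes. A user name that contains one of these, or whitespace, would change what the replication record matches once an administrator uncomments it. Writing the placeholder in double quotes in the sample (`"@default_username@"`) removes the keyword and group interpretation. A name that contains a double quote would still need escaping or rejecting before the `replace_token` call. Separately, the added comment line is indented with spaces where the surrounding code uses tabs. The body of `setup_config` starts and ends outside this hunk, so any earlier validation of `username` is not visible here.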