From:
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:
Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc:
Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>,
"Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>,
Andreas Pflug <pgadmin(at)pse-consulting(dot)de>,
"Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>,
pgsql-hackers(at)postgresql(dot)org
Subject:
Re: Why don't we allow DNS names in pg_hba.conf?
Date:
2006-01-03 17:43:03
Message-ID:
17937.1136310183@sss.pgh.pa.us
Lists:
pgsql-hackers

Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> One thing that bothers me slightly is that we would need to look up each
> name (at least until we found a match) for each connection. If you had
> lots of names in your pg_hba.conf that could be quite a hit.

A possible answer to that is to *not* look up the names from
pg_hba.conf, but instead restrict the feature to matching the
reverse-DNS name of the client. This limits the cost to one lookup per
connection instead of N (and it'd be essentially free if you have
log_hostnames turned on, since we already do that lookup in that case).

I'm not sure about the relative usefulness of this compared to the
forward-lookup case, nor whether it's riskier or less risky from a
spoofing point of view. But something to consider.

regards, tom lane
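
The lookup-cost and spoofing trade-off raised in this message, as an added example that is not part of the original email and is not PostgreSQL code: it compares forward matching (resolve each pg_hba.conf name) with reverse matching (one PTR lookup for the client) and counts lookups. The resolver stub, function names and DNS records are constructed for illustration, and the forward-confirmation step goes beyond what the message proposes.

```python
# Constructed DNS data for illustration; no network access is used.
FORWARD = {  # name -> addresses (A records)
    "app1.example.com": {"192.0.2.10"},
    "app2.example.com": {"192.0.2.11"},
    "report.example.com": {"192.0.2.12"},
}
REVERSE = {  # address -> name (PTR record)
    "192.0.2.12": "report.example.com",
    "203.0.113.5": "app1.example.com",  # PTR names a host whose A record disagrees
}


class CountingResolver:
    """Hypothetical resolver stub that counts every lookup it performs."""

    def __init__(self, forward, reverse):
        self.forward, self.reverse, self.lookups = forward, reverse, 0

    def addresses(self, name):
        self.lookups += 1
        return self.forward.get(name, set())

    def ptr_name(self, addr):
        self.lookups += 1
        return self.reverse.get(addr)


def match_forward(client_ip, hba_names, dns):
    """Resolve each listed name in order until one maps to the client (up to N lookups)."""
    for name in hba_names:
        if client_ip in dns.addresses(name):
            return name
    return None


def match_reverse(client_ip, hba_names, dns, confirm=True):
    """One PTR lookup for the client, then compare against the listed names.

    With confirm=True the claimed name is also resolved forward and must
    include client_ip, so the PTR record alone is not trusted.
    """
    name = (dns.ptr_name(client_ip) or "").lower().rstrip(".")
    if name not in hba_names:
        return None
    if confirm and client_ip not in dns.addresses(name):
        return None
    return name
```

Reverse matching costs one lookup (two with confirmation) regardless of how many names are listed, while the unconfirmed variant accepts whatever name the PTR record for the client address reports.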