Skip site navigation (1) Skip section navigation (2)

Re: Why don't we allow DNS names in pg_hba.conf?

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-01 19:02:03
Message-ID: 20060101190202.GC627@svana.org (view raw or flat)
Thread:
Lists: pgsql-hackers
On Sun, Jan 01, 2006 at 02:50:37PM -0400, Marc G. Fournier wrote:
> Employee adds his DNS to pg_hba.conf, becomes disgruntled employee, moves 
> to different IP and same name, and can still access your database?

I think it depends how you do the check. You can either do a forward
lookup from the name and match that to the IP. Or you can do a reverse
lookup on the IP to match the name. Or both.

To work around either requires hijacking DNS but which servers varies.
If you've got the entries in /etc/hosts that makes hijacking harder.

I'm thinking something like tcpwrappers would be an example here. They
have a paranoid mode where your reverse and forward have to match.
Something to consider.

For the user in referred to thread: SSH tunnelling. I wonder if there's
a way we can make that easier to setup...

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog(at)svana(dot)org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.

In response to

Responses

pgsql-hackers by date

Next:From: Andreas PflugDate: 2006-01-01 20:03:00
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Previous:From: Qingqing ZhouDate: 2006-01-01 18:59:53
Subject: Re: EINTR error in SunOS

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group