On Sun, Jan 01, 2006 at 02:50:37PM -0400, Marc G. Fournier wrote:
> Employee adds his DNS to pg_hba.conf, becomes disgruntled employee, moves
> to different IP and same name, and can still access your database?
I think it depends how you do the check. You can either do a forward
lookup from the name and match that to the IP. Or you can do a reverse
lookup on the IP to match the name. Or both.
To work around either requires hijacking DNS but which servers varies.
If you've got the entries in /etc/hosts that makes hijacking harder.
I'm thinking something like tcpwrappers would be an example here. They
have a paranoid mode where your reverse and forward have to match.
Something to consider.
For the user in referred to thread: SSH tunnelling. I wonder if there's
a way we can make that easier to setup...
Have a nice day,
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
In response to
pgsql-hackers by date
|Next:||From: Andreas Pflug||Date: 2006-01-01 20:03:00|
|Subject: Re: Why don't we allow DNS names in pg_hba.conf?|
|Previous:||From: Qingqing Zhou||Date: 2006-01-01 18:59:53|
|Subject: Re: EINTR error in SunOS |