From: | Thom Brown <thom(at)linux(dot)com> |
---|---|
To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: host name support in pg_hba.conf |
Date: | 2010-08-09 18:56:21 |
Message-ID: | AANLkTi=OVVAoB5U2K1s0+TKesUSTaMi9byLYgX5fwywL@mail.gmail.com |
Lists: | pgsql-hackers |
On 9 August 2010 19:47, Peter Eisentraut <peter_e(at)gmx(dot)net> wrote:
> Here is a patch for host name support in pg_hba.conf. I have reviewed
> various past threads about this, and there appeared to have been a 50/50
> split of for and against reverse lookup. I went with the reverse
> lookup, because
>
> 0) I like it.
>
> 1) It is more secure.
>
> 2) It allows extending it to wildcards in the future.
>
> 3) Apache (Allow from) does it that way.
>
> To clarify how it works: The client's IP address (known from the
> kernel) is reverse looked up, which results in a host name. That host
> name is compared with the line in pg_hba.conf. If it matches, a forward
> lookup is performed on the host name to check if any of the resulting IP
> addresses match the client's IP address. If yes, the line is considered
> to match and the authentication method is selected.
>
> Anyway, assuming we will go with this, you will also notice that in the
> patch I changed the default pg_hba.conf to match against "localhost"
> instead of numeric addresses. Initially thought of as a temporary
> change for testing this patch, I think this might actually have some
> permanent value because it saves you from having to change the IPv4 and
> IPv6 lines in tandem most of the time, which is a moderately common
> mistake. We already rely on localhost being (forward) resolvable for
> the stats collector.
>
> Something to think about: Maybe we need a quoting mechanism in case
> someone names their hosts "samenet".
>
>
> --
A couple things:
+ matches. This field can contain either a host name, an IP
+ address range, one of the special key words mentioned below.
+ </para>
s/, one/, or one/
+ If a host name is specified (anything that is not an IP address
+ or a special key word is processed as a potential host name), a
+ reverse DNS lookup is performed on the client's IP address,
+ then a forward DNS lookup on the resulting name to check if it
+ matches the original IP address (that is, at least one of the
+ potentially many IP addresses matches the original one), and
+ the name found in the reverse lookup is compared with the
+ specified host name.
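Review bot: the order of steps in this sentence does not match the description given earlier in the thread, where the name obtained from the reverse lookup is compared with the pg_hba.conf entry first and the forward lookup is performed only if that comparison succeeds; here the forward lookup is described before the comparison. Suggest splitting it into three sentences in that order, e.g. "a reverse DNS lookup is performed on the client's IP address; the resulting name is compared with the specified host name; if they match, a forward DNS lookup on that name must return the client's IP address among its results." Stating the forward check as a condition that must hold also makes it clear that a matching reverse lookup on its own is not sufficient for the line to match.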
That's one loooong sentence!
--
Thom Brown
Registered Linux user: #516935
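As an added illustration of the matching procedure described in the quoted message (reverse lookup of the client address, comparison of the resulting name with the pg_hba.conf entry, then a forward lookup that must return the client's address), here is example code written for this page; it is not PostgreSQL's own code. The system resolver is replaced by constructed PTR and A/AAAA tables so the example runs offline, the hosts and addresses in those tables are made-up sample values, and the helper names (hba_host_matches, is_address_or_range and the lookup functions) are assumptions of this example.

```python
import ipaddress

# Constructed DNS data standing in for the system resolver (sample values,
# not real hosts). A real implementation would call getnameinfo() for the
# reverse step and getaddrinfo() for the forward step.
PTR_RECORDS = {
    "10.0.0.5": "app1.example.com",
    "10.0.0.9": "app1.example.com",  # reverse record claims a trusted name...
    "127.0.0.1": "localhost",
    "::1": "localhost",
}
A_RECORDS = {
    "app1.example.com": ["10.0.0.5"],  # ...but forward resolution does not return 10.0.0.9
    "localhost": ["127.0.0.1", "::1"],
}


def reverse_lookup(ip: str):
    """PTR lookup against the constructed table; None when no record exists."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str):
    """A/AAAA lookup against the constructed table; empty list when unknown."""
    return A_RECORDS.get(name, [])


def is_address_or_range(field: str) -> bool:
    """True when the pg_hba.conf host field parses as an IP address or CIDR range."""
    try:
        ipaddress.ip_network(field, strict=False)
        return True
    except ValueError:
        return False


def hba_host_matches(client_ip: str, hba_field: str,
                     reverse=reverse_lookup, forward=forward_lookup) -> bool:
    """Decide whether the host field of a pg_hba.conf line covers client_ip.

    Special key words (all, samehost, samenet) are assumed to be handled
    before this function is reached; anything else that is not an address
    is treated as a host name, as the quoted documentation text says.
    """
    addr = ipaddress.ip_address(client_ip)

    if is_address_or_range(hba_field):
        # Numeric entry: plain subnet membership, no DNS involved.
        return addr in ipaddress.ip_network(hba_field, strict=False)

    # Step 1: the reverse lookup of the client address yields a host name.
    name = reverse(client_ip)
    if name is None:
        return False

    # Step 2: that name must equal the configured host name
    # (case-insensitive comparison is an assumption of this example).
    if name.lower() != hba_field.lower():
        return False

    # Step 3: forward-confirm the name. At least one of the addresses it
    # resolves to must be the client's address; a reverse record that merely
    # claims the trusted name is rejected here.
    return any(ipaddress.ip_address(a) == addr for a in forward(name))


if __name__ == "__main__":
    checks = [
        ("10.0.0.5", "app1.example.com"),   # forward and reverse agree: match
        ("10.0.0.9", "app1.example.com"),   # reverse says app1, forward disagrees: no match
        ("127.0.0.1", "localhost"),         # one "localhost" line covers IPv4...
        ("::1", "localhost"),               # ...and IPv6 loopback
        ("10.0.0.5", "10.0.0.0/24"),        # numeric ranges are unaffected
    ]
    for ip, field in checks:
        print(f"{ip:>10}  {field:<18}  {hba_host_matches(ip, field)}")
```

The second check is the case the forward lookup exists for: the reverse record for 10.0.0.9 names app1.example.com, but app1.example.com does not resolve back to 10.0.0.9, so the line does not match. The localhost checks show the point made about the default pg_hba.conf: a single "localhost" entry covers both the IPv4 and the IPv6 loopback address, provided localhost is resolvable in both directions.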