From: | mark(at)mark(dot)mielke(dot)cc |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | Mark Woodward <pgsql(at)mohawksoft(dot)com>, Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Why don't we allow DNS names in pg_hba.conf? |
Date: | 2006-02-13 15:40:31 |
Message-ID: | 20060213154031.GA2033@mark.mielke.cc |
Lists: | pgsql-hackers |
On Mon, Feb 13, 2006 at 10:00:34AM -0500, Andrew Dunstan wrote:
> Mark Woodward wrote:
> >I'm not so sure you need to be paranoid about it. The scenario is, at
> >startup or HUP, names are looked up and stored as IP addresses. Then hba
> >works as it is supposed to.
> If you do it like that you destroy the only real use case I can see for
> this that has much value, namely to handle cases where the address can
> change dynamically.
*nod*
Addresses change, and for a stable PostgreSQL server, this would hopefully
mean that PostgreSQL has uptime across these changes. :-)
> We have address ranges now; are you proposing to have those IN ADDITION
> to hostname parameters (as opposed to being an alternative)?
I like in addition. For example, at work, saying "a.blah.com" and "47.*"
would give me an inch more of comfort, as the organization is large, and
there are numerous channels to having the name changed - but at least if
I know that the name is within 47.*, I know that it isn't somebody in
another partner company connecting directly from their network.
Not bullet proof, but slightly more difficult to manipulate.
> We can over-egg this pudding massively. I suggest we start with a simple
> implementation and see what needs it leaves unfilled. I would vote for
> allowing a hostname (or list of hostnames?) to replace the address/mask
> params, and that at connect time we do a forward lookup trying for a
> match with the connecting address. If we get a match then that's the hba
> line that applies.
Yes.
> Frankly, any auth mechanism based on the name or address of the client
> is insecure. If you have people connecting across possibly insecure
> networks you should use SSL with client certificates signed by your own
> CA, or a similar approach.
Yes.
Cheers,
mark
--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada
One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...
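The two matching styles discussed in this message, a hostname resolved by forward lookup at connect time and compared with the connecting address, and Mark's "in addition" variant where a hostname and an address range must both match, worked through as an added example. This is not PostgreSQL code and not anything from the thread's participants: the rule layout, the `HbaRule` fields, the DNS table and the addresses are constructed for illustration, and a stub resolver stands in for the forward lookup so the example runs offline.

```python
"""Connect-time hostname matching for pg_hba-style rules (added example).

Models the proposal in the thread: at connect time do a forward lookup of the
rule's hostname and accept only if one of the returned records equals the
connecting address. Optionally a network (address/mask) must match as well.
A reverse (PTR) lookup is never consulted, so a client cannot influence the
decision through a PTR zone it controls; a failed or empty lookup denies.
"""
import ipaddress
from typing import Callable, Iterable, List, NamedTuple, Optional

# Constructed stand-in for DNS (hostname -> address records). A real
# implementation would call getaddrinfo() on every connection so that an
# address that changes while the server is up is picked up.
CONSTRUCTED_DNS = {
    "a.blah.com": ["47.10.0.5", "2001:db8::5"],
}


def stub_resolver(hostname: str) -> List[str]:
    """Forward lookup against the constructed table (no network access)."""
    return CONSTRUCTED_DNS.get(hostname, [])


class HbaRule(NamedTuple):
    """One access rule. Field layout is this example's own, not pg_hba syntax.
    When both hostname and network are given, BOTH must match."""
    database: str
    user: str
    method: str
    hostname: Optional[str] = None
    network: Optional[str] = None


def rule_matches(rule: HbaRule, client_ip: str,
                 resolver: Callable[[str], Iterable[str]]) -> bool:
    addr = ipaddress.ip_address(client_ip)
    if rule.network is not None:
        # ip_network.__contains__ is False across IPv4/IPv6 versions.
        if addr not in ipaddress.ip_network(rule.network, strict=False):
            return False
    if rule.hostname is not None:
        # Forward lookup: the connecting address must be one of the name's
        # records. Unparseable or empty results fail closed.
        try:
            records = [ipaddress.ip_address(r) for r in resolver(rule.hostname)]
        except ValueError:
            return False
        if addr not in records:
            return False
    return True


def first_matching_method(rules: Iterable[HbaRule], database: str, user: str,
                          client_ip: str,
                          resolver: Callable[[str], Iterable[str]]) -> Optional[str]:
    """pg_hba semantics: the first rule whose parameters match decides the
    auth method; later rules are not consulted."""
    for rule in rules:
        if rule.database not in ("all", database):
            continue
        if rule.user not in ("all", user):
            continue
        if rule_matches(rule, client_ip, resolver):
            return rule.method
    return None


# Constructed rule set: hostname AND range, hostname only, range only, catch-all.
CONSTRUCTED_RULES = [
    HbaRule("all", "all", "trust", hostname="a.blah.com", network="47.0.0.0/8"),
    HbaRule("all", "all", "password", hostname="a.blah.com"),
    HbaRule("all", "all", "md5", network="47.0.0.0/8"),
    HbaRule("all", "all", "reject"),
]


if __name__ == "__main__":
    for ip in ("47.10.0.5", "2001:db8::5", "47.10.0.99", "203.0.113.1"):
        print(ip, "->", first_matching_method(CONSTRUCTED_RULES, "db", "u",
                                               ip, stub_resolver))
```

The combined rule only admits `47.10.0.5` without a password because it is both a current record of `a.blah.com` and inside `47.0.0.0/8`; an address in the range that the name does not resolve to falls through to the range-only rule, exactly the extra margin Mark describes. Because resolution happens per connection, the authentication path now depends on DNS being reachable, and the resolver stub here treats an empty answer as "no match" rather than as a pass.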