| From: | Stef Walter <stef-list(at)memberwebs(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg_hba.conf: samehost and samenet [REVIEW] |
| Date: | 2009-09-23 19:53:06 |
| Message-ID: | 4ABA7CA2.6040603@memberwebs.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Robert Haas wrote:
> On Wed, Sep 23, 2009 at 12:41 PM, Stef Walter <stef-list(at)memberwebs(dot)com> wrote:
>> Currently people are adding 0.0.0.0 to a default pg_hba.conf file in
>> order to allow access from nearby machines, without running into the
>> maintenance problems of hard coding IP addresses. However using 0.0.0.0
>> is clearly suboptimal from a security perspective.
>
> If people aren't willing to take the time (5 minutes?) to create an
> hba.conf file that implements a reasonable security policy, I'm not
> sure anything we can do - and certainly not this - is going to help
> very much. I haven't really looked at this patch, but how confident
> are we that this is actually portable? It would be a shame to spend a
> lot of time and energy troubleshooting portability problems with a
> feature that - IMO - has a fairly marginal use case to begin with.
Obviously this isn't the an authentication method. If you're using
'trust' authentication with anything but unix sockets you're pretty
screwed anyway. This is used in conjuction with an authentication method.
The core problem is with renumbering. Due to IPv4 addresses becoming
more and more scarce, ISPs are regularly foisting renumbering on their
customers. For example, it's in all the new contracts.
Often renumbering takes place on networks where the original developers
are long gone.
Postgresql has always been very fragile when renumbering due to hard
coded IP addresses in the pg_hba.conf file. This patch solves that
problem for most of the cases, where hosts nearby on the network can
talk to postgresql hosts without putting fragile rules into pg_hba.conf.
Allowing host names in pg_hba.conf would also solve this problem,
although the last person who tried to implement this it was a topic of
contention. I asked if I should focus on reverse DNS host names in
pg_hba.conf or portability for this samenet patch, and it was indicated
that I should do the latter.
If there is clear direction within the community to work on DNS based
stuff in pg_hba.conf I'd be willing to contribute effort there.
Cheers,
Stef
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2009-09-23 21:12:05 | Re: pg_hba.conf: samehost and samenet [REVIEW] |
| Previous Message | Marko Kreen | 2009-09-23 19:46:46 | Re: [rfc] unicode escapes for extended strings |