Re: Why don't we allow DNS names in pg_hba.conf?
From | Bruce Momjian |
---|---|
Subject | Re: Why don't we allow DNS names in pg_hba.conf? |
Date | |
Msg-id | 200602130342.k1D3gVu06834@candle.pha.pa.us |
In response to | Re: Why don't we allow DNS names in pg_hba.conf? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: Why don't we allow DNS names in pg_hba.conf? |
List | pgsql-hackers |

Added to TODO:

  o Allow pg_hba.conf to specify host names along with IP addresses

    Host name lookup could occur when the postmaster reads the
    pg_hba.conf file, or when the backend starts. Another
    solution would be to reverse lookup the connection IP and
    check that hostname against the host names in pg_hba.conf.
    We could also then check that the host name maps to the IP
    address.

---------------------------------------------------------------------------

Tom Lane wrote:
> mark@mark.mielke.cc writes:
> > On Tue, Jan 03, 2006 at 12:43:03PM -0500, Tom Lane wrote:
> >> I'm not sure about the relative usefulness of this compared to the
> >> forward-lookup case, nor whether it's riskier or less risky from a
> >> spoofing point of view. But something to consider.
>
> > I think it's riskier. I have my own PTR records, that I can make be
> > whatever I wish without any authority verifying that my actions are
> > proper.
>
> Yeah, that occurred to me after a few moments' thought. We could do one
> extra forward lookup to confirm that the reverse-lookup name maps back
> to the IP address.
>
> > It's not a big deal.
>
> Depends on how many names you want to put into pg_hba.conf. I don't
> offhand see a use-case for very many, but maybe there is one. Even
> if there are a lot, they'd not be expensive to look up if there is
> a local nameserver that is authoritative for those names ... which
> I'd think would be the normal case. The more "outside" names you've
> got in pg_hba.conf, the more open you are to spoofing.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Have you searched our list archives?
>
> http://archives.postgresql.org
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
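
The reverse lookup followed by a confirming forward lookup, as described in the TODO entry and in Tom Lane's quoted reply, shown as an added sketch that is not part of the original message and is not PostgreSQL code. The function names, the injectable resolver callables and the sample DNS data (documentation address ranges, example.com) are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; returns candidate host names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def norm(name):
    """DNS names compare case-insensitively, ignoring a trailing root dot."""
    return name.rstrip(".").lower()

def host_allowed(client_ip, allowed_names, reverse=system_reverse, forward=system_forward):
    """Hypothetical helper: accept client_ip only if its PTR name is listed AND maps back."""
    ip = ipaddress.ip_address(client_ip)
    allowed = {norm(n) for n in allowed_names}
    for name in reverse(client_ip):
        if norm(name) not in allowed:
            continue
        # The PTR record is controlled by whoever owns the reverse zone, so the
        # claimed name counts only if its forward records contain this address.
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == ip:
                    return True
            except ValueError:
                continue
    return False

# Constructed sample DNS data: 203.0.113.66 claims a listed name in its own PTR zone.
PTR = {"192.0.2.10": ["db-client.example.com."], "203.0.113.66": ["db-client.example.com"]}
A = {"db-client.example.com": ["192.0.2.10"]}

def fake_reverse(ip):
    return PTR.get(ip, [])

def fake_forward(name):
    return A.get(norm(name), [])
```

With the constructed data, 192.0.2.10 is accepted and 203.0.113.66 is rejected even though its PTR record names a listed host, because the forward lookup of that name does not return 203.0.113.66.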