Re: host name support in pg_hba.conf
From | Tom Lane |
---|---|
Subject | Re: host name support in pg_hba.conf |
Date | |
Msg-id | 29712.1281451159@sss.pgh.pa.us |
In response to | Re: host name support in pg_hba.conf ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>) |
Responses |
Re: host name support in pg_hba.conf
Re: host name support in pg_hba.conf |
List | pgsql-hackers |
"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes: > Without the logic to ensure that the hostname matches the reverse > lookup, this might be useful for us. With that logic it is useless > for us. I'm wondering how much you gain by having it in there. Why > can't a forward lookup which matches the requesting IP be considered > sufficient? I was about to complain about that same thing. ISTM the logic ought to be that you do a forward DNS lookup on the name presented in pg_hba.conf, and if any of the returned IP addresses match the connection's remote IP address, then you have a match. This business with doing a reverse lookup is at least twice as expensive, far more fragile, and it seems completely bogus from a security viewpoint. Why should I trust the RDNS server for an attacker's IP address? regards, tom lane