| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | Re: Why don't we allow DNS names in pg_hba.conf? |
| Date: | 2006-01-01 19:02:03 |
| Message-ID: | 20060101190202.GC627@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sun, Jan 01, 2006 at 02:50:37PM -0400, Marc G. Fournier wrote:
> Employee adds his DNS to pg_hba.conf, becomes disgruntled employee, moves
> to different IP and same name, and can still access your database?
I think it depends how you do the check. You can either do a forward
lookup from the name and match that to the IP. Or you can do a reverse
lookup on the IP to match the name. Or both.
To work around either requires hijacking DNS but which servers varies.
If you've got the entries in /etc/hosts that makes hijacking harder.
I'm thinking something like tcpwrappers would be an example here. They
have a paranoid mode where your reverse and forward have to match.
Something to consider.
For the user in referred to thread: SSH tunnelling. I wonder if there's
a way we can make that easier to setup...
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Pflug | 2006-01-01 20:03:00 | Re: Why don't we allow DNS names in pg_hba.conf? |
| Previous Message | Qingqing Zhou | 2006-01-01 18:59:53 | Re: EINTR error in SunOS |