On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd@commandprompt.com) wrote:
> > Allow pg_hba.conf to specify host names along with IP addresses
>
> Excellent.
>
> > Host name lookup could occur when the postmaster reads the pg_hba.conf
> > file, or when the backend starts. Another solution would be to reverse
> > lookup the connection IP and check that hostname against the host names
> > in pg_hba.conf. We could also then check that the host name maps to the
> > IP address.
>
> I'm inclined towards doing the reverse-DNS of the connecting IP and then
> checking that the forward of that matches.
Hmm what if it doesn't? Which is the case any many scenario. My thoughts
are:
If www.commandprompt.com is allowed, then the ip address 207.173.200.129
is allowed to connect.
If we go the reverse way:
129.200.173.207.in-addr.arpa name = 129.commandprompt.com.
Which really isn't that useful imo.
>
> > Allow one to specify a FQDN or a simple wild card DN. E.g;
> > *.commandprompt.com.
> >
> > A valid entry would look like this:
> >
> > host all all *.commandprompt.com trust
> > host all all www1.postgresql.org md5
> >
> > Thoughts?
>
> While a wildcard does make sense (ie: www*.postgresql.org), I would
> generally expect 'commandprompt.com' to mean '*.commandprompt.com'
> implicitly.
Hmm interesting. I wouldn't expect that. I might
expect .commandprompt.com to mean *.commandprompt.com. But
commandprompt.com I would expect only whatever the A record returns as
commandprompt.com.
One thing I don't want to do is create a bunch of different style
syntaxes that are available :)
Sincerely,
Joshua D. Drake
>
> Thanks!
>
> Stephen
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997 http://www.commandprompt.com/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate