On 9 August 2010 19:47, Peter Eisentraut <peter_e@gmx.net> wrote:
> Here is a patch for host name support in pg_hba.conf. I have reviewed
> various past threads about this, and there appeared to have been a 50/50
> split of for and against reverse lookup. I went with the reverse
> lookup, because
>
> 0) I like it.
>
> 1) It is more secure.
>
> 2) It allows extending it to wildcards in the future.
>
> 3) Apache (Allow from) does it that way.
>
> To clarify how it works: The client's IP address (known from the
> kernel) is reverse looked up, which results in a host name. That host
> name is compared with the line in pg_hba.conf. If it matches, a forward
> lookup is performed on the host name to check if any of the resulting IP
> addresses match the client's IP address. If yes, the line is considered
> to match and the authentication method is selected.
>
> Anyway, assuming we will go with this, you will also notice that in the
> patch I changed the default pg_hba.conf to match against "localhost"
> instead of numeric addresses. Initially thought of as a temporary
> change for testing this patch, I think this might actually have some
> permanent value because it saves you from having to change the IPv4 and
> IPv6 lines in tandem most of the times, which is a moderately common
> mistake. We already rely on localhost being (forward) resolvable for
> the stats collector.
>
> Something to think about: Maybe we need a quoting mechanism in case
> someone names their hosts "samenet".
>
>
> --
A couple things:
+ matches. This field can contain either a host name, an IP
+ address range, one of the special key words mentioned below.
+ </para>
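Review bot: The enumeration in the first sentence of this paragraph lacks a conjunction before its last item, so "either" has nothing to pair with; suggest "either a host name, an IP address range, or one of the special key words mentioned below."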
s/, one/, or one/
+ If a host name is specified (anything that is not an IP address
+ or a special key word is processed as a potential host name), a
+ reverse DNS lookup is performed on the client's IP address,
+ then a forward DNS lookup on the resulting name to check if it
+ matches the original IP address (that is, at least one of the
+ potentially many IP addresses matches the original one), and
+ the name found in the reverse lookup is compared with the
+ specified host name.
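Review bot: The order of operations in this paragraph differs from the description in the message above: there the reverse name is compared with the configured host name first and the forward lookup only follows a match, whereas this sentence places the forward lookup before the comparison. Suggest splitting it into the three steps (reverse lookup of the client address, comparison of the resulting name with the configured one, forward lookup to confirm the name resolves back to the client address) in the order the code actually uses, and stating explicitly that a failure at any step means the line does not match.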
That's one loooong sentence!
--
Thom Brown
Registered Linux user: #516935
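The reverse-then-forward check discussed in this thread, as an added example that is not PostgreSQL's code or part of the patch. It follows the order Peter describes (reverse lookup, name comparison, then forward confirmation) and also shows the address-field classification rule quoted from the documentation. The resolver tables `PTR_RECORDS` and `ADDRESS_RECORDS` are constructed so the script runs offline; the `system_*` functions show how live OS lookups would plug in, and the case-insensitive, trailing-dot-tolerant name comparison is this example's assumption, not a statement about what the patch does.

```python
"""Forward-confirmed reverse DNS check for a pg_hba.conf host name entry.

Added example (not PostgreSQL's own code). The resolver tables below are
constructed for an offline demonstration; the system_* resolvers show how
live lookups would be plugged in instead.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Special key words pg_hba.conf accepts in the address field.
HBA_KEYWORDS = {"all", "samehost", "samenet"}


def classify_hba_address(field: str) -> str:
    """Return 'keyword', 'ip_range' or 'hostname' for an address field value.

    Mirrors the rule quoted in the thread: anything that is neither an IP
    address nor a special key word is treated as a potential host name.
    """
    if field in HBA_KEYWORDS:
        return "keyword"
    try:
        ipaddress.ip_network(field, strict=False)  # "10.0.0.0/8", "::1", ...
        return "ip_range"
    except ValueError:
        return "hostname"


def normalize_name(name: str) -> str:
    # Assumption of this example: compare DNS names case-insensitively and
    # ignore a trailing dot (the fully-qualified-name marker).
    return name.rstrip(".").lower()


def system_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup via the OS resolver (None when there is no PTR record)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def system_forward(name: str) -> list[str]:
    """Live A/AAAA lookup via the OS resolver (empty list when it fails)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def hba_hostname_matches(
    client_ip: str,
    hba_host: str,
    reverse: Callable[[str], Optional[str]] = system_reverse,
    forward: Callable[[str], Iterable[str]] = system_forward,
) -> bool:
    """Decide whether client_ip satisfies a pg_hba.conf line naming hba_host."""
    # Step 1: reverse lookup of the kernel-supplied client address.
    name = reverse(client_ip)
    if name is None:
        return False
    # Step 2: the reverse name must equal the configured host name. Doing this
    # before the forward lookup avoids a needless query when it cannot match.
    if normalize_name(name) != normalize_name(hba_host):
        return False
    # Step 3: forward-confirm. The owner of the client's reverse zone controls
    # what the PTR record says, so at least one address of that name must be
    # the client's actual address for the line to match.
    client = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == client for a in forward(name))


# --- constructed resolver data for the offline demonstration ----------------
PTR_RECORDS = {
    "192.0.2.10": "app1.example.test",     # forward record agrees: matches
    "198.51.100.7": "APP1.example.test.",  # PTR claims app1, forward disagrees
    "203.0.113.5": "other.example.test",   # a different, consistent host
}
ADDRESS_RECORDS = {
    "app1.example.test": ["192.0.2.10", "2001:db8::10"],
    "other.example.test": ["203.0.113.5"],
}


def table_reverse(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def table_forward(name: str) -> list[str]:
    return ADDRESS_RECORDS.get(normalize_name(name), [])


def check_with_tables(client_ip: str, hba_host: str) -> bool:
    """Run the check against the constructed tables instead of live DNS."""
    return hba_hostname_matches(client_ip, hba_host, table_reverse, table_forward)


if __name__ == "__main__":
    for ip in list(PTR_RECORDS) + ["192.0.2.99"]:
        print(ip, "vs app1.example.test ->", check_with_tables(ip, "app1.example.test"))
```

The second table entry is the case that makes the forward lookup worth its cost: the reverse name alone would match the configured host, and only the forward confirmation rejects it. Running with the real `system_*` resolvers simply means omitting the last two arguments.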