Обсуждение: Pg_hba and dynamic dns
I've discovered I can use URLs for an IP address in pg_hba.conf, and everything works ok if the host can be resolved. If it can't be resolved I get the error: psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for details And then all tcp/ip is denied. That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access shouldn't break if a URL can't be resolved? -- Randall Perry sysTame Xserve Web Hosting/Co-location Website Development/Promotion Mac Consulting/Sales http://www.systame.com/
On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote: > I've discovered I can use URLs for an IP address in pg_hba.conf, and > everything works ok if the host can be resolved. > > If it can't be resolved I get the error: > psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for > details > > And then all tcp/ip is denied. > > That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access > shouldn't break if a URL can't be resolved? IMHO support for fqdn should be removed. 1. FQDN's are mostly resolved when the configuration is being loaded. So that data isn't going to change when the program is running or would you like to do a dns query for every connection you get? 2. How are you going to handle forward and reversed dns? Think about multiple A-records, fake or no reversed DNS, etc. 3. If fqdn is being checked when the db gets a connection people can break in when you only check reversed dns. 4. Who is going to ensure me that dns isn't compromised somewhere down the line? This are just a few things, but I'm wondering. -- Hans
Ok, those are valid points. What I'm trying to do is get access to the db for clients who are on the road using connections with dynamic IPs, from a PC running an MS Access db app. Dynamic DNS would have been an easy solution. Any ideas how to achieve this in other ways? > On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote: >> I've discovered I can use URLs for an IP address in pg_hba.conf, and >> everything works ok if the host can be resolved. >> >> If it can't be resolved I get the error: >> psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for >> details >> >> And then all tcp/ip is denied. >> >> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access >> shouldn't break if a URL can't be resolved? > > IMHO support for fqdn should be removed. > > 1. FQDN's are mostly resolved when the configuration is being loaded. > So that data isn't going to change when the program is running or > would you like to do a dns query for every connection you get? > > 2. How are you going to handle forward and reversed dns? Think about > multiple A-records, fake or no reversed DNS, etc. > > 3. If fqdn is being checked when the db gets a connection people can > break in when you only check reversed dns. > > 4. Who is going to ensure me that dns isn't compromised somewhere down > the line? > > This are just a few things, but I'm wondering. -- Randall Perry sysTame Xserve Web Hosting/Co-location Website Development/Promotion Mac Consulting/Sales http://www.systame.com/
On Fri, May 09, 2003 at 09:51:54AM -0400, Randall Perry wrote: > Ok, those are valid points. > > What I'm trying to do is get access to the db for clients who are on the > road using connections with dynamic IPs, from a PC running an MS Access db > app. Dynamic DNS would have been an easy solution. > > Any ideas how to achieve this in other ways? Don't do it. You need to look in another direction, because your design is pretty lame. My design would be to use something like IPsec to create a VPN between client and a router. This way all traffic is encrypted, your ACL's aren't dynamic and you can safely control and account who is accessing the data. This because the client becomes part from the network. Another suggestion, but proberly would cost more on the short term and proberly will safe money on the long term is to build a 100% webapp. This also can be safe by granting access based on SSL-keys and username/password. -- Hans
set them up with an ssh tunnel to the db server and connect with that. That's how I have my suits access our intranet remotely. ----- Original Message ----- From: "Randall Perry" <rgp@systame.com> To: "Hans Spaans" <pgsql-admin@lists.hansspaans.nl>; <pgsql-admin@postgresql.org> Sent: Friday, May 09, 2003 6:51 AM Subject: Re: [ADMIN] Pg_hba and dynamic dns > Ok, those are valid points. > > What I'm trying to do is get access to the db for clients who are on the > road using connections with dynamic IPs, from a PC running an MS Access db > app. Dynamic DNS would have been an easy solution. > > Any ideas how to achieve this in other ways? > > > > On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote: > >> I've discovered I can use URLs for an IP address in pg_hba.conf, and > >> everything works ok if the host can be resolved. > >> > >> If it can't be resolved I get the error: > >> psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for > >> details > >> > >> And then all tcp/ip is denied. > >> > >> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access > >> shouldn't break if a URL can't be resolved? > > > > IMHO support for fqdn should be removed. > > > > 1. FQDN's are mostly resolved when the configuration is being loaded. > > So that data isn't going to change when the program is running or > > would you like to do a dns query for every connection you get? > > > > 2. How are you going to handle forward and reversed dns? Think about > > multiple A-records, fake or no reversed DNS, etc. > > > > 3. If fqdn is being checked when the db gets a connection people can > > break in when you only check reversed dns. > > > > 4. Who is going to ensure me that dns isn't compromised somewhere down > > the line? > > > > This are just a few things, but I'm wondering. > > -- > Randall Perry > sysTame > > Xserve Web Hosting/Co-location > Website Development/Promotion > Mac Consulting/Sales > > http://www.systame.com/ > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org >
Thanks for the input -- got a decision to make. -- Randall Perry sysTame Xserve Web Hosting/Co-location Website Development/Promotion Mac Consulting/Sales http://www.systame.com/
You may want to consider using another server to access your database(s) which is publically accessable and keep your databseserver access restricted. It would require controlling access with a middle layer such as Apache/ColdFusion, Apache/PHPor Apache/Perl but your database would probably be more secure and your mobile users would only need an SSL webbrowser. ----------------------------------------------------------------- Bernie LaSalle GCRC Informatics Core Director University of Utah 50 North Medical Drive Rm 4R210 SOM Salt Lake City, UT 84132 (801) 581-3670 >>> Randall Perry <rgp@systame.com> 05/09/03 07:51AM >>> Ok, those are valid points. What I'm trying to do is get access to the db for clients who are on the road using connections with dynamic IPs, from a PC running an MS Access db app. Dynamic DNS would have been an easy solution. Any ideas how to achieve this in other ways? > On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote: >> I've discovered I can use URLs for an IP address in pg_hba.conf, and >> everything works ok if the host can be resolved. >> >> If it can't be resolved I get the error: >> psql: FATAL: Missing or erroneous pg_hba.conf file, see postmaster log for >> details >> >> And then all tcp/ip is denied. >> >> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access >> shouldn't break if a URL can't be resolved? > > IMHO support for fqdn should be removed. > > 1. FQDN's are mostly resolved when the configuration is being loaded. > So that data isn't going to change when the program is running or > would you like to do a dns query for every connection you get? > > 2. How are you going to handle forward and reversed dns? Think about > multiple A-records, fake or no reversed DNS, etc. > > 3. If fqdn is being checked when the db gets a connection people can > break in when you only check reversed dns. > > 4. Who is going to ensure me that dns isn't compromised somewhere down > the line? > > This are just a few things, but I'm wondering. -- Randall Perry sysTame Xserve Web Hosting/Co-location Website Development/Promotion Mac Consulting/Sales http://www.systame.com/ ---------------------------(end of broadcast)--------------------------- TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org