Discussion: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification


Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
"dennisr@visi.com"
Date:
From reading the docs it looks like a CNAME will not in general work as a hostname specification in pg_hba.conf.  Is that a correct interpretation of the documentation?

From the docs (https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html):

If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (e.g., forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client's IP address. If both directions match, then the entry is considered to match. (The host name that is used in pg_hba.conf should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.)



Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
Scott Whitney
Date:

Honestly, if your DNS is properly set up, it should work fine, yes.


From: pgsql-admin-owner@postgresql.org <pgsql-admin-owner@postgresql.org> on behalf of dennisr@visi.com <dennisr@visi.com>
Sent: Monday, December 5, 2016 3:49 PM
To: pgsql-admin@postgresql.org
Subject: [ADMIN] Are dns CNAME's allowed or useable in pg_hba.conf hostname specification
 
From reading the docs it looks like a CNAME will not in general work as a hostname specification in pg_hba.conf.  Is that a correct interpretation of the documentation?

From the docs (https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html):

If a host name is specified (anything that is not an IP address range or a special key word is treated as a host name), that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used). Host name comparisons are case insensitive. If there is a match, then a forward name resolution (e.g., forward DNS lookup) is performed on the host name to check whether any of the addresses it resolves to are equal to the client's IP address. If both directions match, then the entry is considered to match. (The host name that is used in pg_hba.conf should be the one that address-to-name resolution of the client's IP address returns, otherwise the line won't be matched. Some host name databases allow associating an IP address with multiple host names, but the operating system will only return one host name when asked to resolve an IP address.)



--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin


Journyx, Inc.
7600 Burnet Road #300
Austin, TX 78757
www.journyx.com

p 512.834.8888 
f 512-834-8858 


Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
"David G. Johnston"
Date:
It's conventional to bottom (or inline) post on these forums.

On Mon, Dec 5, 2016 at 2:56 PM, Scott Whitney <scott@journyx.com> wrote:

Honestly, if your DNS is properly set up, it should work fine, yes.

I don't understand how placing a non-canonical host name in the pg_hba.conf can ever result in the following condition being true:

"If a host name is specified [...] that name is compared with the result of a reverse name resolution of the client's IP address (e.g., reverse DNS lookup, if DNS is used)."

David J.

Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
"dennisr@visi.com"
Date:
Thanks for the quick reply.  Here’s some details on how we have things configured.

We are using RHEL 7.3,  the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view.

If I do a nslookup on the database host against the following CNAME some-cname-host.example.com I get:

$> nslookup  some-cname-host.example.com
Server:             10.97.40.215
Address:          10.97.40.215#53

some-cname-host.example.com         canonical name = canonical-host-name.example.com.
Name: canonical-host-name.example.com
Address: 10.65.160.213
 
When I do the reverse lookup on the IP address return above I get the following:

$> nslookup 10.65.160.213
Server:             10.97.40.215
Address:          10.97.40.215#53

213.160.65.10.in-addr.arpa    name = canonical-host-name.example.com.


In our pg_hba.conf I have a line:

# TYPE DATABASE  USER ADDRESS METHOD
hostssl replication streaming_user_name  some-cname-host.example.com

But when I try to connect as the streaming_user_name with the following command, I get the following error (postgresql_hostname is the host where I ran the nslookups above):

bash-4.2$ psql -U streaming_user_name -h postgresql_hostname   -c "IDENTIFY_SYSTEM"   replication=1
psql: FATAL:  no pg_hba.conf entry for replication connection from host "10.65.160.213", user "streaming_user_name", SSL on
FATAL:  no pg_hba.conf entry for replication connection from host "10.65.160.213", user "streaming_user_name", SSL off

So I am not sure what I would need to fix or add on the database host to allow it to resolve the CNAME in a way the postgres instance could use it and have it pass the validation rules from the documentation.  Am I missing something in the DNS configurations?


On Dec 5, 2016, at 3:56 PM, Scott Whitney <scott@journyx.com> wrote:

Honestly, if your DNS is properly set up, it should work fine, yes.


Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
Tom Lane
Date:
"dennisr@visi.com" <dennisr@visi.com> writes:
> Thanks for the quick reply.  Here’s some details on how we have things configured.
> We are using RHEL 7.3,  the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view.

> If I do a nslookup on the database host against the following CNAME some-cname-host.example.com I get:

>     $> nslookup  some-cname-host.example.com
>     Server:             10.97.40.215
>     Address:          10.97.40.215#53

>     some-cname-host.example.com         canonical name = canonical-host-name.example.com.
>     Name: canonical-host-name.example.com
>     Address: 10.65.160.213

> When I do the reverse lookup on the IP address return above I get the following:

>     $> nslookup 10.65.160.213
>     Server:             10.97.40.215
>     Address:          10.97.40.215#53

>     213.160.65.10.in-addr.arpa    name = canonical-host-name.example.com.

Given that, what you would have to put in pg_hba.conf is
canonical-host-name.example.com (and that needs to forward-resolve to
10.65.160.213, and possibly other addresses as well).  This cross-check
is meant to prevent getting into a PG server by means of a faked
reverse-DNS entry.

(If you're wondering why we don't simply accept anything that
some-cname-host.example.com forward-maps to, it's for performance reasons:
that would require resolving every DNS name in pg_hba.conf to see if it
matches, which could be pretty awful with long pg_hba.conf files.)

            regards, tom lane
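
The two-way check Tom describes, re-implemented below as an added example (this is not PostgreSQL's own hba.c). It runs against a constructed in-memory zone copied from the nslookup output earlier in the thread, so no real DNS is queried: the CNAME entry fails because reverse resolution returns the canonical name, the canonical entry passes, and a constructed forged PTR record fails because the forward lookup of the claimed name does not contain the client's address.

```python
# Added example, not PostgreSQL's own hba.c: the documented pg_hba.conf
# host-name check, run against constructed records copied from the thread's
# (anonymised) nslookup output. No real DNS is queried.
from typing import Dict, List, Optional

PTR: Dict[str, str] = {"10.65.160.213": "canonical-host-name.example.com"}
CNAME: Dict[str, str] = {"some-cname-host.example.com": "canonical-host-name.example.com"}
A: Dict[str, List[str]] = {"canonical-host-name.example.com": ["10.65.160.213"]}

def reverse_lookup(ip: str, ptr: Dict[str, str]) -> Optional[str]:
    """Address-to-name: like the OS resolver, yields a single name (or None)."""
    return ptr.get(ip)

def forward_lookup(name: str, cname: Dict[str, str], a: Dict[str, List[str]]) -> List[str]:
    """Name-to-address: chase the CNAME chain, then return the A records."""
    seen = set()
    while name in cname and name not in seen:  # guard against CNAME loops
        seen.add(name)
        name = cname[name]
    return a.get(name, [])

def hba_host_matches(client_ip: str, hba_name: str,
                     ptr=PTR, cname=CNAME, a=A) -> bool:
    """Both directions must agree, as the pg_hba.conf documentation states."""
    rev = reverse_lookup(client_ip, ptr)
    if rev is None:
        return False
    rev, want = rev.lower(), hba_name.lower()  # comparisons are case-insensitive
    # A leading dot in pg_hba.conf matches a suffix of the reverse-resolved name.
    if not (rev.endswith(want) if want.startswith(".") else rev == want):
        return False
    # Forward-resolve the matched name and insist the client's address is listed.
    target = rev if want.startswith(".") else want
    return client_ip in forward_lookup(target, cname, a)

def thread_scenarios() -> Dict[str, bool]:
    """The thread's CNAME entry, the canonical-name fix, and a forged-PTR case."""
    client = "10.65.160.213"
    # Constructed: an address whose PTR claims the trusted name, but whose
    # forward A record does not list it; the cross-check rejects it.
    forged_ptr = {**PTR, "10.65.160.99": "canonical-host-name.example.com"}
    return {
        "cname_entry": hba_host_matches(client, "some-cname-host.example.com"),
        "canonical_entry": hba_host_matches(client, "Canonical-Host-Name.example.com"),
        "suffix_entry": hba_host_matches(client, ".example.com"),
        "forged_reverse": hba_host_matches("10.65.160.99",
                                           "canonical-host-name.example.com", ptr=forged_ptr),
    }
```

The suffix form (a pg_hba.conf name beginning with a dot) is also exercised, since it is the documented way to match several hosts without listing each canonical name.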


Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
"dennisr@visi.com"
Date:
> On Dec 5, 2016, at 5:15 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> "dennisr@visi.com" <dennisr@visi.com> writes:
>> Thanks for the quick reply.  Here’s some details on how we have things configured.
>> We are using RHEL 7.3,  the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view.
>
>> If I do a nslookup on the database host against the following CNAME some-cname-host.example.com I get:
>
>>     $> nslookup  some-cname-host.example.com
>>     Server:             10.97.40.215
>>     Address:          10.97.40.215#53
>
>>     some-cname-host.example.com         canonical name = canonical-host-name.example.com.
>>     Name: canonical-host-name.example.com
>>     Address: 10.65.160.213
>
>> When I do the reverse lookup on the IP address return above I get the following:
>
>>     $> nslookup 10.65.160.213
>>     Server:             10.97.40.215
>>     Address:          10.97.40.215#53
>
>>     213.160.65.10.in-addr.arpa    name = canonical-host-name.example.com.
>
> Given that, what you would have to put in pg_hba.conf is
> canonical-host-name.example.com (and that needs to forward-resolve to
> 10.65.160.213, and possibly other addresses as well).  This cross-check
> is meant to prevent getting into a PG server by means of a faked
> reverse-DNS entry.
>
> (If you're wondering why we don't simply accept anything that
> some-cname-host.example.com forward-maps to, it's for performance reasons:
> that would require resolving every DNS name in pg_hba.conf to see if it
> matches, which could be pretty awful with long pg_hba.conf files.)
>
>             regards, tom lane
>

OK thanks, sadly not the answer I was hoping for though.

My preference is to use a network address for this stuff but I was overruled and needed to use a host specific name or address in the config file. I wanted to use a CNAME in place of the A or PTR records so that in the event we ever have to rebuild a new WAL receiver, I would only need to repoint the CNAME in the DNS system and avoid the possibility of updating a few hundred pg_hba.conf’s with a new IP address or hostname (this is a private cloud environment I am working with so I don’t have a lot of control over hostnames of the nodes they give me or even the networks the node is placed in.)

Dennis





Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From
Peter Eisentraut
Date:
On 12/5/16 7:09 PM, dennisr@visi.com wrote:
> My preference is to use a network address for this stuff but I was overruled and needed to use a host specific name or address in the config file. I wanted to use a CNAME in place of the A or PTR records so that in the event we ever have to rebuild a new WAL receiver, I would only need to repoint the CNAME in the DNS system and avoid the possibility of updating a few hundred pg_hba.conf’s with a new IP address or hostname (this is a private cloud environment I am working with so I don’t have a lot of control over hostnames of the nodes they give me or even the networks the node is placed in.)

Note that the IP addresses in pg_hba.conf are not really by themselves a
primary security measure, because the source IP addresses in the same
network are (potentially) under control of the source host.  Their
purpose is rather to allow different classes of hosts to use different
authentication mechanisms.  For example, newer hosts might use SSL,
older hosts passwords.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services