On Thu, 2007-03-01 at 17:15 +0100, Martin Hierling wrote:
> Hi,
>
> > Don't know, but the suggested solution (1 password for all users when
> > connection comes from a specific IP) should not be so hard to implement.
>
> Absolutely a disaster. IP-locking is a secondary security mechanism at best.
>
> In general I agree, but in a controlled environment where you have
> firewall, static ARP, port security, anti-spoof stuff it is not that
> bad.

You are assuming 100% trust of the proxy to tell you the truth about which account it authenticated, without any actual key exchange. The potential for disaster here is huge! Of course you have to trust the auth server in some way, but it is necessary for security-in-depth to demand some additional checks every time.

Aaron
