On 9 August 2010 19:47, Peter Eisentraut <pete...@gmx.net> wrote:
> Here is a patch for host name support in pg_hba.conf. I have reviewed
> various past threads about this, and there appeared to have been a 50/50
> split of for and against reverse lookup. I went with the reverse
> lookup, because
>
> 0) I like it.
>
> 1) It is more secure.
>
> 2) It allows extending it to wildcards in the future.
>
> 3) Apache (Allow from) does it that way.
>
> To clarify how it works: The client's IP address (known from the
> kernel) is reverse looked up, which results in a host name. That host
> name is compared with the line in pg_hba.conf. If it matches, a forward
> lookup is performed on the host name to check if any of the resulting IP
> addresses match the client's IP address. If yes, the line is considered
> to match and the authentication method is selected.
>
> Anyway, assuming we will go with this, you will also notice that in the
> patch I changed the default pg_hba.conf to match against "localhost"
> instead of numeric addresses. Initially thought of as a temporary
> change for testing this patch, I think this might actually have some
> permanent value because it saves you from having to change the IPv4 and
> IPv6 lines in tandem most of the times, which is a moderately common
> mistake. We already rely on localhost being (forward) resolvable for
> the stats collector.
>
> Something to think about: Maybe we need a quoting mechanism in case
> someone names their hosts "samenet".
>
>
> --
A couple things:

+      matches. This field can contain either a host name, an IP
+      address range, one of the special key words mentioned below.
+     </para>

s/, one/, or one/

+      If a host name is specified (anything that is not an IP address
+      or a special key word is processed as a potential host name), a
+      reverse DNS lookup is performed on the client's IP address,
+      then a forward DNS lookup on the resulting name to check if it
+      matches the original IP address (that is, at least one of the
+      potentially many IP addresses matches the original one), and
+      the name found in the reverse lookup is compared with the
+      specified host name.

That's one loooong sentence!

--
Thom Brown
Registered Linux user: #516935

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
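Review bot: The second hunk describes the steps in a different order from the quoted message: the message compares the reverse-lookup name with the pg_hba.conf line first and performs the forward lookup only when that name matches, whereas the documentation text puts the forward lookup before the name comparison. The documentation should state the order the code actually uses, for example "a reverse DNS lookup is performed on the client's IP address and the resulting name is compared with the specified host name; if it matches, a forward DNS lookup on that name must return the client's IP address for the line to match." Splitting it that way also resolves the sentence-length problem raised above.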
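The reverse-then-forward check described in the quoted message, written out as an added example in Python. This is not code from the patch or from PostgreSQL; the DNS resolver is replaced by constructed in-memory PTR and forward tables so it runs offline, the `samehost`/`samenet` keywords are left out, and the function names, the case-insensitive name comparison and the trailing-dot handling are assumptions of this example.

```python
import ipaddress

# Constructed sample DNS data for this example (not real records).
# PTR_RECORDS maps a client address to the name a reverse lookup would return;
# FORWARD_RECORDS maps a name to the addresses a forward lookup would return.
PTR_RECORDS = {
    "192.0.2.10": "db-client.example.com",
    # This PTR record claims the trusted name, but the forward lookup of that
    # name does not list 192.0.2.11, so the line must not match.
    "192.0.2.11": "db-client.example.com",
    "127.0.0.1": "localhost",
    "::1": "localhost",
}
FORWARD_RECORDS = {
    "db-client.example.com": ["192.0.2.10", "2001:db8::10"],
    "localhost": ["127.0.0.1", "::1"],
}


def normalize_name(name):
    # Assumption of this example: names compare case-insensitively and a
    # trailing dot (absolute name) is not significant.
    return name.rstrip(".").lower()


def hostname_matches(client_ip, spec, ptr=PTR_RECORDS, fwd=FORWARD_RECORDS):
    """Return True when the pg_hba.conf host name `spec` matches `client_ip`.

    Same order as the quoted message: reverse-look up the client address,
    compare the resulting name with the configured one, and only then confirm
    with a forward lookup that the name really resolves back to the client.
    The forward step is what stops a client that controls only its own PTR
    record from claiming an arbitrary trusted name.
    """
    client = ipaddress.ip_address(client_ip)
    name = ptr.get(str(client))
    if name is None or normalize_name(name) != normalize_name(spec):
        return False
    candidates = fwd.get(normalize_name(name), [])
    return any(ipaddress.ip_address(a) == client for a in candidates)


def hba_address_matches(client_ip, spec, ptr=PTR_RECORDS, fwd=FORWARD_RECORDS):
    """Dispatch one pg_hba.conf address field.

    `all` matches everything, an IP address or CIDR range is matched
    numerically, and anything else is treated as a potential host name
    (as the patch's documentation text says).
    """
    if spec == "all":
        return True
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return hostname_matches(client_ip, spec, ptr, fwd)
    return ipaddress.ip_address(client_ip) in network


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "db-client.example.com"),
        ("192.0.2.11", "db-client.example.com"),
        ("127.0.0.1", "localhost"),
        ("::1", "localhost"),
        ("203.0.113.5", "192.0.2.0/24"),
    ]
    for ip, spec in cases:
        print(f"{ip:>14}  {spec:<24} -> {hba_address_matches(ip, spec)}")
```

The `192.0.2.11` case is the one worth watching: its PTR record names the trusted host, so a check that stopped after the reverse lookup would accept it, while the forward confirmation rejects it. The `localhost` cases show the point about the default pg_hba.conf: both `127.0.0.1` and `::1` reverse to `localhost` and `localhost` forward-resolves to both, so one line covers both address families.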