(2010/10/12 3:34), Peter Eisentraut wrote:
> On tor, 2010-10-07 at 12:45 +0900, KaiGai Kohei wrote:
>> * The logic is still unclear for me.
>>
>> The check_hostname() immediately returns with false, if the resolved
>> remote hostname is NOT matched with the hostname described in pg_hba.conf.
>
>> If the resolved hostname is matched with the hostname described
>> in pg_hba.conf, we can consider this HbaLine to be a suitable
>> configuration without any fallbacks. Right?
>> It so, it should be as follows:
>>
>> if (strcmp(port->remote_hostname, hostname) == 0)
>> return true;
>>
>> In addition, we should go the rest of fallback code on mismatch
>> cases only, don't we?
>
> The code below that is not a fallback, it is the second part of the
> double DNS lookup that has been extensively discussed throughout this
> thread. The logic is
>
> get hostname from client's IP address
> strcmp hostname to pg_hba.conf
> get IP address from hostname
> if that IP address == client's IP address; then pg_hba.conf entry OK
>
Sorry, I missed what you introduced at the head of this thread.
When an entry passes the checks, this routine always checks both of
directions for the supplied entries.
BTW, I have one other question.
Is it really necessary to check reverse dns entries?
If check_hostname() compares remote address of the client and all
the candidates retrieved using getaddrinfo() for the hostname in
pg_hba.conf line (not port->remote_hostname), it seems to me we don't
need to set up reverse dns entries.
A typical ISP often doesn't assign reverse dns entries for cheap class
rental server being shared by multiple users, for instance. It seem to
me this idea allows to apply this new feature more widely.
# Let's try nslookup to www.kaigai.gr.jp, and its retrieved address. :-)
Of course, it is just my idea. If dislike it, please ignore it.
>> * Why getnameinfo() in the fallback loop?
>
> I checked through my git history; this was actually a leftover from some
> debugging code. I'll remove it.
>
>> * Slash ('/') after the hostname
>>
>> At the parse_hba_line(), the parsed token which contains either
>> hostname or cidr address is sliced into two parts on the first '/'
>> character, if exist.
>> Then, even if cidr_slash is not NULL, it shall be ignored when
>> top-half of the token is hostname, not numeric address.
>
> OK, I'll fix that.
>
>
>
--
KaiGai Kohei <kai...@ak.jp.nec.com>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
