* Jim Nasby (j...@nasby.net) wrote:
> On 2/14/14, 8:36 AM, Stephen Frost wrote:
> >* Bruce Momjian (br...@momjian.us) wrote:
> >>In an ideal world we would have a tool where you could plug in a
> >>username, database, IP address, and test pg_hba.conf file and it would
> >>report what line is matched.
> >
> >That's not a bad idea, but we don't expose the logic that figures that
> >out today..  It would, perhaps, not be horrible to duplicate it, but
> >then we'd need to make sure that we update both places if it ever
> >changes (not that it's changed much in oh-so-many-years).  Perhaps
> >another candidate to be a GSoC project.
>
> Stupid question... is there a reason we couldn't use the same code for both?

It'd just be a matter of shifting things around to make that work.  I'm
not against it, but this code is hardly of general or common use.

> BTW, I'm not sure that SQL would be the appropriate API for this testing; but
> presumably it wouldn't be hard to add functionality to the wire protocol to
> support the case of "hypothetically, if I were to attempt a connection that
> looks like this, what would happen?"

Well, we have that, and it's "just do it" and you'll see.  Making that
easier to determine would have to be done post-authentication anyway,
lest we make it easier for would-be attackers, and at that point I'm not
sure that there's much benefit in having something in the protocol for
this rather than just a handy SQL function, which people who care about
these things are probably going to be pretty familiar with anyway..

	Thanks,

		Stephen
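The offline tester described in the quoted text (username, database, IP address and a test pg_hba.conf in, matched line out), sketched as an added example that is not part of the thread and not PostgreSQL's own matching code. The names `parse_hba` and `match_hba` and the sample file are constructed for illustration, and it assumes a simplified rule set: only `local` and `host` records, CIDR addresses, and `all`, `sameuser` or comma-separated names in the database and user columns.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER        ADDRESS          METHOD
local   all       postgres                     peer
host    appdb     app,report  10.0.0.0/8       md5
host    all       all         10.1.2.0/24      reject
host    sameuser  all         192.168.0.0/16   md5
host    all       all         0.0.0.0/0        reject
"""

def parse_hba(text):
    """Return a list of (lineno, type, databases, users, network, method)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conntype = fields[0]
        if conntype == "local":          # local rules have no ADDRESS column
            db, user, method = fields[1:4]
            net = None
        elif conntype == "host":
            db, user, addr, method = fields[1:5]
            net = ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"line {lineno}: type {conntype!r} not handled here")
        rules.append((lineno, conntype, db.split(","), user.split(","), net, method))
    return rules

def match_hba(rules, user, database, client_ip=None):
    """Return (lineno, method) of the first rule that matches, else None.

    client_ip=None means a Unix-socket connection.
    """
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for lineno, conntype, dbs, users, net, method in rules:
        if (conntype == "local") != (ip is None):
            continue                     # socket vs. TCP mismatch
        if ip is not None and ip not in net:
            continue                     # also False when IPv4/IPv6 differ
        db_ok = "all" in dbs or database in dbs or (
            "sameuser" in dbs and database == user)
        if db_ok and ("all" in users or user in users):
            return lineno, method        # first match wins; later lines ignored
    return None

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for who in [("app", "appdb", "10.1.2.5"), ("bob", "appdb", "10.1.2.5")]:
        print(who, "->", match_hba(rules, *who))
```

In the sample, `app` connecting from 10.1.2.5 is matched by line 3 even though line 4 rejects that subnet, which is the kind of rule shadowing such a tester makes visible before the file is deployed.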