Re: libpq should not look up all host addresses at once

2018-08-14 Thread Garick Hamlin 
On Tue, Aug 14, 2018 at 12:24:32PM +0200, Fabien COELHO wrote:
> 
> Hello Tom,
> 
> >>As you noted in another message, a small doc update should be needed.
> >
> >Check.  Proposed doc patch attached.  (Only the last hunk is actually
> >specific to this patch, the rest is cleanup that I noticed while looking
> >around for possibly-relevant text.)
> 
> Doc build is ok.
> 
> Some comments that you may not find all useful, please accept my apology, it
> just really shows that I read your prose in some detail:-)
> 
> The mention of possible reverse dns queries has been removed... but I do not
> think there was any before? There could be if only hostaddr is provided but
> a hostname is required by some auth, but it does not seem to be the case
> according to the documentation.
> 
> I read the rational of the host/hostaddr artificial mapping. I cannot say
> I'm thrilled with the result: I do not really see a setting where avoiding a
> DNS query is required but which still needs a hostname for auth... If you
> have GSSAPI or SSPI then you have an underlying network, in which a dns
> query should be fine.

FWIW, I think this is useful even it will be uncommon to use.  I run
some HA services here and I find I use this kind of functionality all
the time to test if a standby node functioning properly.  openssh 
GSSAPIServerIdentity does this.  curl does this via '--resolve'.  In
both cases one can check the name authenticates properly via TLS or
GSSAPI while connecting to an IP that is not production.  

The IP might float via VRRP or EIP in AWS, or it might be a service
local OOB network and the frontend might be a load balancer like haproxy.

FWIW, I am not using this for PG today, but this kind of feature is
definitely nice to have for alarming and HA.  It lets proper analysis
happen.  This way not everyone to be called when the local DNS resolver
fails and just the DNS-people can get the 2am call.

Anyway, if it's not a big burden, I suggest you keep it, IIUC.
This kind of thing is really handy especially since today's cloudy-stuff
means one often gets all-the-nat whether one wants it or not.

Garick

Re: Allow COPY's 'text' format to output a header

2018-05-14 Thread Garick Hamlin 
On Mon, May 14, 2018 at 09:37:07AM +0900, Michael Paquier wrote:
> On Sun, May 13, 2018 at 07:01:00PM -0400, David Steele wrote:
> > This patch makes sense to me and looks reasonable.
> 
> One "potential" problem is if a relation has a full set of column which
> allows the input of text-like data: if the header has been added with
> COPY TO, and that the user forgets to add again the header option with
> COPY FROM, then an extra row will be generated but there is the same
> problem with CSV format :)

Yeah, I wonder if that can be addressed.  

I wonder if there was a way to let COPY FROM detect or ignore headers
as appropriate and rather than cause silently result in headers being
added as data.

Maybe a blank line after the header line could prevent this confusion?

Garick

Re: disable SSL compression?

2018-04-02 Thread Garick Hamlin 
On Mon, Apr 02, 2018 at 12:46:25PM -0400, Tom Lane wrote:
> Peter Eisentraut  writes:
> > I agree the attack is less likely to be applicable in typical database
> > installations.  I think we should move forward with considering protocol
> > compression proposals, but any final result should put a warning in the
> > documentation that using compression is potentially insecure.
> 
> It seemed like the attack you described wasn't all that dependent on
> whether the data is compressed or not: 

I think it is.  
I wrote something longer about this in 2013.
https://www.postgresql.org/message-id/20130115172253.ga6...@isc.upenn.edu

The key idea is you can now to a radix search of a secret rather than a
single 1-bit match/doesn't match oracle type attack which is not
feasible when you have an high entropy low density value like a big
ascii number or hex string.

I do something like set my preferred email (or anything an application
lets a user change) to something like a3bf and keep extending the guess
as I go and sometimes I compress along with the secret and rather than
have to guess a whole application session id all at once and have a work
factor of O(2^128) or something I've got a very tractable search.

It might not be something that a problem for everyone, but in some
situations it's attackable.

Garick