Re: CIDR in pg_hba.conf - Mailing list pgsql-hackers

From Kurt Roeckx
Subject Re: CIDR in pg_hba.conf
Date
Msg-id 20030508225958.GA22657@ping.be
In response to Re: CIDR in pg_hba.conf  (Matthew Kirkwood <matthew@hairy.beasts.org>)
Responses Re: CIDR in pg_hba.conf
List pgsql-hackers
On Thu, May 08, 2003 at 11:01:16PM +0100, Matthew Kirkwood wrote:
> On Thu, 8 May 2003, Larry Rosenman wrote:
> 
> > >> a paranoid lookup:  name->ip->name and make sure it's sane.
> > >> (My abuse/security/paranoid hat).
> > >
> > > If you're being paranoid, why use hostnames at all?
> >
> > My point.  But, if we are going to allow hostnames, we ought to make
> > sure the userbase (and us) understand the holes.
> 
> But _there are none_ if you only do forward lookups.

There are.  You can even make an authoritative nameserver return
a wrong answer.

It can only make sense if you only look it up once on start up
(or rehash), but then what is the point of it?  And even that is
questionable.

You should NEVER do authentication based on a hostname.  You
can't even always rely on an IP address (or MAC address).


Kurt
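
Added example, not part of Kurt's message or of PostgreSQL: a sketch of how the rule types discussed in this thread reach a decision, to show which of them change when a name lookup returns a wrong answer. The host names, the addresses (documentation ranges), the resolver tables and all function names are constructed for illustration.

```python
import ipaddress

def cidr_rule_matches(peer_ip, cidr):
    """Address-based rule: computed from the connection's source address only."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)

def hostname_rule_matches(peer_ip, hostname, forward):
    """Forward-only rule: resolve the configured name, compare with the peer."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer == ipaddress.ip_address(a) for a in forward(hostname))

def paranoid_rule_matches(peer_ip, hostname, forward, reverse):
    """name -> ip -> name: the matched address must also map back to the name."""
    if not hostname_rule_matches(peer_ip, hostname, forward):
        return False
    return reverse(peer_ip).rstrip(".").lower() == hostname.rstrip(".").lower()

# Constructed resolver data standing in for DNS answers (no network access).
HONEST_A = {"client.example.org": ["192.0.2.10"]}
WRONG_A = {"client.example.org": ["198.51.100.7"]}  # same name, wrong answer
PTR = {"192.0.2.10": "client.example.org.",
       "198.51.100.7": "other.example.net."}

def reverse(ip):
    return PTR.get(ip, "")

def evaluate(peer_ip, a_table):
    """Return (cidr, forward_only, paranoid) decisions for one peer address."""
    forward = lambda name: a_table.get(name, [])
    return (cidr_rule_matches(peer_ip, "192.0.2.0/24"),
            hostname_rule_matches(peer_ip, "client.example.org", forward),
            paranoid_rule_matches(peer_ip, "client.example.org", forward, reverse))

if __name__ == "__main__":
    for label, table in (("honest", HONEST_A), ("wrong answer", WRONG_A)):
        for peer in ("192.0.2.10", "198.51.100.7"):
            print(f"{label:13} {peer:13} {evaluate(peer, table)}")
```

With the wrong forward answer, the forward-only rule admits 198.51.100.7 and rejects the intended client, while the CIDR decision is unchanged. The paranoid rule rejects here only because the constructed PTR table is still correct; it is also a function of DNS answers.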


