* Andrew Sullivan (ajs@commandprompt.com) wrote:
> On Mon, Jun 16, 2008 at 11:47:21AM +0200, Peter Eisentraut wrote:
> > I'm a bit curious how useful in practice this would actually be. Obviously,
> > you want to use host names to simplify the management of hosts, currently
> > being done with IP addresses. But how widely useful is it really to
> > authenticate a bunch of hosts in different ways? I'd say the standard case
> > is localhost vs everything else. Or perhaps localhost vs LAN vs rest of the
> > Internet. In neither of these cases, using host names helps much.

There's an important use case that you've not listed - differentiating
authentication types by hosts. For example, I have some systems which
are inside of my Kerberos realm and you should be using kerberos/gssapi
to auth to the databases from there, but I don't control everything and
so have to make exceptions for systems which need to connect but can't
use Kerberos for one reason or another. The same also ends up being
true of applications (most notably Java-based ones, though that should
get better with GSSAPI support getting into JDBC and my moving to 8.3)
where users can't auth with kerberos/gssapi. That tends to be most
easily managed on a per-host basis as well.

Additionally, we have systems with sensitive data on them where we like
to layer the security, and one of those is to say "users with admin
rights can connect from these hosts, while other users can only connect
from their systems". All of these systems are behind NAT'ing devices or
are using RFC 1918 addressing as an isolated network so it's not clear
to me that using host names will help me in the IPv4 world. We're
working with IPv6 though and are bringing up services on it and I expect
we will have to go through a renumbering before we run anything
production on IPv6, so being able to use host names at that point would
be nice. Not as the only authentication mechanism, but as an additional
layer that an intruder would have to deal with. We have DNSSEC running
also, and IPSEC, which lends security to the DNS service such that
forging DNS would be at least non-trivial.

All that said, we could drive it off some config option, I suppose. I'm
not sure if that will satisfy those concerned about depending on
anything DNS, but it would limit the performance concerns, I'd think.

Thanks,
Stephen
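
The per-host layering described in the message above, as an added example that is not part of the original post: a simplified model of pg_hba.conf first-match evaluation, where admin-role members are accepted only from a management subnet, realm hosts use gss, and one non-Kerberos host gets an md5 exception. The addresses, the `admins` role name and the helper functions are constructed for illustration.

```python
import ipaddress

# Constructed pg_hba.conf records (addresses and role name are assumptions).
# Columns: TYPE DATABASE USER ADDRESS METHOD. "+admins" = members of role admins.
PG_HBA = """
host  all  +admins  10.10.5.0/28     gss     # admins: management hosts only
host  all  +admins  0.0.0.0/0        reject  # admins from anywhere else
host  all  all      10.10.0.0/16     gss     # hosts inside the Kerberos realm
host  all  all      192.168.7.20/32  md5     # exception: host that cannot do Kerberos
"""

def parse(text):
    """Parse the records into tuples, dropping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        conn_type, database, user, address, method = line.split()[:5]
        rules.append((conn_type, database, user,
                      ipaddress.ip_network(address), method))
    return rules

def user_matches(field, user, roles):
    """'all' matches anyone, '+name' matches role members, else exact name."""
    if field == "all":
        return True
    if field.startswith("+"):
        return field[1:] in roles
    return field == user

def auth_method(rules, user, roles, client_ip, database="postgres"):
    """Return the method of the first matching record; later ones are ignored."""
    ip = ipaddress.ip_address(client_ip)
    for _type, db, ufield, net, method in rules:
        if db not in ("all", database):
            continue
        if user_matches(ufield, user, roles) and ip in net:
            return method
    return "reject"  # no matching record: the connection is refused

RULES = parse(PG_HBA)
```

Record order carries the policy: the `reject` line for `+admins` has to sit above the general realm line, or an admin account would be accepted from any realm host.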