Thread: Pg_hba and dynamic dns

Pg_hba and dynamic dns

From
Randall Perry
Date:
I've discovered I can use URLs for an IP address in pg_hba.conf, and
everything works ok if the host can be resolved.

If it can't be resolved I get the error:
psql: FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
details

And then all tcp/ip is denied.

That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access
shouldn't break if a URL can't be resolved?


--
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/


Re: Pg_hba and dynamic dns

From
Hans Spaans
Date:
On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote:
> I've discovered I can use URLs for an IP address in pg_hba.conf, and
> everything works ok if the host can be resolved.
>
> If it can't be resolved I get the error:
> psql: FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
> details
>
> And then all tcp/ip is denied.
>
> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access
> shouldn't break if a URL can't be resolved?

IMHO support for fqdn should be removed.

1. FQDN's are mostly resolved when the configuration is being loaded.
So that data isn't going to change when the program is running or
would you like to do a dns query for every connection you get?

2. How are you going to handle forward and reversed dns? Think about
multiple A-records, fake or no reversed DNS, etc.

3. If fqdn is being checked when the db gets a connection people can
break in when you only check reversed dns.

4. Who is going to ensure me that dns isn't compromised somewhere down
the line?

This are just a few things, but I'm wondering.

--
Hans


Re: Pg_hba and dynamic dns

From
Randall Perry
Date:
Ok, those are valid points.

What I'm trying to do is get access to the db for clients who are on the
road using connections with dynamic IPs, from a PC running an MS Access db
app. Dynamic DNS would have been an easy solution.

Any ideas how to achieve this in other ways?


> On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote:
>> I've discovered I can use URLs for an IP address in pg_hba.conf, and
>> everything works ok if the host can be resolved.
>>
>> If it can't be resolved I get the error:
>> psql: FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
>> details
>>
>> And then all tcp/ip is denied.
>>
>> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access
>> shouldn't break if a URL can't be resolved?
>
> IMHO support for fqdn should be removed.
>
> 1. FQDN's are mostly resolved when the configuration is being loaded.
> So that data isn't going to change when the program is running or
> would you like to do a dns query for every connection you get?
>
> 2. How are you going to handle forward and reversed dns? Think about
> multiple A-records, fake or no reversed DNS, etc.
>
> 3. If fqdn is being checked when the db gets a connection people can
> break in when you only check reversed dns.
>
> 4. Who is going to ensure me that dns isn't compromised somewhere down
> the line?
>
> This are just a few things, but I'm wondering.

--
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/


Re: Pg_hba and dynamic dns

From
Hans Spaans
Date:
On Fri, May 09, 2003 at 09:51:54AM -0400, Randall Perry wrote:
> Ok, those are valid points.
>
> What I'm trying to do is get access to the db for clients who are on the
> road using connections with dynamic IPs, from a PC running an MS Access db
> app. Dynamic DNS would have been an easy solution.
>
> Any ideas how to achieve this in other ways?

Don't do it. You need to look in another direction, because your
design is pretty lame. My design would be to use something like IPsec
to create a VPN between client and a router. This way all traffic is
encrypted, your ACL's aren't dynamic and you can safely control and
account who is accessing the data. This because the client becomes
part from the network.

Another suggestion, but proberly would cost more on the short term
and proberly will safe money on the long term is to build a 100%
webapp. This also can be safe by granting access based on SSL-keys and
username/password.

--
Hans


Re: Pg_hba and dynamic dns

From
"Josh Goldberg"
Date:
set them up with an ssh tunnel to the db server and connect with that.
That's how I have my suits access our intranet remotely.

----- Original Message -----
From: "Randall Perry" <rgp@systame.com>
To: "Hans Spaans" <pgsql-admin@lists.hansspaans.nl>;
<pgsql-admin@postgresql.org>
Sent: Friday, May 09, 2003 6:51 AM
Subject: Re: [ADMIN] Pg_hba and dynamic dns


> Ok, those are valid points.
>
> What I'm trying to do is get access to the db for clients who are on the
> road using connections with dynamic IPs, from a PC running an MS Access db
> app. Dynamic DNS would have been an easy solution.
>
> Any ideas how to achieve this in other ways?
>
>
> > On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote:
> >> I've discovered I can use URLs for an IP address in pg_hba.conf, and
> >> everything works ok if the host can be resolved.
> >>
> >> If it can't be resolved I get the error:
> >> psql: FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log
for
> >> details
> >>
> >> And then all tcp/ip is denied.
> >>
> >> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip
access
> >> shouldn't break if a URL can't be resolved?
> >
> > IMHO support for fqdn should be removed.
> >
> > 1. FQDN's are mostly resolved when the configuration is being loaded.
> > So that data isn't going to change when the program is running or
> > would you like to do a dns query for every connection you get?
> >
> > 2. How are you going to handle forward and reversed dns? Think about
> > multiple A-records, fake or no reversed DNS, etc.
> >
> > 3. If fqdn is being checked when the db gets a connection people can
> > break in when you only check reversed dns.
> >
> > 4. Who is going to ensure me that dns isn't compromised somewhere down
> > the line?
> >
> > This are just a few things, but I'm wondering.
>
> --
> Randall Perry
> sysTame
>
> Xserve Web Hosting/Co-location
> Website Development/Promotion
> Mac Consulting/Sales
>
> http://www.systame.com/
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>


Re: Pg_hba and dynamic dns

From
Randall Perry
Date:
Thanks for the input -- got a decision to make.

--
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/


Re: Pg_hba and dynamic dns

From
"Bernie LaSalle"
Date:
You may want to consider using another server to access your database(s) which is publically accessable and keep your
databseserver access restricted.  It would require controlling access with a middle layer such as Apache/ColdFusion,
Apache/PHPor Apache/Perl but your database would probably be more secure and your mobile users would only need an SSL
webbrowser. 



-----------------------------------------------------------------
Bernie LaSalle
GCRC Informatics Core Director
University of Utah
50 North Medical Drive  Rm 4R210  SOM
Salt Lake City, UT  84132
(801) 581-3670

>>> Randall Perry <rgp@systame.com> 05/09/03 07:51AM >>>
Ok, those are valid points.

What I'm trying to do is get access to the db for clients who are on the
road using connections with dynamic IPs, from a PC running an MS Access db
app. Dynamic DNS would have been an easy solution.

Any ideas how to achieve this in other ways?


> On Thu, May 08, 2003 at 06:40:14PM -0400, Randall Perry wrote:
>> I've discovered I can use URLs for an IP address in pg_hba.conf, and
>> everything works ok if the host can be resolved.
>>
>> If it can't be resolved I get the error:
>> psql: FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
>> details
>>
>> And then all tcp/ip is denied.
>>
>> That sucks -- means I can't use dynamic DNS. Anyone else think tcp/ip access
>> shouldn't break if a URL can't be resolved?
>
> IMHO support for fqdn should be removed.
>
> 1. FQDN's are mostly resolved when the configuration is being loaded.
> So that data isn't going to change when the program is running or
> would you like to do a dns query for every connection you get?
>
> 2. How are you going to handle forward and reversed dns? Think about
> multiple A-records, fake or no reversed DNS, etc.
>
> 3. If fqdn is being checked when the db gets a connection people can
> break in when you only check reversed dns.
>
> 4. Who is going to ensure me that dns isn't compromised somewhere down
> the line?
>
> This are just a few things, but I'm wondering.

--
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/


---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org