From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Mark Woodward <pgsql(at)mohawksoft(dot)com> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, mark(at)mark(dot)mielke(dot)cc, Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Why don't we allow DNS names in pg_hba.conf? |
Date: | 2006-02-13 20:07:09 |
Message-ID: | 43F0E6ED.5030906@dunslane.net |
Lists: | pgsql-hackers |
Mark Woodward wrote:
>>Mark Woodward wrote:
>>
>>>>If I am a road warrior I want to be able to connect, run my dynamic dns
>>>>client, and go.
>>>
>>>In your scenario of working as a road warrior, you are almost
>>>certainly not going to be able to have a workable DNS host name unless you
>>>have a raw internet IP address. More than likely you will have an IP
>>>address (known to your laptop) as a 192 or 10 address.
>>
>>Nonsense. There is a dynamic DNS client that is quite smart enough to
>>find out and use the gateway address. See:
>>http://ddclient.sourceforge.net/
>>
>>I'm sure there are others, including some for Windows.
>
>But then, there is another problem, if you don't have a real and true IP
>address, if you are on anonymous 192 or 10 net (most likely the case),
>then your dynamic DNS entry allows EVERYONE on your network the same
>access.
>
>I still say an SSH tunnel with port forwarding is more secure, besides you
>can even compress the data stream.

And then you have to allow shell access. What's wrong with SSL with
client certificates?

Personally, I doubt there's any great use case for DNS names. Like Tom
says, if it involves much more than removing the AI_NUMERICHOST hint
then let's forget it.

(I also agree with a point Jan sometimes makes - that end client s/w
generally should not be talking to the db at all - that's what
middleware is for. Then this whole discussion becomes moot.)

cheers

andrew