On Sun, Jun 15, 2008 at 11:56:35PM +0200, Peter Eisentraut wrote:
> It would probably be a good idea to check how other programs deal with
> hostname lookups during authentication. Programs like SSH, Apache, and Squid
> come to mind.

There is actually a great deal of controversy about most of this hostname-based authentication, particularly in the absence of DNSSEC. If anyone implementing this is interested in the controversy, I have a huge mail archive of it (because I'm the current editor of the IETF working group document on this, and therefore have received much hate mail on the topic). I think it's all summarised in the draft[1] I mentioned upthread.

Since that's possibly about to go to IETF last call, it'd be a good time for someone planning to implement something to look at that document, and report on whether it provides any useful guidance at all. I'd be keenly interested in hearing the verdict.

A

[1] http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-reverse-mapping-considerations/

--
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/