On Sun, Jan 01, 2006 at 02:50:37PM -0400, Marc G. Fournier wrote:
> Employee adds his DNS to pg_hba.conf, becomes disgruntled employee, moves
> to different IP and same name, and can still access your database?
I think it depends how you do the check. You can either do a forward lookup from the name and match that to the IP. Or you can do a reverse lookup on the IP to match the name. Or both. To work around either requires hijacking DNS, but which servers varies. If you've got the entries in /etc/hosts that makes hijacking harder.

I'm thinking something like tcpwrappers would be an example here. They have a paranoid mode where your reverse and forward have to match. Something to consider.

For the user in the referred-to thread: SSH tunnelling. I wonder if there's a way we can make that easier to set up...

Have a nice day,
-- 
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
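The three flavours of check discussed in the message above (forward-only, reverse-only, and forward and reverse having to agree, as in tcpwrappers' paranoid mode), as an added Python example that is not from the thread or from PostgreSQL. The DNS data, host names, addresses and function names are constructed for illustration; the live_* helpers show the same interface over the system resolver and are not exercised here.

```python
import socket

# Constructed DNS data for the example (not real hosts). 192.0.2.10 is the
# employee's original workstation. 198.51.100.7 is the address they moved to
# after leaving: they control the reverse (PTR) zone for it, but not the
# company's forward zone, so the name no longer resolves to that address.
FAKE_FORWARD = {"alice.corp.example": {"192.0.2.10"}}
FAKE_REVERSE = {"192.0.2.10": "alice.corp.example",
                "198.51.100.7": "alice.corp.example"}

def fake_forward(name):
    """Return the set of addresses the name resolves to (empty if none)."""
    return FAKE_FORWARD.get(name.lower(), set())

def fake_reverse(ip):
    """Return the PTR name for ip, or None if there is none."""
    return FAKE_REVERSE.get(ip)

def live_forward(name):
    """Same interface using the system resolver (hypothetical helper)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()

def live_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def hostname_allowed(client_ip, allowed_name, mode="both",
                     forward=fake_forward, reverse=fake_reverse):
    """Decide whether client_ip may be treated as allowed_name.

    mode "forward": allowed_name must resolve to client_ip.
    mode "reverse": client_ip's PTR must equal allowed_name.
    mode "both":    PTR must match AND that name must resolve back to the
                    address (the tcpwrappers paranoid-style check).
    """
    allowed_name = allowed_name.lower().rstrip(".")
    fwd_ok = client_ip in forward(allowed_name)
    ptr = reverse(client_ip)
    rev_ok = ptr is not None and ptr.lower().rstrip(".") == allowed_name
    if mode == "forward":
        return fwd_ok
    if mode == "reverse":
        return rev_ok
    if mode == "both":
        return rev_ok and fwd_ok
    raise ValueError("mode must be forward, reverse or both")
```

With the constructed data, the original workstation passes all three modes, while the moved-to address passes only the reverse-only check: a PTR record under the client's control is not enough once the forward lookup is also required.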