NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit24b29ca

committed

Support suffix matching of host names in pg_hba.conf

A name starting with a dot can be used to match a suffix of the actualhost name (e.g., .example.com matches foo.example.com).

1 parentdd15870 commit24b29caCopy full SHA for 24b29ca

File tree

3 files changed

+43

-2

lines changed

doc/src/sgml
- client-auth.sgml
src/backend/libpq
- hba.c
- pg_hba.conf.sample

3 files changed

+43

-2

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,14 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`282`	`282`	`to resolve an IP address.)`
`283`	`283`	`</para>`
`284`	`284`
	`285`	`+ <para>`
	`286`	`+ A host name specification that starts with a dot`
	`287`	`+ (<literal>.</literal>) matches a suffix of the actual host`
	`288`	`+ name. So <literal>.example.com</literal> would match`
	`289`	`+ <literal>foo.example.com</literal> (but not just`
	`290`	`+ <literal>example.com</literal>).`
	`291`	`+ </para>`
	`292`	`+`
`285`	`293`	`<para>`
`286`	`294`	`When host names are specified`
`287`	`295`	`in <filename>pg_hba.conf</filename>, you should make sure that`
`@@ -310,6 +318,12 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`310`	`318`	`everyone's problem.`
`311`	`319`	`</para>`
`312`	`320`
	`321`	`+ <para>`
	`322`	`+ Also, a reverse lookup is necessary to implement the suffix`
	`323`	`+ matching feature, because the actual client host name needs to`
	`324`	`+ be known in order to match it against the pattern.`
	`325`	`+ </para>`
	`326`	`+`
`313`	`327`	`<para>`
`314`	`328`	`Note that this behavior is consistent with other popular`
`315`	`329`	`implementations of host name-based access control, such as the`
`@@ -605,6 +619,12 @@ host postgres all 192.168.93.0/24 ident`
`605`	`619`	`# TYPE DATABASE USER ADDRESS METHOD`
`606`	`620`	`host postgres all 192.168.12.10/32 md5`
`607`	`621`
	`622`	`+# Allow any user from hosts in the example.com domain to connect to`
	`623`	`+# any database if the user's password is correctly supplied.`
	`624`	`+#`
	`625`	`+# TYPE DATABASE USER ADDRESS METHOD`
	`626`	`+host all all .example.com md5`
	`627`	`+`
`608`	`628`	`# In the absence of preceding "host" lines, these two lines will`
`609`	`629`	`# reject all connections from 192.168.54.1 (since that entry will be`
`610`	`630`	`# matched first), but allow Kerberos 5 connections from anywhere else`

`‎src/backend/libpq/hba.c`

Lines changed: 21 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -564,6 +564,26 @@ ipv6eq(struct sockaddr_in6 a, struct sockaddr_in6 b)`
`564`	`564`
`565`	`565`	`#endif/* HAVE_IPV6 */`
`566`	`566`
	`567`	`+/*`
	`568`	`+ * Check whether host name matches pattern.`
	`569`	`+ */`
	`570`	`+staticbool`
	`571`	`+hostname_match(constcharpattern,constcharactual_hostname)`
	`572`	`+{`
	`573`	`+if (pattern[0]=='.')/* suffix match */`
	`574`	`+{`
	`575`	`+size_tplen=strlen(pattern);`
	`576`	`+size_thlen=strlen(actual_hostname);`
	`577`	`+`
	`578`	`+if (hlen<plen)`
	`579`	`+return false;`
	`580`	`+`
	`581`	`+return (pg_strcasecmp(pattern,actual_hostname+ (hlen-plen))==0);`
	`582`	`+}`
	`583`	`+else`
	`584`	`+return (pg_strcasecmp(pattern,actual_hostname)==0);`
	`585`	`+}`
	`586`	`+`
`567`	`587`	`/*`
`568`	`588`	`* Check to see if a connecting IP matches a given host name.`
`569`	`589`	`*/`
`@@ -588,7 +608,7 @@ check_hostname(hbaPort port, const char hostname)`
`588`	`608`	`port->remote_hostname=pstrdup(remote_hostname);`
`589`	`609`	`}`
`590`	`610`
`591`		`-if (pg_strcasecmp(port->remote_hostname,hostname)!=0)`
	`611`	`+if (!hostname_match(hostname,port->remote_hostname))`
`592`	`612`	`return false;`
`593`	`613`
`594`	`614`	`/* Lookup IP from host name and check against original IP */`

`‎src/backend/libpq/pg_hba.conf.sample`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,8 @@`
`32`	`32`	`# ADDRESS specifies the set of hosts the record matches. It can be a`
`33`	`33`	`# host name, or it is made up of an IP address and a CIDR mask that is`
`34`	`34`	`# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that`
`35`		`-# specifies the number of significant bits in the mask.`
	`35`	`+# specifies the number of significant bits in the mask. A host name`
	`36`	`+# that starts with a dot (.) matches a suffix of the actual host name.`
`36`	`37`	`# Alternatively, you can write an IP address and netmask in separate`
`37`	`38`	`# columns to specify the set of hosts. Instead of a CIDR-address, you`
`38`	`39`	`# can write "samehost" to match any of the server's own IP addresses,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit24b29ca

File tree

3 files changed

3 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/hba.c`

`‎src/backend/libpq/pg_hba.conf.sample`

0 commit comments