to resolve an IP address.)
</para>
+ <para>
+ A host name specification that starts with a dot
+ (<literal>.</literal>) matches a suffix of the actual host
+ name. So <literal>.example.com</literal> would match
+ <literal>foo.example.com</literal> (but not just
+ <literal>example.com</literal>).
+ </para>
+
<para>
When host names are specified
in <filename>pg_hba.conf</filename>, you should make sure that
everyone's problem.
</para>
+ <para>
+ Also, a reverse lookup is necessary to implement the suffix
+ matching feature, because the actual client host name needs to
+ be known in order to match it against the pattern.
+ </para>
+
<para>
Note that this behavior is consistent with other popular
implementations of host name-based access control, such as the
# TYPE DATABASE USER ADDRESS METHOD
host postgres all 192.168.12.10/32 md5
+# Allow any user from hosts in the example.com domain to connect to
+# any database if the user's password is correctly supplied.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all .example.com md5
+
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
# matched first), but allow Kerberos 5 connections from anywhere else
#endif /* HAVE_IPV6 */
+/*
+ * Check whether host name matches pattern.
+ */
+static bool
+hostname_match(const char *pattern, const char *actual_hostname)
+{
+ if (pattern[0] == '.') /* suffix match */
+ {
+ size_t plen = strlen(pattern);
+ size_t hlen = strlen(actual_hostname);
+
+ if (hlen < plen)
+ return false;
+
+ return (pg_strcasecmp(pattern, actual_hostname + (hlen - plen)) == 0);
+ }
+ else
+ return (pg_strcasecmp(pattern, actual_hostname) == 0);
+}
+
/*
* Check to see if a connecting IP matches a given host name.
*/
port->remote_hostname = pstrdup(remote_hostname);
}
- if (pg_strcasecmp(port->remote_hostname, hostname) != 0)
+ if (!hostname_match(hostname, port->remote_hostname))
return false;
/* Lookup IP from host name and check against original IP */
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask.
+# specifies the number of significant bits in the mask. A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
projects / users / c2main / postgres.git / commitdiff