[postgis-users] setting up or accessing a host

Bistrais, Bob Bob.Bistrais at maine.gov
Thu Feb 16 07:51:51 PST 2012


Thanks Ben,

 

I tried setting the pg_hba as you specified, and that seems to work.
I'm only working with a development machine now, no sensitive data and
can't be accessed outside the WAN, but these issues will become more
important later.

 

________________________________

From: postgis-users-bounces at postgis.refractions.net
[mailto:postgis-users-bounces at postgis.refractions.net] On Behalf Of Ben
Madin
Sent: Thursday, February 16, 2012 2:14 AM
To: PostGIS Users Discussion
Subject: Re: [postgis-users] setting up or accessing a host

 

Yes - anytime you let anyone else connect to your machine it becomes a
risk. You have to balance that with the usefulness of an isolated
machine vs the value of being able to access it over a network.

 

I guess in this case you are only allowing connections to the database,
so that limits the damage that could happen.

 

In this case, because you are letting anyone from that single ip address
connect to any database, you may be pretty safe if you know the owner of
that machine - and they are likely to be careful with their password.

 

I'd be inclined towards :

 

host    specificdatabase    individualuser    machineIP/32    md5

 

and of course you could use hostssl if you were even more worried.

 

Then it is a matter of what the individual user can access that becomes
your concern - for example, for most mapserver interfaces we have a
'mapuser' that can only select data from the necessary tables.

 

I'm surprised that the fully qualified domain name of the machine is
working - the documentation has :

 

        IP addresses can only be specified numerically, not as domain or
host names 

 

cheers

 

Ben

 

 

 

 

On 15/02/2012, at 12:46 AM, Bistrais, Bob wrote:





Hi Ben,

 

I think I've had some success, thanks to your input.  But please let me
know if this is OK...

 

I edited pg_hba.conf, adding a line like this:

host     all         all         mymachinename           md5

 

-where mymachinename is actually the fully qualified domain name of the
machine.

 

This works, in the sense that I can now display the data through other
than localhost.  But is this a good practice?  Am I breaching security,
or setting myself up for some other disaster? 

 

Thanks,

Bob 

 

________________________________

From: postgis-users-bounces at postgis.refractions.net
[mailto:postgis-users-bounces at postgis.refractions.net] On Behalf Of Ben
Madin
Sent: Tuesday, February 14, 2012 10:42 AM
To: PostGIS Users Discussion
Subject: Re: [postgis-users] setting up or accessing a host

 

Bob,

 

the security is by default tight - but it sounds like you want host
based authentication (hba)

 

You will need to read this page a few times :

 

http://www.postgresql.org/docs/9.1/interactive/auth-pg-hba-conf.html

 

and then before you do anything else edit your postgresql.conf file
(about 60 lines down) to look like :

 

listen_addresses = '*'          # what IP address(es) to listen on;
                                # comma-separated list of addresses;
                                # defaults to 'localhost', '*' = all
                                # (change requires restart)

 

Note the * in between the quotes (you may well have localhost there
now). 

 

Then edit your pg_hba.conf file.

 

note that you need to restart the server when you change the listen
addresses, but you only need to reload it when you edit the pg_hba.conf
file

 

Also note that this can be really painful for users with dynamic ip
address allocation.

 

good luck.

 

cheers

 

Ben

 

 

 

 

On 14/02/2012, at 11:04 PM, Bistrais, Bob wrote:






So at this point I figured out how to get a PostGIS layer to display
through MapServer, but that is only where host=localhost.  Now I'm
trying to figure out how to access the data from other machines.  I'm
looking through the documentation but haven't found out how yet.  Can
anyone point me in the right direction?

_______________________________________________
postgis-users mailing list
postgis-users at postgis.refractions.net
http://postgis.refractions.net/mailman/listinfo/postgis-users
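
Added example, not part of the original thread: a small pg_hba.conf checker that reports, for each remote-access rule, the breadth issues discussed above ("all" databases or roles, a host name or wide network as the address, "host" instead of "hostssl"). The sample rules, the 192.0.2.x addresses and the function name audit_hba are constructed for illustration; quoted fields and IPv6 netmask columns are not handled.

```python
import ipaddress

# Constructed sample: line 2 is the rule tried in the thread, line 3 follows
# the suggested narrower shape, line 4 is a hostssl rule for a read-only role.
SAMPLE = """\
# TYPE  DATABASE          USER            ADDRESS          METHOD
host    all               all             mymachinename    md5
host    specificdatabase  individualuser  192.0.2.10/32    md5
hostssl specificdatabase  mapuser         192.0.2.0/24     md5
"""

def audit_hba(text):
    """Map line number -> list of findings for each host* rule."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(f) < 5 or f[0] not in ("host", "hostssl", "hostnossl"):
            continue                              # local/socket rules are out of scope
        kind, db, user, addr = f[:4]
        # "address netmask method" form: fold the IPv4 mask into the address
        if len(f) >= 6 and f[4][0].isdigit():
            addr, method = f"{addr}/{f[4]}", f[5]
        else:
            method = f[4]
        notes = []
        if db == "all":
            notes.append("any database")
        if user == "all":
            notes.append("any role")
        if addr == "all":
            notes.append("any client address")
        elif addr not in ("samehost", "samenet"):
            try:
                net = ipaddress.ip_network(addr, strict=False)
                if net.num_addresses > 1:
                    notes.append(f"{net.num_addresses} client addresses")
            except ValueError:                    # not numeric: treated as a host name
                notes.append("host name address (depends on DNS)")
        if kind != "hostssl":
            notes.append("SSL not required")
        if method in ("trust", "password"):
            notes.append(f"weak method {method}")
        report[n] = notes
    return report

if __name__ == "__main__":
    for line, notes in audit_hba(SAMPLE).items():
        print(line, "; ".join(notes) or "ok")
```

An empty list means the rule names one database, one role and one address and requires SSL; what that role may then do is controlled separately by its table privileges.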

 
