[postgis-users] setting up or accessing a host
Ben Madin
lists at remoteinformation.com.au
Wed Feb 15 23:13:34 PST 2012
Yes - anytime you let anyone else connect to your machine it becomes a risk. You have to balance that with the usefulness of an isolated machine vs the value of being able to access it over a network.
I guess in this case you are only allowing connections to the database, so that limits the damage that could happen.
In this case, because you are letting anyone from that single ip address connect to any database, you may be pretty safe if you know the owner of that machine - and they are likely to be careful with their password.
I'd be inclined towards :
host specificdatabase individualuser machineIP/32 md5
and of course you could use hostssl if you were even more worried.
Then it is a matter of what the individual user can access that becomes your concern - for example, for most mapserver interfaces we have a 'mapuser' that can only select data from the necessary tables.
I'm surprised that the fully qualified domain name of the machine is working - the documentation has :
IP addresses can only be specified numerically, not as domain or host names
cheers
Ben
On 15/02/2012, at 12:46 AM, Bistrais, Bob wrote:
> Hi Ben,
>
> I think I’ve had some success, thanks to your input. But please let me know if this is OK…
>
> I edited pg_hba.conf, adding a line like this:
> Host all all mymachinename md5
>
> -where mymachinename is actually the fully qualified domain name of the machine.
>
> This works, in the sense that I can now display the data through other than localhost. But is this a good practice? Am I breaching security, or setting myself up for some other disaster?
>
> Thanks,
> Bob
>
> From: postgis-users-bounces at postgis.refractions.net [mailto:postgis-users-bounces at postgis.refractions.net] On Behalf Of Ben Madin
> Sent: Tuesday, February 14, 2012 10:42 AM
> To: PostGIS Users Discussion
> Subject: Re: [postgis-users] setting up or accessing a host
>
> Bob,
>
> the security is by default tight - but it sounds like you want host based authentication (hba)
>
> You will need to read this page a few times :
>
> http://www.postgresql.org/docs/9.1/interactive/auth-pg-hba-conf.html
>
> and then before you do anything else edit your postgresql.conf file (about 60 lines down) to look like :
>
> listen_addresses = '*' # what IP address(es) to listen on;
> # comma-separated list of addresses;
> # defaults to 'localhost', '*' = all
> # (change requires restart)
>
> Note the * in between the quotes (you may well have localhost there now).
>
> Then edit your pg_hba.conf file.
>
> note that you need to restart the server when you change the listen addresses, but you only need to reload it when you edit the pg_hba.conf file
>
> Also note that this can be really painful for users with dynamic ip address allocation.
>
> good luck.
>
> cheers
>
> Ben
>
>
>
>
> On 14/02/2012, at 11:04 PM, Bistrais, Bob wrote:
>
>
> So at this point I figured out how to get a PostGIS layer to display through MapServer, but that is only where host=localhost. Now I’m trying to figure out how to access the data from other machines. I’m looking through the documentation but haven’t found out how yet. Can anyone point me in the right direction?
> _______________________________________________
> postgis-users mailing list
> postgis-users at postgis.refractions.net
> http://postgis.refractions.net/mailman/listinfo/postgis-users
>
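Added example, not part of the original thread or of PostgreSQL itself: a small Python check that reads pg_hba.conf records and reports the points raised above (database "all", user "all", a non-numeric address, a range wider than one host, "host" instead of "hostssl"). The host name, database, role and address in the sample are constructed placeholders, and the parser assumes five-column records with a CIDR or host-name address (no separate netmask column, no address keywords).

```python
import ipaddress

# Constructed sample: Bob's rule shape, then the narrower forms Ben suggests.
# Host name, database, role and address are placeholders, not values from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER     ADDRESS            METHOD
host     all       all      gis01.example.org  md5
host     gisdb     mapuser  192.0.2.10/32      md5
hostssl  gisdb     mapuser  192.0.2.10/32      md5
"""

def audit_record(line):
    """Return findings for one 'host*' record written in CIDR or host-name form."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 5 or not fields[0].startswith("host"):
        return []  # comment, blank, 'local', or a layout this sketch does not parse
    conn, database, user, address, _method = fields
    findings = []
    if database == "all":
        findings.append("database 'all': rule is not limited to one database")
    if user == "all":
        findings.append("user 'all': rule is not limited to one role")
    try:
        if ipaddress.ip_network(address, strict=False).num_addresses > 1:
            findings.append("address range wider than a single host")
    except ValueError:
        findings.append("address is not numeric: match relies on name resolution")
    if conn == "host":
        findings.append("'host' also matches non-SSL connections; 'hostssl' does not")
    return findings

def audit(text):
    """Map line number -> findings for every record that has at least one."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = audit_record(line)
        if findings:
            report[lineno] = findings
    return report

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_HBA).items():
        for finding in findings:
            print(f"line {lineno}: {finding}")
```

Run against the sample, the "all all" rule with a host name collects four findings, the /32 "host" rule only the SSL one, and the "hostssl" rule none.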