Connect to postgres from a dynamic IP
Dear Sirs,
it is possible to connect to PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?
How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?
I have no possibility to change the settings of clients (my customers)
Thank you.
Domenico
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date: 02/03/2008
15:59
yes, it is possible if you use a service like dyndns: http://www.dyndns.com/
to "convert" your dynamic ip. If you use this service you connect your
dynamic
ip to a hostname, which is dynamically updated by this service.
after that you can change your windows hosts file to add the hostname
you have registered with dyndns to your localhost (or the ip that
resides in the network serving PostgreSQL).
when you have done all this, you can change your pg_hba.conf file like you
wish...
Steven
On Mon, Mar 3, 2008 at 11:01 AM, dfx <dfx@dfx.it> wrote:
Show quoted text
Dear Sirs,
it is possible to connect to PostgreSQL server from a client with a
dynamic
IP (or from an unknown IP)?How I have to configure pg_hba.conf (and/or eventually my router, where
the
server is located)?I have no possibility to change the settings of clients (my customers)
Thank you.
Domenico
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date:
02/03/2008
15:59---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
choose an index scan if your joining column's datatypes do not
match
Em Monday 03 March 2008 07:01:17 dfx escreveu:
it is possible to connect to PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?
You'll have to make PostgreSQL accept connections from ANY IP in the possible
range assigned to the networks where your customers are. There are IP ranges
for specific countries available... You can also allow access from anywhere
in the world.
I'd also recommend that you require the use of some cryptography such as SSL
for that.
--
Jorge Godoy <jgodoy@gmail.com>
am Mon, dem 03.03.2008, um 11:01:17 +0100 mailte dfx folgendes:
Dear Sirs,
it is possible to connect to PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?
Of course, yes.
How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?
Set the CIDR to 0.0.0.0/32.
I have no possibility to change the settings of clients (my customers)
Keep in mind, with this way everyone from around the world have access
to your database-server. Consider other solutions like a VPN or a
SSH-Tunnel. At least you should use strong authentication (md5) or SSL.
Andreas
--
Andreas Kretschmer
Kontakt: Heynitz: 035242/47150, D1: 0160/7141639 (mehr: -> Header)
GnuPG-ID: 0x3FFF606C, privat 0x7F4584DA http://wwwkeys.de.pgp.net
On Mon, Mar 03, 2008 at 11:33:17AM +0100, A. Kretschmer wrote:
am Mon, dem 03.03.2008, um 11:01:17 +0100 mailte dfx folgendes:
Dear Sirs,
it is possible to connect to PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?Of course, yes.
How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?Set the CIDR to 0.0.0.0/32.
That should be 0.0.0.0/0, I beleive.
//Magnus
I apologize for my confuse exposition.
My server has a static, well known IP.
The problem is that I don't know the IP of my customers (client side) and
then
I cannot insert those addresses in pg_hba.conf file.
The question il: Is there a method to avoid to insert the addesses of the
clients
in the pg_hba.conf and to allow connections from internet with security
assured
only by username and password?
The unique (mandatory) solution to solve this problem id to use web services
(and then port 80)
or there are some other solutions?
Thank you
Domenico
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date: 02/03/2008
15:59
Import Notes
Resolved by subject fallback
am Mon, dem 03.03.2008, um 11:59:36 +0100 mailte Magnus Hagander folgendes:
How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?Set the CIDR to 0.0.0.0/32.
That should be 0.0.0.0/0, I beleive.
//Magnus
Magnus, right. Thx.
Andreas
--
Andreas Kretschmer
Kontakt: Heynitz: 035242/47150, D1: 0160/7141639 (mehr: -> Header)
GnuPG-ID: 0x3FFF606C, privat 0x7F4584DA http://wwwkeys.de.pgp.net
On 03/03/2008 11:01, dfx wrote:
The question il: Is there a method to avoid to insert the addesses of
the clients in the pg_hba.conf and to allow connections from internet
with security assured only by username and password?
Yes, that's what people have been explaining: you insert a line
something like:
host [database] [user] 0.0.0.0/0 md5
if you're asking if pg_hba.conf can be bypassed completely, then as far
as I know the answer is no. However, inserting the line above will
have a similar effect, at least with regard to incoming network connections.
HTH,
Ray.
---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------
Em Monday 03 March 2008 08:08:36 Raymond O'Donnell escreveu:
On 03/03/2008 11:01, dfx wrote:
The question il: Is there a method to avoid to insert the addesses of
the clients in the pg_hba.conf and to allow connections from internet
with security assured only by username and password?Yes, that's what people have been explaining: you insert a line
something like:host [database] [user] 0.0.0.0/0 md5
But make it "hostssl" instead of "host", to require some cryptography in the
channel used, specially to authenticate the connection.
Opening your access to everyone without crypto sounds like something you don't
want to do. Specially if users can change their own passwords...
--
Jorge Godoy <jgodoy@gmail.com>
Jorge Godoy wrote:
Em Monday 03 March 2008 08:08:36 Raymond O'Donnell escreveu:
On 03/03/2008 11:01, dfx wrote:
The question il: Is there a method to avoid to insert the addesses of
the clients in the pg_hba.conf and to allow connections from internet
with security assured only by username and password?Yes, that's what people have been explaining: you insert a line
something like:host [database] [user] 0.0.0.0/0 md5
But make it "hostssl" instead of "host", to require some cryptography in the
channel used, specially to authenticate the connection.Opening your access to everyone without crypto sounds like something you don't
want to do. Specially if users can change their own passwords...
My understanding is no password is sent in the clear with md5 per:
http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
Paul
But make it "hostssl" instead of "host", to require some cryptography
in the channel used, specially to authenticate the connection.Opening your access to everyone without crypto sounds like something
you don't want to do. Specially if users can change their own
passwords...My understanding is no password is sent in the clear with md5 per:
http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
Paul
However, it depends on the sort of data you are accessing. Sending a MD5
password is all well and good but if your data consists of credit card
info or trade secrets then you'll want that encrypted too.
Collin wrote:
But make it "hostssl" instead of "host", to require some
cryptography in the channel used, specially to authenticate the
connection.Opening your access to everyone without crypto sounds like something
you don't want to do. Specially if users can change their own
passwords...My understanding is no password is sent in the clear with md5 per:
http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
Paul
However, it depends on the sort of data you are accessing. Sending a
MD5 password is all well and good but if your data consists of credit
card info or trade secrets then you'll want that encrypted too.
Yes true, if your data is sensitive, go with SSL.
On the other hand, if you're sending credit card data around, you must
comply with the PCI audit regulation, in which case there is exactly
0.0% chance you're putting your database port on a public network.
Regards,
Paul
Em Monday 03 March 2008 13:17:03 você escreveu:
My understanding is no password is sent in the clear with md5 per:
http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
ORD
But the MD5 hash is. This page states that the password can't be directly
sniffed, but one can still get the hash of the password and perform a
dictionary attack against it on a local copy (i.e., without ever trying to
connect to the server).
After a successful attack then one can connect directly to the server as if
the password was known to him/her.
Crypting the channell -- be it with SSL or SSH, for example -- will prevent
the sniffer from being able to capture the hash, so your password will be
safer.
--
Jorge Godoy <jgodoy@gmail.com>
Jorge Godoy wrote:
Em Monday 03 March 2008 13:17:03 voc� escreveu:
My understanding is no password is sent in the clear with md5 per:
http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
ORDBut the MD5 hash is. This page states that the password can't be directly
sniffed, but one can still get the hash of the password and perform a
dictionary attack against it on a local copy (i.e., without ever trying to
connect to the server).After a successful attack then one can connect directly to the server as if
the password was known to him/her.
No sense in pretending. I should think that password *would* be known in
that scenario.
(ignoring hash collisions, of course)