Re: Thoughts on pg_hba.conf rejection

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jaime Casanova <jcasanov@systemguards.com.ec>
Cc: Simon Riggs <simon@2ndquadrant.com>, pgsql-hackers@postgresql.org
Date: 2010-04-07T15:43:44Z
Lists: pgsql-hackers
Jaime Casanova <jcasanov@systemguards.com.ec> writes:
> On Wed, Apr 7, 2010 at 10:46 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> It's intentional. We try to expose the minimum amount of knowledge
>> about the contents of pg_hba.conf to potential attackers.

> i just tried it in CVS and in 8.4 and when i put a reject rule on
> pg_hba.conf what i get is:
> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user "mic",
> database "mic"

> so we are giving a lot of info already

All three of those data values are known to the client; they don't add
knowledge about what is in pg_hba.conf.

			regards, tom lane