File: ssh-tunnels.html

package info (click to toggle)
pgadmin3 1.4.3-2
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 29,796 kB
  • ctags: 10,758
  • sloc: cpp: 55,356; sh: 6,164; ansic: 1,520; makefile: 576; sql: 482; xml: 100; perl: 18
file content (63 lines) | stat: -rw-r--r-- 3,462 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>16.8.Secure TCP/IP Connections with SSH Tunnels</title>
<link rel="stylesheet" href="stylesheet.css" type="text/css">
<link rev="made" href="pgsql-docs@postgresql.org">
<meta name="generator" content="DocBook XSL Stylesheets V1.70.0">
<link rel="start" href="index.html" title="PostgreSQL 8.1.4 Documentation">
<link rel="up" href="runtime.html" title="Chapter16.Operating System Environment">
<link rel="prev" href="ssl-tcp.html" title="16.7.Secure TCP/IP Connections with SSL">
<link rel="next" href="runtime-config.html" title="Chapter17.Server Configuration">
<link rel="copyright" href="ln-legalnotice.html" title="Legal Notice">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="ssh-tunnels"></a>16.8.Secure TCP/IP Connections with <span class="application">SSH</span> Tunnels</h2></div></div></div>
<a name="id644772"></a><p>   One can use <span class="application">SSH</span> to encrypt the network
   connection between clients and a
   <span class="productname">PostgreSQL</span> server. Done properly, this
   provides an adequately secure network connection, even for non-SSL-capable
   clients.
  </p>
<p>   First make sure that an <span class="application">SSH</span> server is
   running properly on the same machine as the
   <span class="productname">PostgreSQL</span> server and that you can log in using
   <code class="command">ssh</code> as some user. Then you can establish a secure
   tunnel with a command like this from the client machine:
</p>
<pre class="programlisting">ssh -L 3333:foo.com:5432 joe@foo.com</pre>
<p>
   The first number in the <code class="option">-L</code> argument, 3333, is the
   port number of your end of the tunnel; it can be chosen freely. The
   second number, 5432, is the remote end of the tunnel: the port
   number your server is using. The name or IP address between
   the port numbers is the host with the database server you are going
   to connect to. In order to connect to the database server using
   this tunnel, you connect to port 3333 on the local machine:
</p>
<pre class="programlisting">psql -h localhost -p 3333 postgres</pre>
<p>
   To the database server it will then look as though you are really
   user <code class="literal">joe@foo.com</code> and it will use whatever
   authentication procedure was configured for connections from this
   user and host.  Note that the server will not think the connection is
   SSL-encrypted, since in fact it is not encrypted between the
   <span class="application">SSH</span> server and the
   <span class="productname">PostgreSQL</span> server.  This should not pose any
   extra security risk as long as they are on the same machine.
  </p>
<p>   In order for the
   tunnel setup to succeed you must be allowed to connect via
   <code class="command">ssh</code> as <code class="literal">joe@foo.com</code>, just
   as if you had attempted to use <code class="command">ssh</code> to set up a
   terminal session.
  </p>
<div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Tip</h3>
<p>    Several other applications exist that can provide secure tunnels using
    a procedure similar in concept to the one just described.
   </p>
</div>
</div></body>
</html>