<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Secure TCP/IP Connections with SSH Tunnels</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org"><LINK REL="HOME" TITLE="PostgreSQL 9.6.22 Documentation" HREF="index.html"><LINK REL="UP" TITLE="Server Setup and Operation" HREF="runtime.html"><LINK REL="PREVIOUS" TITLE="Secure TCP/IP Connections with SSL" HREF="ssl-tcp.html"><LINK REL="NEXT" TITLE="Registering Event Log on Windows" HREF="event-log-registration.html"><LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css"><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"><META NAME="creation" CONTENT="2021-05-18T09:16:10"></HEAD ><BODY CLASS="SECT1" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="4" ALIGN="center" VALIGN="bottom" ><A HREF="index.html" >PostgreSQL 9.6.22 Documentation</A ></TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A TITLE="Secure TCP/IP Connections with SSL" HREF="ssl-tcp.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A HREF="runtime.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="60%" ALIGN="center" VALIGN="bottom" >Chapter 18. Server Setup and Operation</TD ><TD WIDTH="20%" ALIGN="right" VALIGN="top" ><A TITLE="Registering Event Log on Windows" HREF="event-log-registration.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="SSH-TUNNELS" >18.10. Secure TCP/IP Connections with <SPAN CLASS="APPLICATION" >SSH</SPAN > Tunnels</A ></H1 ><P > It is possible to use <SPAN CLASS="APPLICATION" >SSH</SPAN > to encrypt the network connection between clients and a <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > server. Done properly, this provides an adequately secure network connection, even for non-SSL-capable clients. </P ><P > First make sure that an <SPAN CLASS="APPLICATION" >SSH</SPAN > server is running properly on the same machine as the <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > server and that you can log in using <TT CLASS="COMMAND" >ssh</TT > as some user; you then can establish a secure tunnel to the remote server. A secure tunnel listens on a local port and forwards all traffic to a port on the remote machine. Traffic sent to the remote port can arrive on its <TT CLASS="LITERAL" >localhost</TT > address, or different bind address if desired; it does not appear as coming from your local machine. This command creates a secure tunnel from the client machine to the remote machine <TT CLASS="LITERAL" >foo.com</TT >: </P><PRE CLASS="PROGRAMLISTING" >ssh -L 63333:localhost:5432 joe@foo.com</PRE ><P> The first number in the <TT CLASS="OPTION" >-L</TT > argument, 63333, is the local port number of the tunnel; it can be any unused port. (IANA reserves ports 49152 through 65535 for private use.) The name or IP address after this is the remote bind address you are connecting to, i.e., <TT CLASS="LITERAL" >localhost</TT >, which is the default. The second number, 5432, is the remote end of the tunnel, e.g., the port number your database server is using. In order to connect to the database server using this tunnel, you connect to port 63333 on the local machine: </P><PRE CLASS="PROGRAMLISTING" >psql -h localhost -p 63333 postgres</PRE ><P> To the database server it will then look as though you are user <TT CLASS="LITERAL" >joe</TT > on host <TT CLASS="LITERAL" >foo.com</TT > connecting to the <TT CLASS="LITERAL" >localhost</TT > bind address, and it will use whatever authentication procedure was configured for connections by that user to that bind address. Note that the server will not think the connection is SSL-encrypted, since in fact it is not encrypted between the <SPAN CLASS="APPLICATION" >SSH</SPAN > server and the <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN > server. This should not pose any extra security risk because they are on the same machine. </P ><P > In order for the tunnel setup to succeed you must be allowed to connect via <TT CLASS="COMMAND" >ssh</TT > as <TT CLASS="LITERAL" >joe@foo.com</TT >, just as if you had attempted to use <TT CLASS="COMMAND" >ssh</TT > to create a terminal session. </P ><P > You could also have set up port forwarding as </P><PRE CLASS="PROGRAMLISTING" >ssh -L 63333:foo.com:5432 joe@foo.com</PRE ><P> but then the database server will see the connection as coming in on its <TT CLASS="LITERAL" >foo.com</TT > bind address, which is not opened by the default setting <TT CLASS="LITERAL" >listen_addresses = 'localhost'</TT >. This is usually not what you want. </P ><P > If you have to <SPAN CLASS="QUOTE" >"hop"</SPAN > to the database server via some login host, one possible setup could look like this: </P><PRE CLASS="PROGRAMLISTING" >ssh -L 63333:db.foo.com:5432 joe@shell.foo.com</PRE ><P> Note that this way the connection from <TT CLASS="LITERAL" >shell.foo.com</TT > to <TT CLASS="LITERAL" >db.foo.com</TT > will not be encrypted by the SSH tunnel. SSH offers quite a few configuration possibilities when the network is restricted in various ways. Please refer to the SSH documentation for details. </P ><DIV CLASS="TIP" ><BLOCKQUOTE CLASS="TIP" ><P ><B >Tip: </B > Several other applications exist that can provide secure tunnels using a procedure similar in concept to the one just described. </P ></BLOCKQUOTE ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="ssl-tcp.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="event-log-registration.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Secure TCP/IP Connections with SSL</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="runtime.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Registering <SPAN CLASS="APPLICATION" >Event Log</SPAN > on <SPAN CLASS="SYSTEMITEM" >Windows</SPAN ></TD ></TR ></TABLE ></DIV ></BODY ></HTML >