<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Secure TCP/IP Connections with SSH Tunnels</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 8.4.12 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Server Setup and Operation"
HREF="runtime.html"><LINK
REL="PREVIOUS"
TITLE="Secure TCP/IP Connections with SSL"
HREF="ssl-tcp.html"><LINK
REL="NEXT"
TITLE="Server Configuration"
HREF="runtime-config.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2012-05-31T23:30:11"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
>PostgreSQL 8.4.12 Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="ssl-tcp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="runtime.html"
>Fast Backward</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 17. Server Setup and Operation</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="runtime.html"
>Fast Forward</A
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="runtime-config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SSH-TUNNELS"
>17.9. Secure TCP/IP Connections with <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> Tunnels</A
></H1
><A
NAME="AEN24453"
></A
><P
> One can use <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> to encrypt the network
connection between clients and a
<SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server. Done properly, this
provides an adequately secure network connection, even for non-SSL-capable
clients.
</P
><P
> First make sure that an <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> server is
running properly on the same machine as the
<SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server and that you can log in using
<TT
CLASS="COMMAND"
>ssh</TT
> as some user. Then you can establish a secure
tunnel with a command like this from the client machine:
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:localhost:5432 joe@foo.com</PRE
><P>
The first number in the <TT
CLASS="OPTION"
>-L</TT
> argument, 63333, is the
port number of your end of the tunnel; it can be chosen freely.
(IANA reserves ports 49152 through 65535 for private use.) The
second number, 5432, is the remote end of the tunnel: the port
number your server is using. The name or IP address between the
port numbers is the host with the database server you are going to
connect to, as seen from the host you are logging in to, which
is <TT
CLASS="LITERAL"
>foo.com</TT
> in this example. In order to connect
to the database server using this tunnel, you connect to port 63333
on the local machine:
</P><PRE
CLASS="PROGRAMLISTING"
>psql -h localhost -p 63333 postgres</PRE
><P>
To the database server it will then look as though you are really
user <TT
CLASS="LITERAL"
>joe</TT
> on host <TT
CLASS="LITERAL"
>foo.com</TT
>
connecting to <TT
CLASS="LITERAL"
>localhost</TT
> in that context, and it
will use whatever authentication procedure was configured for
connections from this user and host. Note that the server will not
think the connection is SSL-encrypted, since in fact it is not
encrypted between the
<SPAN
CLASS="APPLICATION"
>SSH</SPAN
> server and the
<SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server. This should not pose any
extra security risk as long as they are on the same machine.
</P
><P
> In order for the
tunnel setup to succeed you must be allowed to connect via
<TT
CLASS="COMMAND"
>ssh</TT
> as <TT
CLASS="LITERAL"
>joe@foo.com</TT
>, just
as if you had attempted to use <TT
CLASS="COMMAND"
>ssh</TT
> to set up a
terminal session.
</P
><P
> You could also have set up the port forwarding as
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:foo.com:5432 joe@foo.com</PRE
><P>
but then the database server will see the connection as coming in
on its <TT
CLASS="LITERAL"
>foo.com</TT
> interface, which is not opened by
the default setting <TT
CLASS="LITERAL"
>listen_addresses =
'localhost'</TT
>. This is usually not what you want.
</P
><P
> If you have to <SPAN
CLASS="QUOTE"
>"hop"</SPAN
> to the database server via some
login host, one possible setup could look like this:
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:db.foo.com:5432 joe@shell.foo.com</PRE
><P>
Note that this way the connection
from <TT
CLASS="LITERAL"
>shell.foo.com</TT
>
to <TT
CLASS="LITERAL"
>db.foo.com</TT
> will not be encrypted by the SSH
tunnel.
SSH offers quite a few configuration possibilities when the network
is restricted in various ways. Please refer to the SSH
documentation for details.
</P
><DIV
CLASS="TIP"
><BLOCKQUOTE
CLASS="TIP"
><P
><B
>Tip: </B
> Several other applications exist that can provide secure tunnels using
a procedure similar in concept to the one just described.
</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ssl-tcp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="runtime-config.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Secure TCP/IP Connections with SSL</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="runtime.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Server Configuration</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
distrib
>
Mandriva
>
current
>
i586
>
media
>
main-updates
>
by-pkgid
>
fc62ce67f262cdcd253dc7f849ce3223
>
files
>
910
