<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HEAD>
<TITLE>Secure TCP/IP Connections with SSH Tunnels</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79">
<LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org">
<LINK REL="HOME" TITLE="PostgreSQL 9.1beta1 Documentation" HREF="index.html">
<LINK REL="UP" TITLE="Server Setup and Operation" HREF="runtime.html">
<LINK REL="PREVIOUS" TITLE="Secure TCP/IP Connections with SSL" HREF="ssl-tcp.html">
<LINK REL="NEXT" TITLE="Server Configuration" HREF="runtime-config.html">
<LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META NAME="creation" CONTENT="2011-04-27T21:20:33">
</HEAD>
<P>PostgreSQL 9.1beta1 Documentation. Chapter 17. Server Setup and Operation. Previous: <A HREF="ssl-tcp.html">Secure TCP/IP Connections with SSL</A>. Next: <A HREF="runtime-config.html">Server Configuration</A>.</P>
<H1><A NAME="SSH-TUNNELS">17.10. Secure TCP/IP Connections with <SPAN CLASS="PRODUCTNAME">SSH</SPAN> Tunnels</A></H1>

<P>It is possible to use <SPAN CLASS="PRODUCTNAME">SSH</SPAN> to encrypt the network connection between clients and a <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> server. Done properly, this provides an adequately secure network connection, even for non-SSL-capable clients.</P>

<P>First make sure that an <SPAN CLASS="PRODUCTNAME">SSH</SPAN> server is running properly on the same machine as the <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> server and that you can log in using <TT CLASS="COMMAND">ssh</TT> as some user. Then you can establish a secure tunnel with a command like this from the client machine:</P>

<PRE CLASS="PROGRAMLISTING">ssh -L 63333:localhost:5432 joe@foo.com</PRE>

<P>The first number in the <TT CLASS="OPTION">-L</TT> argument, 63333, is the port number of your end of the tunnel; it can be any unused port. (IANA reserves ports 49152 through 65535 for private use.) The second number, 5432, is the remote end of the tunnel: the port number your server is using. The name or IP address between the port numbers is the host with the database server you are going to connect to, as seen from the host you are logging in to, which is <TT CLASS="LITERAL">foo.com</TT> in this example. In order to connect to the database server using this tunnel, you connect to port 63333 on the local machine:</P>

<PRE CLASS="PROGRAMLISTING">psql -h localhost -p 63333 postgres</PRE>

<P>To the database server it will then look as though you are really user <TT CLASS="LITERAL">joe</TT> on host <TT CLASS="LITERAL">foo.com</TT> connecting to <TT CLASS="LITERAL">localhost</TT> in that context, and it will use whatever authentication procedure was configured for connections from this user and host. Note that the server will not think the connection is SSL-encrypted, since in fact it is not encrypted between the <SPAN CLASS="PRODUCTNAME">SSH</SPAN> server and the <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> server. This should not pose any extra security risk as long as they are on the same machine.</P>

<P>In order for the tunnel setup to succeed you must be allowed to connect via <TT CLASS="COMMAND">ssh</TT> as <TT CLASS="LITERAL">joe@foo.com</TT>, just as if you had attempted to use <TT CLASS="COMMAND">ssh</TT> to create a terminal session.</P>

<P>You could also have set up the port forwarding as</P>

<PRE CLASS="PROGRAMLISTING">ssh -L 63333:foo.com:5432 joe@foo.com</PRE>

<P>but then the database server will see the connection as coming in on its <TT CLASS="LITERAL">foo.com</TT> interface, which is not opened by the default setting <TT CLASS="LITERAL">listen_addresses = 'localhost'</TT>. This is usually not what you want.</P>

<P>If you have to <SPAN CLASS="QUOTE">"hop"</SPAN> to the database server via some login host, one possible setup could look like this:</P>

<PRE CLASS="PROGRAMLISTING">ssh -L 63333:db.foo.com:5432 joe@shell.foo.com</PRE>

<P>Note that this way the connection from <TT CLASS="LITERAL">shell.foo.com</TT> to <TT CLASS="LITERAL">db.foo.com</TT> will not be encrypted by the SSH tunnel. SSH offers quite a few configuration possibilities when the network is restricted in various ways. Please refer to the SSH documentation for details.</P>
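<P>The following script is an added example and not part of the <SPAN CLASS="PRODUCTNAME">PostgreSQL</SPAN> documentation: it assembles the <TT CLASS="OPTION">-L</TT> forward described above, rejects local ports outside the IANA private range 49152 through 65535, and flags the case where the host between the port numbers is not the loopback, so that the leg from the SSH server to the database server lies outside the tunnel. The function names are this example's own; <TT CLASS="OPTION">-N</TT> and <TT CLASS="OPTION">-f</TT> are standard <TT CLASS="COMMAND">ssh</TT> options.</P>

```shell
#!/bin/sh
# Added example (not PostgreSQL's own docs): helpers for the ssh -L tunnel above.

# pg_tunnel_spec LOCAL_PORT DB_HOST [DB_PORT]
# Prints the -L argument LOCAL_PORT:DB_HOST:DB_PORT. DB_HOST is resolved on the
# SSH server, so "localhost" is the database server on that same machine.
# Fails when LOCAL_PORT is not numeric or lies outside 49152-65535, the range
# IANA reserves for private use (the text allows any unused port).
pg_tunnel_spec() {
  local_port=$1; db_host=$2; db_port=${3:-5432}
  case $local_port in
    ''|*[!0-9]*) echo "local port must be numeric, got '$local_port'" >&2; return 1 ;;
  esac
  if [ "$local_port" -lt 49152 ] || [ "$local_port" -gt 65535 ]; then
    echo "local port $local_port is outside the private range 49152-65535" >&2
    return 1
  fi
  printf '%s:%s:%s\n' "$local_port" "$db_host" "$db_port"
}

# pg_tunnel_hop_is_local DB_HOST
# Succeeds only when DB_HOST is the loopback as seen from the SSH server. Any
# other value (foo.com, db.foo.com) leaves the leg from the SSH server to the
# database server outside the tunnel; the default listen_addresses = 'localhost'
# will not accept such a connection anyway.
pg_tunnel_hop_is_local() {
  case $1 in
    localhost|127.0.0.1|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# pg_tunnel_cmd LOCAL_PORT DB_HOST DB_PORT SSH_LOGIN
# Prints the full command. -N runs no remote shell; -f backgrounds ssh after
# authentication, so psql can be started right after it returns.
pg_tunnel_cmd() {
  spec=$(pg_tunnel_spec "$1" "$2" "$3") || return 1
  printf 'ssh -N -f -L %s %s\n' "$spec" "$4"
}

# pg_tunnel_psql LOCAL_PORT DB_HOST DB_PORT SSH_LOGIN DBNAME
# Opens the tunnel, warns if the last leg is in the clear, then runs psql
# through the local end of the tunnel. Needs ssh and psql installed.
pg_tunnel_psql() {
  cmd=$(pg_tunnel_cmd "$1" "$2" "$3" "$4") || return 1
  pg_tunnel_hop_is_local "$2" ||
    echo "warning: $4 -> $2:$3 is not encrypted by this tunnel" >&2
  $cmd || return 1
  psql -h localhost -p "$1" "$5"
}
```

<P>For the first setup in the text, <TT CLASS="LITERAL">pg_tunnel_psql 63333 localhost 5432 joe@foo.com postgres</TT> opens the tunnel and starts <TT CLASS="COMMAND">psql</TT> through it; the hop setup via <TT CLASS="LITERAL">shell.foo.com</TT> prints the warning about the unencrypted last leg first.</P>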
<P><B>Tip: </B>Several other applications exist that can provide secure tunnels using a procedure similar in concept to the one just described.</P>