From f49beb3f505ca30a155134deb5a9b4b7167c6728 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut <peter_e@gmx.net> Date: Tue, 26 Feb 2008 16:07:16 +0000 Subject: [PATCH] In the SSH setup instructions, change ssh -L 3333:foo.com:5432 joe@foo.com I think this should be changed to ssh -L 3333:localhost:5432 joe@foo.com The reason is that this assumes the postgres server on foo.com allows connections from foo.com, which is not allowed by the default listen_addresses setting. Add more detail explaining this. pointed out by Faheem Mitha Also change the example port number 3333 to 63333 so no one can complain that we are stealing a reserved port number. --- doc/src/sgml/runtime.sgml | 54 +++++++++++++++++++++++++++++---------- 1 file changed, 41 insertions(+), 13 deletions(-) diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 2c9342272a0..b9989d4c859 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.407 2008/01/31 23:31:33 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.408 2008/02/26 16:07:16 petere Exp $ --> <chapter Id="runtime"> <title>Operating System Environment</title> @@ -1771,27 +1771,33 @@ chmod og-rwx server.key <command>ssh</command> as some user. Then you can establish a secure tunnel with a command like this from the client machine: <programlisting> -ssh -L 3333:foo.com:5432 joe@foo.com +ssh -L 63333:localhost:5432 joe@foo.com </programlisting> - The first number in the <option>-L</option> argument, 3333, is the - port number of your end of the tunnel; it can be chosen freely. The + The first number in the <option>-L</option> argument, 63333, is the + port number of your end of the tunnel; it can be chosen freely. + (IANA reserves ports 49152 through 65535 for private use.) The second number, 5432, is the remote end of the tunnel: the port - number your server is using. The name or IP address between - the port numbers is the host with the database server you are going - to connect to. In order to connect to the database server using - this tunnel, you connect to port 3333 on the local machine: + number your server is using. The name or IP address between the + port numbers is the host with the database server you are going to + connect to, as seen from the host you are logging in to, which + is <literal>foo.com</literal> in this example. In order to connect + to the database server using this tunnel, you connect to port 63333 + on the local machine: <programlisting> -psql -h localhost -p 3333 postgres +psql -h localhost -p 63333 postgres </programlisting> To the database server it will then look as though you are really - user <literal>joe@foo.com</literal> and it will use whatever - authentication procedure was configured for connections from this - user and host. Note that the server will not think the connection is - SSL-encrypted, since in fact it is not encrypted between the + user <literal>joe</literal> on host <literal>foo.com</literal> + connecting to <literal>localhost</literal> in that context, and it + will use whatever authentication procedure was configured for + connections from this user and host. Note that the server will not + think the connection is SSL-encrypted, since in fact it is not + encrypted between the <application>SSH</application> server and the <productname>PostgreSQL</productname> server. This should not pose any extra security risk as long as they are on the same machine. </para> + <para> In order for the tunnel setup to succeed you must be allowed to connect via @@ -1800,6 +1806,28 @@ psql -h localhost -p 3333 postgres terminal session. </para> + <para> + You could also have set up the port forwarding as +<programlisting> +ssh -L 63333:foo.com:5432 joe@foo.com +</programlisting> + but then the database server will see the connection as coming in + on its <literal>foo.com</literal> interface, which is not opened by + the default setting <literal>listen_addresses = + 'localhost'</literal>. This is usually not what you want. + </para> + + <para> + If you have to <quote>hop</quote> to the database server via some + login host, one possible setup could look like this: +<programlisting> +ssh -L 63333:db.foo.com:5432 joe@shell.foo.com +</programlisting> + SSH offers quite a few configuration possibilities when the network + is restricted in various ways. Please refer to the SSH + documentation for details. + </para> + <tip> <para> Several other applications exist that can provide secure tunnels using