1- <!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.407 2008/01/31 23:31:33 momjian Exp $ -->
1+ <!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.408 2008/02/26 16:07:16 petere Exp $ -->
22
33<chapter Id="runtime">
44 <title>Operating System Environment</title>
@@ -1771,27 +1771,33 @@ chmod og-rwx server.key
17711771 <command>ssh</command> as some user. Then you can establish a secure
17721772 tunnel with a command like this from the client machine:
17731773<programlisting>
1774- ssh -L 3333:foo.com :5432 joe@foo.com
1774+ ssh -L 63333:localhost :5432 joe@foo.com
17751775</programlisting>
1776- The first number in the <option>-L</option> argument, 3333, is the
1777- port number of your end of the tunnel; it can be chosen freely. The
1776+ The first number in the <option>-L</option> argument, 63333, is the
1777+ port number of your end of the tunnel; it can be chosen freely.
1778+ (IANA reserves ports 49152 through 65535 for private use.) The
17781779 second number, 5432, is the remote end of the tunnel: the port
1779- number your server is using. The name or IP address between
1780- the port numbers is the host with the database server you are going
1781- to connect to. In order to connect to the database server using
1782- this tunnel, you connect to port 3333 on the local machine:
1780+ number your server is using. The name or IP address between the
1781+ port numbers is the host with the database server you are going to
1782+ connect to, as seen from the host you are logging in to, which
1783+ is <literal>foo.com</literal> in this example. In order to connect
1784+ to the database server using this tunnel, you connect to port 63333
1785+ on the local machine:
17831786<programlisting>
1784- psql -h localhost -p 3333 postgres
1787+ psql -h localhost -p 63333 postgres
17851788</programlisting>
17861789 To the database server it will then look as though you are really
1787- user <literal>joe@foo.com</literal> and it will use whatever
1788- authentication procedure was configured for connections from this
1789- user and host. Note that the server will not think the connection is
1790- SSL-encrypted, since in fact it is not encrypted between the
1790+ user <literal>joe</literal> on host <literal>foo.com</literal>
1791+ connecting to <literal>localhost</literal> in that context, and it
1792+ will use whatever authentication procedure was configured for
1793+ connections from this user and host. Note that the server will not
1794+ think the connection is SSL-encrypted, since in fact it is not
1795+ encrypted between the
17911796 <application>SSH</application> server and the
17921797 <productname>PostgreSQL</productname> server. This should not pose any
17931798 extra security risk as long as they are on the same machine.
17941799 </para>
1800+
17951801 <para>
17961802 In order for the
17971803 tunnel setup to succeed you must be allowed to connect via
@@ -1800,6 +1806,28 @@ psql -h localhost -p 3333 postgres
18001806 terminal session.
18011807 </para>
18021808
1809+ <para>
1810+ You could also have set up the port forwarding as
1811+ <programlisting>
1812+ ssh -L 63333:foo.com:5432 joe@foo.com
1813+ </programlisting>
1814+ but then the database server will see the connection as coming in
1815+ on its <literal>foo.com</literal> interface, which is not opened by
1816+ the default setting <literal>listen_addresses =
1817+ 'localhost'</literal>. This is usually not what you want.
1818+ </para>
1819+
1820+ <para>
1821+ If you have to <quote>hop</quote> to the database server via some
1822+ login host, one possible setup could look like this:
1823+ <programlisting>
1824+ ssh -L 63333:db.foo.com:5432 joe@shell.foo.com
1825+ </programlisting>
1826+ SSH offers quite a few configuration possibilities when the network
1827+ is restricted in various ways. Please refer to the SSH
1828+ documentation for details.
1829+ </para>
1830+
18031831 <tip>
18041832 <para>
18051833 Several other applications exist that can provide secure tunnels using
0 commit comments