SSH offers quite a few configuration possibilities when the network is restricted in various ways. Ssh -L 63333:db.foo.com:5432 that this way the connection from to db.foo.com will not be encrypted by the SSH tunnel. If you have to “ hop” to the database server via some login host, one possible setup could look like this: Ssh -L 63333:foo.com:5432 then the database server will see the connection as coming in on its foo.com bind address, which is not opened by the default setting listen_addresses = 'localhost'. You could also have set up port forwarding as psqlODBC Configuration Options Advanced Options 1/3 Dialog Box DEFAULTS: Press to this button restore the normal defaults for the settings described below. In order for the tunnel setup to succeed you must be allowed to connect via ssh as just as if you had attempted to use ssh to create a terminal session. This should not pose any extra security risk because they are on the same machine. Note that the server will not think the connection is SSL-encrypted, since in fact it is not encrypted between the SSH server and the PostgreSQL server.
To the database server it will then look as though you are user joe on host foo.com connecting to the localhost bind address, and it will use whatever authentication procedure was configured for connections by that user to that bind address. In order to connect to the database server using this tunnel, you connect to port 63333 on the local machine: The second number, 5432, is the remote end of the tunnel, e.g., the port number your database server is using. (IANA reserves ports 49152 through 65535 for private use.) The name or IP address after this is the remote bind address you are connecting to, i.e., localhost, which is the default. Ssh -L 63333:localhost:5432 first number in the -L argument, 63333, is the local port number of the tunnel it can be any unused port. The nf file can be read again with the pgctl reload command on the operating system or with the SELECT pgreloadconf () command from the psql command line tool. This signal can be sent to postgresql in two ways. This command creates a secure tunnel from the client machine to the remote machine foo.com: When Postgresql main process receives the SIGHUP signal, the Postgresql configuration file is read again. Traffic sent to the remote port can arrive on its localhost address, or different bind address if desired it does not appear as coming from your local machine. A secure tunnel listens on a local port and forwards all traffic to a port on the remote machine. Done properly, this provides an adequately secure network connection, even for non-SSL-capable clients.įirst make sure that an SSH server is running properly on the same machine as the PostgreSQL server and that you can log in using ssh as some user you then can establish a secure tunnel to the remote server. It is possible to use SSH to encrypt the network connection between clients and a PostgreSQL server.
19.11. Secure TCP/IP Connections with SSH Tunnels
0 kommentar(er)
