Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
关注 1
点赞 0
百科 捐赠
gooderp18绿色标准版
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
目录树: 0f75e31513
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/ssh-tunnels.html

71 行
6.2KB
原始文件 Blame 文件历史 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>18.11. Secure TCP/IP Connections with SSH Tunnels</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="gssapi-enc.html" title="18.10. Secure TCP/IP Connections with GSSAPI Encryption" /><link rel="next" href="event-log-registration.html" title="18.12. Registering Event Log on Windows" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">18.11. Secure TCP/IP Connections with <span xmlns="http://www.w3.org/1999/xhtml" class="application">SSH</span> Tunnels</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="gssapi-enc.html" title="18.10. Secure TCP/IP Connections with GSSAPI Encryption">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="runtime.html" title="Chapter 18. Server Setup and Operation">Up</a></td><th width="60%" align="center">Chapter 18. Server Setup and Operation</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="event-log-registration.html" title="18.12. Registering Event Log on Windows">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SSH-TUNNELS"><div class="titlepage"><div><div><h2 class="title" style="clear: both">18.11. Secure TCP/IP Connections with <span class="application">SSH</span> Tunnels</h2></div></div></div><a id="id-1.6.5.13.2" class="indexterm"></a><p>

  3.    It is possible to use <span class="application">SSH</span> to encrypt the network

  4.    connection between clients and a

  5.    <span class="productname">PostgreSQL</span> server. Done properly, this

  6.    provides an adequately secure network connection, even for non-SSL-capable

  7.    clients.

  8.   </p><p>

  9.    First make sure that an <span class="application">SSH</span> server is

  10.    running properly on the same machine as the

  11.    <span class="productname">PostgreSQL</span> server and that you can log in using

  12.    <code class="command">ssh</code> as some user. Then you can establish a secure

  13.    tunnel with a command like this from the client machine:

  14. </p><pre class="programlisting">

  15. ssh -L 63333:localhost:5432 joe@foo.com

  16. </pre><p>

  17.    The first number in the <code class="option">-L</code> argument, 63333, is the

  18.    port number of your end of the tunnel; it can be any unused port.

  19.    (IANA reserves ports 49152 through 65535 for private use.)  The

  20.    second number, 5432, is the remote end of the tunnel: the port

  21.    number your server is using. The name or IP address between the

  22.    port numbers is the host with the database server you are going to

  23.    connect to, as seen from the host you are logging in to, which

  24.    is <code class="literal">foo.com</code> in this example. In order to connect

  25.    to the database server using this tunnel, you connect to port 63333

  26.    on the local machine:

  27. </p><pre class="programlisting">

  28. psql -h localhost -p 63333 postgres

  29. </pre><p>

  30.    To the database server it will then look as though you are really

  31.    user <code class="literal">joe</code> on host <code class="literal">foo.com</code>

  32.    connecting to <code class="literal">localhost</code> in that context, and it

  33.    will use whatever authentication procedure was configured for

  34.    connections from this user and host.  Note that the server will not

  35.    think the connection is SSL-encrypted, since in fact it is not

  36.    encrypted between the

  37.    <span class="application">SSH</span> server and the

  38.    <span class="productname">PostgreSQL</span> server.  This should not pose any

  39.    extra security risk as long as they are on the same machine.

  40.   </p><p>

  41.    In order for the

  42.    tunnel setup to succeed you must be allowed to connect via

  43.    <code class="command">ssh</code> as <code class="literal">joe@foo.com</code>, just

  44.    as if you had attempted to use <code class="command">ssh</code> to create a

  45.    terminal session.

  46.   </p><p>

  47.    You could also have set up the port forwarding as

  48. </p><pre class="programlisting">

  49. ssh -L 63333:foo.com:5432 joe@foo.com

  50. </pre><p>

  51.    but then the database server will see the connection as coming in

  52.    on its <code class="literal">foo.com</code> interface, which is not opened by

  53.    the default setting <code class="literal">listen_addresses =

  54.    'localhost'</code>.  This is usually not what you want.

  55.   </p><p>

  56.    If you have to <span class="quote">“<span class="quote">hop</span>”</span> to the database server via some

  57.    login host, one possible setup could look like this:

  58. </p><pre class="programlisting">

  59. ssh -L 63333:db.foo.com:5432 joe@shell.foo.com

  60. </pre><p>

  61.    Note that this way the connection

  62.    from <code class="literal">shell.foo.com</code>

  63.    to <code class="literal">db.foo.com</code> will not be encrypted by the SSH

  64.    tunnel.

  65.    SSH offers quite a few configuration possibilities when the network

  66.    is restricted in various ways.  Please refer to the SSH

  67.    documentation for details.

  68.   </p><div class="tip"><h3 class="title">Tip</h3><p>

  69.     Several other applications exist that can provide secure tunnels using

  70.     a procedure similar in concept to the one just described.

  71.    </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="gssapi-enc.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="runtime.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="event-log-registration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">18.10. Secure TCP/IP Connections with GSSAPI Encryption </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18.12. Registering <span class="application">Event Log</span> on <span class="systemitem">Windows</span></td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1