Обсуждение: BUG #3968: ssh tunnel instructions could use improvement
The following bug has been logged online: Bug reference: 3968 Logged by: Faheem Mitha Email address: faheem@email.unc.edu PostgreSQL version: 8.1.11 Operating system: Debian etch Description: ssh tunnel instructions could use improvement Details: Hi, Currently http://www.postgresql.org/docs/8.3/static/ssh-tunnels.html has instructions that say to set up a local port forward to do ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com I think this should be changed to ssh -L 3333:localhost:5432 joe@foo.com The reason is that this assumes the postgres server on foo.com allows connections from foo.com, since trying to connect to port 3333 on the local machine using the instructions given in the docs, will attempt to initiate a connection to the postgres server, which will appear to it to be coming from foo.com. However, it appears more likely, and is the Debian default, that the server only allows connections on localhost. This is a major source of potential confusion for people not familar with port forwarding. Also, I'd suggest mentioning that you can put other addresses in place of localhost, but that the database needs to give permission to connect from those addresses, and in particular for ssh -L 3333:localhost:5432 joe@foo.com psql -h localhost -p 3333 postgres to work, the database needs to allow a TCP/IP connection from localhost. This seems a pretty standard default, though. Faheem.
Am Montag, 18. Februar 2008 schrieb Faheem Mitha: > ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com > > I think this should be changed to > > ssh -L 3333:localhost:5432 joe@foo.com Good point. Please see the updated version at http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html in a few minutes. -- Peter Eisentraut http://developer.postgresql.org/~petere/
Am Dienstag, 26. Februar 2008 schrieb Faheem Mitha: > At the end, you might want to point out that in the line > > ssh -L 63333:db.foo.com:5432 joe@shell.foo.com > > the connection from shell.foo.com to db.foo.com will not be encrypted by > the ssh tunnel, at least according to the documentation I've read. Good point. Added. -- Peter Eisentraut http://developer.postgresql.org/~petere/
On Tue, 26 Feb 2008, Peter Eisentraut wrote: > Am Montag, 18. Februar 2008 schrieb Faheem Mitha: >> ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com >> >> I think this should be changed to >> >> ssh -L 3333:localhost:5432 joe@foo.com > > Good point. Please see the updated version at > http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html in a few > minutes. > > -- > Peter Eisentraut > http://developer.postgresql.org/~petere/ Hi Peter, Thanks for agreeing to the change. Your improvements to the page look good. At the end, you might want to point out that in the line ssh -L 63333:db.foo.com:5432 joe@shell.foo.com the connection from shell.foo.com to db.foo.com will not be encrypted by the ssh tunnel, at least according to the documentation I've read. Take care, Faheem.