Обсуждение: BUG #3968: ssh tunnel instructions could use improvement

The following bug has been logged online:

Bug reference:      3968
Logged by:          Faheem Mitha
Email address:      faheem@email.unc.edu
PostgreSQL version: 8.1.11
Operating system:   Debian etch
Description:        ssh tunnel instructions could use improvement
Details:

Hi,

Currently http://www.postgresql.org/docs/8.3/static/ssh-tunnels.html

has instructions that say to set up a local port forward

to do

ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com

I think this should be changed to

ssh -L 3333:localhost:5432 joe@foo.com

The reason is that this assumes the postgres server on foo.com allows
connections from foo.com, since trying to connect to port 3333 on the local
machine using the instructions given in the docs, will attempt to initiate a
connection to the postgres server, which will appear to it to be coming from
foo.com.

However, it appears more likely, and is the Debian default, that the server
only allows connections on localhost. This is a major source of potential
confusion for people not familar with port forwarding.

Also, I'd suggest mentioning that you can put other
addresses in place of localhost, but that the database needs to give
permission to connect from those addresses, and in particular for

ssh -L 3333:localhost:5432 joe@foo.com

psql -h localhost -p 3333 postgres

to work, the database needs to allow a TCP/IP connection from localhost.
This seems a pretty standard default, though.
                                              Faheem.

Am Montag, 18. Februar 2008 schrieb Faheem Mitha:
> ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com
>
> I think this should be changed to
>
> ssh -L 3333:localhost:5432 joe@foo.com

Good point.  Please see the updated version at
http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html in a few
minutes.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Am Dienstag, 26. Februar 2008 schrieb Faheem Mitha:
> At the end, you might want to point out that in the line
>
> ssh -L 63333:db.foo.com:5432 joe@shell.foo.com
>
> the connection from shell.foo.com to db.foo.com will not be encrypted by
> the ssh tunnel, at least according to the documentation I've read.

Good point.  Added.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

On Tue, 26 Feb 2008, Peter Eisentraut wrote:

> Am Montag, 18. Februar 2008 schrieb Faheem Mitha:
>> ssh -L 333ssh -L 3333:foo.com:5432 joe@foo.com
>>
>> I think this should be changed to
>>
>> ssh -L 3333:localhost:5432 joe@foo.com
>
> Good point.  Please see the updated version at
> http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html in a few
> minutes.
>
> --
> Peter Eisentraut
> http://developer.postgresql.org/~petere/

Hi Peter,

Thanks for agreeing to the change. Your improvements to the page look
good.

At the end, you might want to point out that in the line

ssh -L 63333:db.foo.com:5432 joe@shell.foo.com

the connection from shell.foo.com to db.foo.com will not be encrypted by
the ssh tunnel, at least according to the documentation I've read.

                                                        Take care, Faheem.