Secure Postgres access
reid at reidster.net
Sat Sep 9 19:40:20 CEST 2006
On Thu, 07 Sep 2006 18:36:32 -0700, Paul Rubin wrote:
> Reid Priedhorsky <reid at umn.edu> writes:
>> > Wouldn't they need a database password?
>> Well, right now, no. I have Postgres configured to trust the OS on who is
> You trust the OS on the client machine, but not the client machine's
> users? Does it run identd? Maybe you could use that. I'd consider
> this shaky for any real security application, but it might be better
> than nothing depending on what you're doing.
Thanks for your help.

No -- I suppose I wasn't clear. There are two machines involved:

A) Database server. Run by me. I trust the OS on who is who, and there is
only one user (me). So database clients run on this box don't require

B) Work machine. Run by others, many users. I'd like to also run my
database client (Python) here. SSH tunnel is unsatisfactory because other
folks can slip down the tunnel after I set it up and then connect to the
DB as me. Having the DB on (A) listen to the Internet as well as localhost
for connections is also unsatisfactory, because I don't want to set up

What I'd like is functionality similar to what Subversion does with
"svn+ssh://" URLs: an SSH tunnel that accepts only one connection and
doesn't have race conditions.
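
One way to close the shared-tunnel hole described above, as an added example that is not part of the original thread: forward a Unix-domain socket inside an owner-only directory instead of a localhost TCP port, so other users on the work machine cannot reach the tunnel's local end. It relies on Unix-socket forwarding in OpenSSH 6.7 and later; the host name and the server's socket directory are assumptions.

```python
import os
import stat
import tempfile

PG_PORT = 5432  # PostgreSQL default port


def make_private_dir(parent=None):
    """Create a fresh directory only the current user can enter."""
    # mkdtemp creates the directory with mode 0700 and a random name.
    return tempfile.mkdtemp(prefix="pgtunnel-", dir=parent)


def check_private(path):
    """Refuse a socket directory that other local users could reach."""
    st = os.lstat(path)  # lstat: a symlink planted by someone else is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path}: not a directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & 0o077:
        raise RuntimeError(f"{path}: accessible to group/other")
    return True


def tunnel_command(sock_dir, ssh_target, remote_sock_dir="/var/run/postgresql"):
    """Build the ssh argv forwarding a local Unix socket to the server's socket.

    remote_sock_dir is an assumption; use the server's actual socket directory.
    """
    check_private(sock_dir)
    name = f".s.PGSQL.{PG_PORT}"  # file name libpq looks for inside host=<dir>
    local = os.path.join(sock_dir, name)
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",  # fail instead of running unforwarded
        "-o", "StreamLocalBindMask=0177",  # the socket itself is owner-only
        "-L", f"{local}:{remote_sock_dir}/{name}",
        ssh_target,
    ]


if __name__ == "__main__":
    d = make_private_dir()
    # "me@dbserver.example" is a placeholder for the database server (A).
    print(" ".join(tunnel_command(d, "me@dbserver.example")))
```

Once ssh is running with that command, a libpq-based client connects by passing the directory as the host (for example `host=<that directory>`), and the server receives the connection on its local socket rather than over TCP.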