Secure Postgres access

Reid Priedhorsky reid at reidster.net
Sat Sep 9 19:40:20 CEST 2006


On Thu, 07 Sep 2006 18:36:32 -0700, Paul Rubin wrote:

> Reid Priedhorsky <reid at umn.edu> writes:
>> > Wouldn't they need a database password?
>> 
>> Well, right now, no. I have Postgres configured to trust the OS on who is
>> who. 
> 
> You trust the OS on the client machine, but not the client machine's
> users?  Does it run identd?  Maybe you could use that.  I'd consider
> this shaky for any real security application, but it might be better
> than nothing depending on what you're doing.

Hi Paul,

Thanks for your help.

No -- I suppose I wasn't clear. There are two machines involved:

A) Database server. Run by me. I trust the OS on who is who, and there is
only one user (me). So database clients run on this box don't require
a password.

B) Work machine. Run by others, many users. I'd like to also run my
database client (Python) here. SSH tunnel is unsatisfactory because other
folks can slip down the tunnel after I set it up and then connect to the
DB as me. Having the DB on (A) listen to the Internet as well as localhost
for connections is also unsatisfactory, because I don't want to set up
database passwords.

What I'd like is functionality similar to what Subversion does with
"svn+ssh://" URLs: an SSH tunnel that accepts only one connection and
doesn't have race conditions.

Thanks again,

Reid
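
An added example, not part of the original post: one way to get a tunnel on machine B that other local users cannot enter is to forward a Unix-domain socket inside a mode-0700 directory instead of a TCP port. It assumes an OpenSSH client that supports Unix-socket forwarding (6.7 or later) and Postgres on the server listening on localhost:5432; the function names and the host `dbserver.example` are hypothetical.

```python
import os
import stat
import subprocess
import tempfile
import time

PG_SOCKET_NAME = ".s.PGSQL.5432"  # file name libpq looks for inside a socket directory


def make_private_dir():
    """Create a directory only the current user can enter (mode 0700)."""
    path = tempfile.mkdtemp(prefix="pgtunnel-")
    os.chmod(path, 0o700)  # mkdtemp already does this; set it explicitly anyway
    return path


def is_private(path):
    """True if path is a real directory, owned by us, with no group/other access."""
    st = os.lstat(path)  # lstat: a symlink planted by someone else must not pass
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and (stat.S_IMODE(st.st_mode) & 0o077) == 0)


def ssh_command(sock_dir, server, remote_port=5432):
    """argv for an ssh client that forwards a local Unix socket, not a TCP port."""
    local_sock = os.path.join(sock_dir, PG_SOCKET_NAME)
    return ["ssh", "-N",
            "-o", "ExitOnForwardFailure=yes",
            "-o", "StreamLocalBindMask=0177",  # socket file itself created as 0600
            "-L", f"{local_sock}:localhost:{remote_port}",
            server]


def open_tunnel(server, timeout=10.0):
    """Start the tunnel; return (process, directory to pass as the libpq host)."""
    sock_dir = make_private_dir()
    if not is_private(sock_dir):
        raise RuntimeError("socket directory is accessible to other users")
    proc = subprocess.Popen(ssh_command(sock_dir, server))
    deadline = time.monotonic() + timeout
    while not os.path.exists(os.path.join(sock_dir, PG_SOCKET_NAME)):
        if proc.poll() is not None or time.monotonic() > deadline:
            proc.kill()
            raise RuntimeError("ssh tunnel did not come up")
        time.sleep(0.1)
    return proc, sock_dir
```

A libpq-based driver treats a `host` value that starts with `/` as a socket directory, so the directory returned by `open_tunnel` is passed as the host. Access is then decided by file permissions before any connection is accepted, so there is no window in which another user can connect first.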


