Secure Postgres access

Reid Priedhorsky reid at umn.edu
Fri Sep 8 03:11:22 CEST 2006


On Wed, 06 Sep 2006 09:29:59 -0700, Paul Rubin wrote:

> Reid Priedhorsky <reid at reidster.net> writes:
>> I know how to forward ports using SSH, but I don't like doing this because
>> then anyone who knows the port number can connect to Postgres over the
>> same tunnel. (I'm not the only user on the client machine.)
> 
> Wouldn't they need a database password?

Well, right now, no. I have Postgres configured to trust the OS on who is
who. I would prefer not to change that because I don't want another place
containing authentication information. I'd like to connect by entering
only my SSH password, not my SSH password and a database password too.

This is why straight SSH tunneling, as suggested by Marshall and Larry,
isn't satisfactory: once I've set up the tunnel, anyone on the local
machine can connect to the tunnel and then they have passwordless access
into the database.

I control the database machine, and the only user is me. I don't control
the local machine, and it has many users I don't trust.

Thanks,

Reid




More information about the Python-list mailing list