Discussion: remote user


remote user

From
johnf
Date:
I have one remote user that wants to connect via DSL and a dynamic IP.  I do
NOT want to open the database to all internet IP's.  Of course the fear is
someone will attack and break the password for the remote user.  What is the
best way I can do this?
--
John Fabiani

Re: remote user

From
Tom Lane
Date:
johnf <jfabiani@yolo.com> writes:
> I have one remote user that wants to connect via DSL and a dynamic IP.  I do
> NOT want to open the database to all internet IP's.  Of course the fear is
> someone will attack and break the password for the remote user.  What is the
> best way I can do this?

Limit the range of IPs as much as you can, and require the connection to
use SSL, and maybe insist on a client certificate.

            regards, tom lane

Re: remote user

From
"A. Kretschmer"
Date:
On Wed, 12.12.2007, at 9:35:24 -0800, johnf wrote the following:
> I have one remote user that wants to connect via DSL and a dynamic IP.  I do
> NOT want to open the database to all internet IP's.  Of course the fear is
> someone will attack and break the password for the remote user.  What is the
> best way I can do this?

I would suggest a ssh-tunnel.


Andreas
--
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: -> Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net

Re: remote user

From
johnf
Date:
On Wednesday 12 December 2007 10:04:04 am A. Kretschmer wrote:
> On Wed, 12.12.2007, at 9:35:24 -0800, johnf wrote the following:
> > I have one remote user that wants to connect via DSL and a dynamic IP.  I
> > do NOT want to open the database to all internet IP's.  Of course the
> > fear is someone will attack and break the password for the remote user.
> > What is the best way I can do this?
>
> I would suggest a ssh-tunnel.
>
>
> Andreas

I guess I don't know enough about ssh because I thought it allowed users to
run apps on my server? How would I get a remote app that needs a connection
to the postgres server to use the ssh connection?

--
John Fabiani

Re: remote user

From
johnf
Date:
On Wednesday 12 December 2007 09:52:48 am Tom Lane wrote:
> johnf <jfabiani@yolo.com> writes:
> > I have one remote user that wants to connect via DSL and a dynamic IP.  I
> > do NOT want to open the database to all internet IP's.  Of course the
> > fear is someone will attack and break the password for the remote user.
> > What is the best way I can do this?
>
> Limit the range of IPs as much as you can, and require the connection to
> use SSL, and maybe insist on a client certificate.
>
>             regards, tom lane
>

What do you mean by a client certificate?  I'll assume it is some sort of key
that is passed to my server.  But would postgres use the key?  Or is this
just a way to ensure the user is who he says he is?


--
John Fabiani

Re: remote user

From
Tom Lane
Date:
johnf <jfabiani@yolo.com> writes:
> On Wednesday 12 December 2007 09:52:48 am Tom Lane wrote:
>> Limit the range of IPs as much as you can, and require the connection to
>> use SSL, and maybe insist on a client certificate.

> What do you mean by a client certificate?  I'll assume it is some sort of key
> that is passed to my server.  But would postgres use the key?  Or is this
> just a way to ensure the user is who he says he is?

I'm no expert on SSL usage, but there's some basic info here:
http://www.postgresql.org/docs/8.2/static/ssl-tcp.html
For the full story on SSL you'd want to visit
http://www.openssl.org/

            regards, tom lane

Re: remote user

From
johnf
Date:
On Wednesday 12 December 2007 02:00:30 pm Tom Lane wrote:
> johnf <jfabiani@yolo.com> writes:
> > On Wednesday 12 December 2007 09:52:48 am Tom Lane wrote:
> >> Limit the range of IPs as much as you can, and require the connection to
> >> use SSL, and maybe insist on a client certificate.
> >
> > What do you mean by a client certificate?  I'll assume it is some sort of
> > key that is passed to my server.  But would postgres use the key?  Or is
> > this just a way to ensure the user is who he says he is?
>
> I'm no expert on SSL usage, but there's some basic info here:
> http://www.postgresql.org/docs/8.2/static/ssl-tcp.html
> For the full story on SSL you'd want to visit
> http://www.openssl.org/
>
>             regards, tom lane

Thanks for the link, I'll need to read up on SSL.  This looks like it might
work.


--
John Fabiani

Re: remote user

From
"A. Kretschmer"
Date:
On Wed, 12.12.2007, at 10:11:21 -0800, johnf wrote the following:
> > I would suggest a ssh-tunnel.
> >
> >
> > Andreas
>
> I guess I don't know enough about ssh because I thought it allowed users to
> run apps on my server?

This is also possible.


> How would I get a remote app that needs a connection
> to the postgres server to use the ssh connection?

Two ways:
- remote login and run the application remotely (like psql)
- Port forwarding, I explain:
  ssh <remote> -L:5432:<ip pg-server>:5432

Read more:
http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html


Now TCP port 5432 on your local system is forwarded to the
PG server. You can use any application on your local host; it
seems as if the database is running locally on your host.

The connection to the PG server is encapsulated and encrypted through
the ssh connection. You don't need an open port on the remote side,
except SSH. And your server can be in a LAN behind the gateway with
a private address.



Other solution, as Tom suggested, SSL.


Andreas
--
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: -> Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net

Re: remote user

From
johnf
Date:
On Wednesday 12 December 2007 10:04:54 pm A. Kretschmer wrote:
> On Wed, 12.12.2007, at 10:11:21 -0800, johnf wrote the following:
> > > I would suggest a ssh-tunnel.
> > >
> > >
> > > Andreas
> >
> > I guess I don't know enough about ssh because I thought it allowed users
> > to run apps on my server?
>
> This is also possible.
>
> > How would I get a remote app that needs a connection
> > to the postgres server to use the ssh connection?
>
> Two ways:
> - remote login and run the application remotely (like psql)
> - Port forwarding, I explain:
>   ssh <remote> -L:5432:<ip pg-server>:5432
>
> Read more:
> http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html
>
>
> Now TCP port 5432 on your local system is forwarded to the
> PG server. You can use any application on your local host; it
> seems as if the database is running locally on your host.
>
> The connection to the PG server is encapsulated and encrypted through
> the ssh connection. You don't need an open port on the remote side,
> except SSH. And your server can be in a LAN behind the gateway with
> a private address.
>
>
>
> Other solution, as Tom suggested, SSL.
>
>
> Andreas

Thanks, this also looks like a possible solution.  But what does the postgres
server see as the IP coming from the client (is it 127.0.0.1)?  IOW, what/how
do I set up the pg_hba.conf to allow this connection?

--
John Fabiani

Re: remote user

From
"A. Kretschmer"
Date:
On Thu, 13.12.2007, at 7:12:26 -0800, johnf wrote the following:
> > - Port forwarding, I explain:
> >   ssh <remote> -L:5432:<ip pg-server>:5432
>
> Thanks, this also looks like a possible solution.  But what does the postgres
> server see as the IP coming from the client (is it 127.0.0.1)?  IOW, what/how
> do I set up the pg_hba.conf to allow this connection?

If the PG server is running on the gateway host: 127.0.0.1; if it is in the
LAN, then the internal gateway IP.


Andreas
--
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: -> Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net
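As an added example (not code from the thread or from PostgreSQL itself), a small Python evaluator of pg_hba.conf matching ties together Andreas's answer about the source address the server sees and Tom's advice to require SSL and narrow the IP range. The pg_hba.conf fragment, the database name appdb, the account remoteuser, the gateway's LAN address 192.168.1.1 and the ISP range 203.0.113.0/24 are all constructed assumptions.

```python
import ipaddress

# Constructed pg_hba.conf fragment (not from the thread). PostgreSQL reads it top
# down; the FIRST matching line decides the auth method, no match means reject.
# Simplified: host-type lines only, single names plus "all", no comma lists.
PG_HBA = """
# TYPE    DATABASE  USER        ADDRESS          METHOD
host      appdb     remoteuser  127.0.0.1/32     md5     # tunnel ends on PG host
host      appdb     remoteuser  192.168.1.1/32   md5     # tunnel ends on gateway
hostssl   appdb     remoteuser  203.0.113.0/24   md5     # direct: SSL + narrow range
host      all       all         0.0.0.0/0        reject  # everything else
"""

def parse_hba(text):
    """Turn pg_hba.conf text into (type, database, user, network, method) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        conn_type, db, user, addr, method = line.split()[:5]
        net = ipaddress.ip_network(addr, strict=False)
        rules.append((conn_type, db, user, net, method))
    return rules

def match_hba(rules, database, user, client_ip, ssl=False):
    """Return the METHOD of the first rule matching this connection, else None."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, db, usr, net, method in rules:
        if conn_type == "hostssl" and not ssl:        # Tom's "require SSL"
            continue
        if conn_type == "hostnossl" and ssl:
            continue
        if ip not in net:
            continue
        if db != "all" and db != database:
            continue
        if usr != "all" and usr != user:
            continue
        return method
    return None

RULES = parse_hba(PG_HBA)

def tunnel_user_allowed(client_ip, ssl=False):
    """The thread's case: remoteuser connecting to appdb, as seen from client_ip."""
    method = match_hba(RULES, "appdb", "remoteuser", client_ip, ssl)
    return method is not None and method != "reject"
```

One caveat on the tunnel itself: per ssh(1), an empty bind address before the port in -L (the leading colon in Andreas's command) makes the forwarded port listen on all interfaces of the user's machine, so -L localhost:5432:... keeps it reachable only from that host.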