Thread:
I haven't actually done it but I believe in 7.2 MD5 is a possibility. Before this the ODBC driver just handled plain text authentication. (Although as you said you can use something like SSH tunneling)
- Stuart

-----Original Message-----
From: Peter E. Chen [mailto:pchen3@jhmi.edu]
Sent: 20 December 2001 15:55
To: pgadmin-support@postgresql.org
Subject: [pgadmin-support]

Hey All,

Can anyone please tell me whether or not pgAdmin can use encryption to connect to PostgreSQL. I want to find a way to connect to the database without sending clear text passwords.

Is SSH tunneling the only way?

Peter

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://archives.postgresql.org

> -----Original Message-----
> From: Peter E. Chen [mailto:pchen3@jhmi.edu]
> Sent: 20 December 2001 15:55
> To: pgadmin-support@postgresql.org
> Subject: [pgadmin-support]
>
> Hey All,
>
> Can anyone please tell me whether or not pgAdmin can use
> encryption to connect to PostgreSQL. I want to find a way to
> connect to the database without sending clear text passwords.
>
> Is SSH tunneling the only way?

Yes, at the moment it is.

Regards, Dave.

> -----Original Message-----
> From: Peter E. Chen [mailto:pchen3@jhmi.edu]
> Sent: 20 December 2001 16:15
> To: Dave Page
> Subject: RE: [pgadmin-support]
>
> Hi Dave,
>
> Can you tell me exactly how to tunnel? I'm not sure I'm
> doing it correctly. How do I know if it's working?
>
> Peter

Sorry Peter, I've never done it and don't have a clue how. Fred (if you're reading this :-) ), do you have a couple of minutes to give some pointers on this?

Cheers, Dave.

> -----Original Message-----
> From: Henshall, Stuart - WCP
> [mailto:SHenshall@westcountrypublications.co.uk]
> Sent: 20 December 2001 16:11
> To: 'Peter E. Chen'; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support]
>
> I haven't actually done it but I believe in 7.2 MD5 is a
> possibility. Before this the ODBC driver just handled plain
> text authentication. (Although as you said you can use
> something like SSH tunneling)
> - Stuart

Do you mean password encryption using MD5 (which pgAdmin handles already) or connection encryption? If the latter, how does the ODBC driver handle it - through a connection string option? I know Bruce added some MD5 code, but I never really looked at it.

/Dave.

> -----Original Message-----
> From: Peter E. Chen [mailto:pchen3@jhmi.edu]
> Sent: 20 December 2001 15:55
> To: pgadmin-support@postgresql.org
> Subject: [pgadmin-support]
>
> Hey All,
>
> Can anyone please tell me whether or not pgAdmin can use
> encryption to connect to PostgreSQL. I want to find a way to
> connect to the database without sending clear text passwords.
>
> Is SSH tunneling the only way?
>
> Peter

---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster

I was meaning password encryption as Peter mentioned passwords in particular. I was just regurgitating something I saw about Bruce adding MD5 to the ODBC driver on the ODBC list. I didn't realize PgAdminII already supported it, my mistake sorry.
- Stuart

-----Original Message-----
From: Dave Page [mailto:dpage@vale-housing.co.uk]
Sent: 20 December 2001 16:45
To: 'Henshall, Stuart - WCP'; 'Peter E. Chen'; pgadmin-support@postgresql.org
Subject: RE: [pgadmin-support]

> -----Original Message-----
> From: Henshall, Stuart - WCP
> [mailto:SHenshall@westcountrypublications.co.uk]
> Sent: 20 December 2001 16:11
> To: 'Peter E. Chen'; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support]
>
> I haven't actually done it but I believe in 7.2 MD5 is a
> possibility. Before this the ODBC driver just handled plain
> text authentication. (Although as you said you can use
> something like SSH tunneling)
> - Stuart

Do you mean password encryption using MD5 (which pgAdmin handles already) or connection encryption? If the latter, how does the ODBC driver handle it - through a connection string option? I know Bruce added some MD5 code, but I never really looked at it.

/Dave.

> -----Original Message-----
> From: Peter E. Chen [mailto:pchen3@jhmi.edu]
> Sent: 20 December 2001 15:55
> To: pgadmin-support@postgresql.org
> Subject: [pgadmin-support]
>
> Hey All,
>
> Can anyone please tell me whether or not pgAdmin can use
> encryption to connect to PostgreSQL. I want to find a way to
> connect to the database without sending clear text passwords.
>
> Is SSH tunneling the only way?
>
> Peter

> -----Original Message-----
> From: Henshall, Stuart - WCP
> [mailto:SHenshall@westcountrypublications.co.uk]
> Sent: 20 December 2001 16:55
> To: 'Dave Page'
> Cc: 'Peter E. Chen'; pgadmin-support@postgresql.org
> Subject: RE: [pgadmin-support]
>
> I was meaning password encryption as Peter mentioned
> passwords in particular. I was just regurgitating something I
> saw about Bruce adding MD5 to the ODBC driver on the ODBC
> list. I didn't realize PgAdminII already supported it, my
> mistake sorry.
> - Stuart

pgAdmin just supports the new ENCRYPTED PASSWORD options to CREATE/ALTER user. Nothing special there, and it only is encrypted in pg_shadow as far as I'm aware, *not* in any communications.

Regards, Dave.

On Thu, Dec 20, 2001 at 04:22:41PM -0000, Dave Page wrote:
> > Can you tell me exactly how to tunnel? I'm not sure I'm
> > doing it correctly. How do I know if it's working?
>
> Sorry Peter, I've never done it and don't have a clue how. Fred (if you're
> reading this :-) ), do you have a couple of minutes to give some pointers on
> this?

Executive summary:

+ Set up a local machine (call it "mylocalhost") to forward, via
  SSH, local port 35432 to remote port 5432 on the Postgres server
  (call it "dbhost").

+ Connect via pgAdmin to port 35432 on mylocalhost.

Details (specific to OpenSSH on mylocalhost):

+ Add the following to $HOME/.ssh/config in mylocalhost:

      Host dbhost
          Hostname dbhost.com
          User mynameondbhost
          LocalForward 35432 dbhost.com:5432
          GatewayPorts yes

  The 35432 port number is arbitrary. GatewayPorts must be allowed if
  you're running pgAdmin on a different machine than mylocalhost. In
  my case, mylocalhost is a Linux box on my LAN.

+ Open an ssh connection from mylocalhost to dbhost, and leave it open:

      $ ssh dbhost

  These first two steps can be combined by using command-line
  parameters to ssh to specify the port-forwarding, but I prefer to
  use the config file method.

+ Add the following to the pg_hba.conf file on dbhost:

      host all nnn.nnn.nnn.nnn 255.255.255.255 password

  where 'nnn.nnn.nnn.nnn' is the IP address of dbhost. I found that
  it didn't suffice to just have the standard similar entries for
  'local ...' and 'host all 127.0.0.1 ...'.

+ Run pgAdmin and connect to mylocalhost:

      Server: mylocalhost
      Port: 35432
      Username: [as normal]
      Password: [as normal]

+ When done with pgAdmin you may wish to tear down the ssh connection.

Note that the same forwarded port can be used with all the other Postgres utilities:

      $ psql -h mylocalhost -p 35432 -l -U postgres
      $ pg_dump -h mylocalhost -p 35432 -u some_db_name
      etc

--
Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA

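A check on the GatewayPorts setting in the config above, as an added example that is not part of Fred's post: with "GatewayPorts yes" the forwarded port 35432 listens on every interface of mylocalhost, so any machine on the LAN can reach it, and the hop from the pgAdmin machine to mylocalhost is outside the SSH tunnel. The hypothetical helper audit_forwards reads an OpenSSH client config and reports how each LocalForward is bound; the dbhost-local and dbhost-pinned blocks in the sample are constructed variants.

```shell
# Added example: classify how each LocalForward in an OpenSSH client config is
# bound. Assumption: each Host block is judged alone (no Match/Include/"Host *").
audit_forwards() {
    awk '
    function emit_block(   i, n, spec, bind, port) {
        for (i = 1; i <= nfwd; i++) {
            spec = listen[i]
            n = split(spec, part, ":")
            if (n > 1) {   # explicit bind address overrides GatewayPorts
                port = part[n]
                bind = substr(spec, 1, length(spec) - length(port) - 1)
                if (bind == "" || bind == "*") bind = "all-interfaces"
                else if (bind == "localhost" || bind == "127.0.0.1") bind = "loopback"
            } else {       # bare port: GatewayPorts decides
                port = spec
                bind = (gw == "yes") ? "all-interfaces" : "loopback"
            }
            print host, port, target[i], bind
        }
        nfwd = 0; gw = ""
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || NF == 0 { next }
    { key = tolower($1) }
    key == "host"         { emit_block(); host = $2 }
    key == "localforward" { listen[++nfwd] = $2; target[nfwd] = $3 }
    key == "gatewayports" && gw == "" { gw = tolower($2) }
    END { emit_block() }
    '
}

# Constructed input: first block is the one from the post, the rest are variants.
sample_config() {
    cat <<'EOF'
Host dbhost
    Hostname dbhost.com
    User mynameondbhost
    LocalForward 35432 dbhost.com:5432
    GatewayPorts yes
Host dbhost-local
    LocalForward 35433 dbhost.com:5432
Host dbhost-pinned
    LocalForward 127.0.0.1:35434 dbhost.com:5432
    GatewayPorts yes
EOF
}

sample_config | audit_forwards
```

Once the ssh session is open on mylocalhost, `ss -ltn` shows the address the forwarded port is actually listening on.
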
Thanks for that Fred, do you mind if I use it as the basis for a howto (properly credited of course)?

Regards, Dave.

> -----Original Message-----
> From: fred@ontosys.com [mailto:fred@ontosys.com]
> Sent: 20 December 2001 17:54
> To: Dave Page
> Cc: 'Peter E. Chen'; pgadmin-support@postgresql.org
> Subject: Re: [pgadmin-support]
>
> On Thu, Dec 20, 2001 at 04:22:41PM -0000, Dave Page wrote:
> > > Can you tell me exactly how to tunnel? I'm not sure I'm
> > > doing it correctly. How do I know if it's working?
> >
> > Sorry Peter, I've never done it and don't have a clue how. Fred (if
> > you're reading this :-) ), do you have a couple of minutes to give
> > some pointers on this?
>
> Executive summary:
>
> + Set up a local machine (call it "mylocalhost") to forward, via
>   SSH, local port 35432 to remote port 5432 on the Postgres server
>   (call it "dbhost").
>
> + Connect via pgAdmin to port 35432 on mylocalhost.
>
> Details (specific to OpenSSH on mylocalhost):
>
> + Add the following to $HOME/.ssh/config in mylocalhost:
>
>       Host dbhost
>           Hostname dbhost.com
>           User mynameondbhost
>           LocalForward 35432 dbhost.com:5432
>           GatewayPorts yes
>
>   The 35432 port number is arbitrary. GatewayPorts must be allowed if
>   you're running pgAdmin on a different machine than mylocalhost. In
>   my case, mylocalhost is a Linux box on my LAN.
>
> + Open an ssh connection from mylocalhost to dbhost, and
>   leave it open:
>
>       $ ssh dbhost
>
>   These first two steps can be combined by using command-line
>   parameters to ssh to specify the port-forwarding, but I prefer to
>   use the config file method.
>
> + Add the following to the pg_hba.conf file on dbhost:
>
>       host all nnn.nnn.nnn.nnn 255.255.255.255 password
>
>   where 'nnn.nnn.nnn.nnn' is the IP address of dbhost. I found that
>   it didn't suffice to just have the standard similar entries for
>   'local ...' and 'host all 127.0.0.1 ...'.
>
> + Run pgAdmin and connect to mylocalhost:
>
>       Server: mylocalhost
>       Port: 35432
>       Username: [as normal]
>       Password: [as normal]
>
> + When done with pgAdmin you may wish to tear down the ssh connection.
>
> Note that the same forwarded port can be used with all the
> other Postgres utilities:
>
>       $ psql -h mylocalhost -p 35432 -l -U postgres
>       $ pg_dump -h mylocalhost -p 35432 -u some_db_name
>       etc
>
> --
> Fred Yankowski           fred@OntoSys.com      tel: +1.630.879.1312
> Principal Consultant     www.OntoSys.com       fax: +1.630.879.1370
> OntoSys, Inc             38W242 Deerpath Rd, Batavia, IL 60510, USA