Thread: Incomplete online documentation on connecting via ssh tunnels
Hi,

If this is not the correct list for the mail, I can post to a more relevant one, suggest. Otherwise read on:

There was a discussion on connecting to a postgres server via SSH tunnels here:
http://archives.postgresql.org/pgsql-novice/2008-11/msg00060.php

The relevant documentations are (replace 8.3 by 8.2 or 8.1 or...):
http://www.postgresql.org/docs/8.3/static/ssh-tunnels.html

The concerned command is:
client$ ssh -L 3333:foo.com:5432 joe@foo.com

From the discussion on the novice list, I came to the conclusion that the above command works only when listen_addresses = '*' OR listen_addresses = 'a.b.c.d' (where a.b.c.d is the IP of foo.com; other IPs can be present too) is set in postgresql.conf.

But in most cases, for security reason, the server is quarantined within localhost by setting: listen_addresses = 'localhost'.

In this case, the ssh tunnel does not work. The correct command is:
client$ ssh -L 3333:localhost:5432 joe@foo.com
OR
client$ ssh -L 3333:127.0.0.1:5432 joe@foo.com

It is certainly not trivial to realize (ok, one should read the ssh manpage thoroughly) that the "localhost" or "127.0.0.1" host in the above commands is interpreted by foo.com and hence it works.

It would be extremely helpful to include this clarification on the online documentations (links above). Makes sense?

--
Regards
PK
--------------------------------------
http://counter.li.org #402424

P Kapat wrote:
> The relevant documentations are (replace 8.3 by 8.2 or 8.1 or...):
> http://www.postgresql.org/docs/8.3/static/ssh-tunnels.html
>
> The concerned command is:
> client$ ssh -L 3333:foo.com:5432 joe@foo.com
>
> From the discussion on the novice list, I came to the conclusion that
> the above command works only when listen_addresses = '*' OR
> listen_addresses = 'a.b.c.d'
> (where a.b.c.d is the IP of foo.com; other IPs can be present too) is
> set in postgresql.conf.
>
> But in most cases, for security reason, the server is quarantined
> within localhost by setting: listen_addresses = 'localhost'.
>
> In this case, the ssh tunnel does not work. The correct command is:
> client$ ssh -L 3333:localhost:5432 joe@foo.com
> OR
> client$ ssh -L 3333:127.0.0.1:5432 joe@foo.com

You are absolutely correct. Someone already pointed this out independently, and the 8.4devel documentation has much better information on this:
http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html

On Thu, Nov 20, 2008 at 3:26 AM, Peter Eisentraut <peter_e@gmx.net> wrote:
>
> http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html

That is much transparent. Would it not be better to link to the relevant section which describes the listen_addresses and port config parameters in postgres.conf? For example:
http://developer.postgresql.org/pgdocs/postgres/runtime-config-connection.html

--
Regards
PK
--------------------------------------
http://counter.li.org #402424

P Kapat wrote:
> On Thu, Nov 20, 2008 at 3:26 AM, Peter Eisentraut <peter_e@gmx.net> wrote:
>> http://developer.postgresql.org/pgdocs/postgres/ssh-tunnels.html
>
> That is much transparent. Would it not be better to link to the
> relevant section which describes the listen_addresses and port config
> parameters in postgres.conf?

Well, if you are enthusiastic enough you can link anything to anything, but it seems to me that the main point in that section is to work with the given address and port setup, not to create a new one, so it doesn't appear to be so important.
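
The behaviour discussed in this thread, as an added example that is not part of the original messages: a listener bound only to the loopback address stands in for postgres with listen_addresses = 'localhost', and the probe dials the forward destination from the same host, as the SSH server does for the host named in -L. The address 127.0.0.2 is a constructed stand-in for foo.com's own address a.b.c.d (assumption: a Linux host, where all of 127.0.0.0/8 is local), and the function names are hypothetical.

```python
import socket

# Constructed stand-ins (assumptions, not values from the thread):
LOOPBACK = "127.0.0.1"    # what "localhost" means on the server itself
OTHER_ADDR = "127.0.0.2"  # plays the role of foo.com's own address a.b.c.d


def start_listener(bind_addr):
    """Stand-in for postgres: bind to one address on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv


def forward_target_reachable(dest_host, port, timeout=1.0):
    """Dial dest_host:port from the server side, as sshd does for
    'ssh -L lport:dest_host:port user@server'."""
    try:
        with socket.create_connection((dest_host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def probe_bindings():
    """Try both forward destinations against a loopback-only listener
    and against a wildcard listener (listen_addresses = '*')."""
    results = {}
    for bind_addr in (LOOPBACK, "0.0.0.0"):
        srv = start_listener(bind_addr)
        port = srv.getsockname()[1]
        try:
            for dest in (LOOPBACK, OTHER_ADDR):
                results[(bind_addr, dest)] = forward_target_reachable(dest, port)
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for (bind_addr, dest), ok in probe_bindings().items():
        state = "connects" if ok else "fails"
        print(f"listener on {bind_addr:<9} forward target {dest:<9} -> {state}")
```

The loopback-only listener accepts the connection to 127.0.0.1 and rejects the one to the other address, which is why the forward has to name localhost once the server is restricted to loopback.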