Thread: Connect to postgres from a dynamic IP

Dear Sirs,

it is possible to connect to PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?

How I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?

I have no possibility to change the settings of clients (my customers)

Thank you.

Domenico


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date: 02/03/2008
15:59

yes, it is possible if you use a service like dyndns: http://www.dyndns.com/
to "convert" your dynamic ip. If you use this service you connect your dynamic
ip to a hostname, which is dynamically updated by this service.
after that you can change your windows hosts file to add the hostname
you have registered with dyndns to your localhost (or the ip that
resides in the network serving PostgreSQL).
when you have done all this, you can change your pg_hba.conf file like you wish...

Steven

Em Monday 03 March 2008 07:01:17 dfx escreveu:

> it is possible to connect to PostgreSQL server from a client with a dynamic
> IP (or from an unknown IP)?
>
> How I have to configure pg_hba.conf (and/or eventually my router, where the
> server is located)?

You'll have to make PostgreSQL accept connections from ANY IP in the possible
range assigned to the networks where your customers are.  There are IP ranges
for specific countries available...  You can also allow access from anywhere
in the world.

I'd also recommend that you require the use of some cryptography such as SSL
for that.

--
Jorge Godoy      <jgodoy@gmail.com>

am  Mon, dem 03.03.2008, um 11:01:17 +0100 mailte dfx folgendes:
> Dear Sirs,
>
> it is possible to connect to PostgreSQL server from a client with a dynamic
> IP (or from an unknown IP)?

Of course, yes.


>
> How I have to configure pg_hba.conf (and/or eventually my router, where the
> server is located)?

Set the CIDR to 0.0.0.0/32.


>
> I have no possibility to change the settings of clients (my customers)

Keep in mind, with this way everyone from around the world have access
to your database-server. Consider other solutions like a VPN or a
SSH-Tunnel. At least you should use strong authentication (md5) or SSL.



Andreas
--
Andreas Kretschmer
Kontakt:  Heynitz: 035242/47150,   D1: 0160/7141639 (mehr: -> Header)
GnuPG-ID:   0x3FFF606C, privat 0x7F4584DA   http://wwwkeys.de.pgp.net

On Mon, Mar 03, 2008 at 11:33:17AM +0100, A. Kretschmer wrote:
> am  Mon, dem 03.03.2008, um 11:01:17 +0100 mailte dfx folgendes:
> > Dear Sirs,
> >
> > it is possible to connect to PostgreSQL server from a client with a dynamic
> > IP (or from an unknown IP)?
>
> Of course, yes.
>
>
> >
> > How I have to configure pg_hba.conf (and/or eventually my router, where the
> > server is located)?
>
> Set the CIDR to 0.0.0.0/32.

That should be 0.0.0.0/0, I beleive.

//Magnus

I apologize for my confuse exposition.

My server has a static, well known IP.

The problem is that I don't know the IP of my customers (client side) and
then
I cannot insert those addresses in pg_hba.conf file.

The question il: Is there a method to avoid to insert the addesses of the
clients
in the pg_hba.conf and to allow connections from internet with security
assured
only by username and password?

The unique (mandatory) solution to solve this problem id to use web services
(and then port 80)
or there are some other solutions?

Thank you

Domenico





No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date: 02/03/2008
15:59

am  Mon, dem 03.03.2008, um 11:59:36 +0100 mailte Magnus Hagander folgendes:
> > > How I have to configure pg_hba.conf (and/or eventually my router, where the
> > > server is located)?
> >
> > Set the CIDR to 0.0.0.0/32.
>
> That should be 0.0.0.0/0, I beleive.
>
> //Magnus

Magnus, right. Thx.


Andreas
--
Andreas Kretschmer
Kontakt:  Heynitz: 035242/47150,   D1: 0160/7141639 (mehr: -> Header)
GnuPG-ID:   0x3FFF606C, privat 0x7F4584DA   http://wwwkeys.de.pgp.net

On 03/03/2008 11:01, dfx wrote:

> The question il: Is there a method to avoid to insert the addesses of
> the clients in the pg_hba.conf and to allow connections from internet
> with security assured only by username and password?

Yes, that's what people have been explaining: you insert a line
something like:

   host  [database]   [user]   0.0.0.0/0   md5

if you're asking if pg_hba.conf can be bypassed completely, then as far
as I know the answer is no. However, inserting the line above will
have a similar effect, at least with regard to incoming network connections.

HTH,

Ray.

---------------------------------------------------------------
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
rod@iol.ie
---------------------------------------------------------------

Em Monday 03 March 2008 08:08:36 Raymond O'Donnell escreveu:
> On 03/03/2008 11:01, dfx wrote:
> > The question il: Is there a method to avoid to insert the addesses of
> > the clients in the pg_hba.conf and to allow connections from internet
> > with security assured only by username and password?
>
> Yes, that's what people have been explaining: you insert a line
> something like:
>
>    host  [database]   [user]   0.0.0.0/0   md5

But make it "hostssl" instead of "host", to require some cryptography in the
channel used, specially to authenticate the connection.

Opening your access to everyone without crypto sounds like something you don't
want to do.  Specially if users can change their own passwords...


--
Jorge Godoy      <jgodoy@gmail.com>

Jorge Godoy wrote:
> Em Monday 03 March 2008 08:08:36 Raymond O'Donnell escreveu:
>
>> On 03/03/2008 11:01, dfx wrote:
>>
>>> The question il: Is there a method to avoid to insert the addesses of
>>> the clients in the pg_hba.conf and to allow connections from internet
>>> with security assured only by username and password?
>>>
>> Yes, that's what people have been explaining: you insert a line
>> something like:
>>
>>    host  [database]   [user]   0.0.0.0/0   md5
>>
>
> But make it "hostssl" instead of "host", to require some cryptography in the
> channel used, specially to authenticate the connection.
>
> Opening your access to everyone without crypto sounds like something you don't
> want to do.  Specially if users can change their own passwords...

My understanding is no password is sent in the clear with md5 per:

http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD


Paul

Collin wrote:
>
>>>
>>> But make it "hostssl" instead of "host", to require some
>>> cryptography in the channel used, specially to authenticate the
>>> connection.
>>>
>>> Opening your access to everyone without crypto sounds like something
>>> you don't want to do.  Specially if users can change their own
>>> passwords...
>>
>> My understanding is no password is sent in the clear with md5 per:
>>
>> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
>>
>>
>>
>> Paul
>>
> However, it depends on the sort of data you are accessing. Sending a
> MD5 password is all well and good but if your data consists of credit
> card info or trade secrets then you'll want that encrypted too.
>

Yes true, if your data is sensitive, go with SSL.

On the other hand, if you're sending credit card data around, you must
comply with the PCI audit regulation, in which case there is exactly
0.0% chance you're putting your database port on a public network.

Regards,
Paul

>>
>> But make it "hostssl" instead of "host", to require some cryptography
>> in the channel used, specially to authenticate the connection.
>>
>> Opening your access to everyone without crypto sounds like something
>> you don't want to do.  Specially if users can change their own
>> passwords...
>
> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
>
>
>
> Paul
>
However, it depends on the sort of data you are accessing. Sending a MD5
password is all well and good but if your data consists of credit card
info or trade secrets then you'll want that encrypted too.

Hello,

Jorge Godoy wrote:

Em Monday 03 March 2008 08:08:36 Raymond O'Donnell escreveu: 

On 03/03/2008 11:01, dfx wrote:   

The question il: Is there a method to avoid to insert the addesses of
the clients in the pg_hba.conf and to allow connections from internet
with security assured only by username and password?     

Yes, that's what people have been explaining: you insert a line
something like:
  host  [database]   [user]   0.0.0.0/0   md5   

But make it "hostssl" instead of "host", to require some cryptography in the 
channel used, specially to authenticate the connection.

Opening your access to everyone without crypto sounds like something you don't 
want to do.  Specially if users can change their own passwords...

Does anybody ever measured performance slowdown for SSL connections?

-- 
Andrei Kovalevski
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: plPHP, ODBCng - http://www.commandprompt.com/

Andrei Kovalevski <andyk@commandprompt.com> writes:
> Does anybody ever measured performance slowdown for SSL connections?

It's pretty significant percentage-wise on a local-loopback connection,
but for a connection over the open Internet I doubt it'd be an issue.

Unless your data is completely not private I'd recommend SSL for such a
situation.

            regards, tom lane

Em Monday 03 March 2008 13:17:03 você escreveu:
>
> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
>ORD

But the MD5 hash is.  This page states that the password can't be directly
sniffed, but one can still get the hash of the password and perform a
dictionary attack against it on a local copy (i.e., without ever trying to
connect to the server).

After a successful attack then one can connect directly to the server as if
the password was known to him/her.

Crypting the channell -- be it with SSL or SSH, for example -- will prevent
the sniffer from being able to capture the hash, so your password will be
safer.

--
Jorge Godoy      <jgodoy@gmail.com>

Jorge Godoy wrote:
> Em Monday 03 March 2008 13:17:03 você escreveu:
>> My understanding is no password is sent in the clear with md5 per:
>>
>> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSW
>> ORD
>
> But the MD5 hash is.  This page states that the password can't be directly
> sniffed, but one can still get the hash of the password and perform a
> dictionary attack against it on a local copy (i.e., without ever trying to
> connect to the server).
>
> After a successful attack then one can connect directly to the server as if
> the password was known to him/her.
>

No sense in pretending. I should think that password *would* be known in
that scenario.

(ignoring hash collisions, of course)