Monday, January 2, 2012

PostgreSQL - Security: SSH tunneling your PostgreSQL communications

In my previous entry I highlighted the importance of encrypting the communications between the clients and the backend server. The first approach I'll tackle is the SSH tunneling facility described in the official docs; I regard it as the most straightforward option (or at least the fastest to implement).

http://www.postgresql.org/docs/9.1/static/ssh-tunnels.html

Testing scenario
+ one PostgreSQL client running on a Windows machine (IP 192.168.56.66)
+ one PostgreSQL backend server running on Fedora Linux (IP 192.168.56.101)


Prerequisites:
+ An SSH server running on the host where the PostgreSQL backend server lives.
+ A Linux account on that host that you can log into over SSH, and a PostgreSQL role that pg_hba.conf allows to connect from the server's own loopback address (a tunneled connection reaches PostgreSQL from 127.0.0.1 or ::1, not from the client's IP).
+ PuTTY for Windows
+ Having understood what the on-line PostgreSQL documentation says on this matter.

This is the tutorial I'm using for the putty configuration:
http://oldsite.precedence.co.uk/nc/putty.html

- Note that I'm connecting through port 22 (the default SSH port).


- 63333 is the local port that will listen for connections on the client host, and it is the port I'll specify in the psql connection. As in the example from the PostgreSQL docs, PuTTY forwards it to localhost:5432, i.e. to PostgreSQL's default port as seen from the server itself.



- Make the SSH connection to the host where the PostgreSQL server is running (this opens the tunnel; the forward only exists while the session is up).
http://img848.imageshack.us/img848/2262/82292019.th.png


- Using the SSH tunnel: connect to the server with psql -h localhost -p 63333. psql only talks to the local end of the tunnel; PuTTY carries the traffic encrypted to the server, where sshd hands it to PostgreSQL on port 5432.


Drawbacks:
+ Encryption is not enforced: unless the server is additionally restricted (listening only on loopback, pg_hba.conf rejecting remote addresses, or a firewall on port 5432), it still accepts direct, unencrypted connections, so nothing stops a client from bypassing the tunnel.
+ I think that relying on the clients to set up the tunnel might not be a good idea.
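Closing the first drawback is a server-side matter, so as an added example (not from the post) here is the configuration that makes the tunnel the only way in. The commented-out "weak" lines are a hypothetical permissive starting point; the corrected lines rely only on standard postgresql.conf and pg_hba.conf settings available in 9.1.

```conf
# Added example, not from the post: make the SSH tunnel the only way to reach
# PostgreSQL. Two files are shown; both live in the data directory by default.

# --- postgresql.conf ---
# Weak: listen on every interface, so 192.168.56.101:5432 is reachable directly.
#listen_addresses = '*'
# Corrected: listen on loopback only. The tunnel's forward targets
# localhost:5432 *on the server*, so tunneled clients still get in, while a
# direct connection from the LAN is refused before pg_hba.conf is consulted.
listen_addresses = 'localhost'
port = 5432

# --- pg_hba.conf (first matching line wins) ---
# TYPE  DATABASE  USER  ADDRESS         METHOD
# Weak: any host may attempt a password login over an unencrypted connection.
#host   all       all   0.0.0.0/0       md5
# Corrected: only connections that arrive on the server's own loopback, which
# is where sshd delivers the forwarded traffic, may authenticate.
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
# Defense in depth: reject everything else explicitly, so the intent survives
# even if listen_addresses is widened later for some other reason.
host    all       all   0.0.0.0/0       reject
host    all       all   ::/0            reject
```

Changing listen_addresses needs a server restart; pg_hba.conf changes take effect on a reload (pg_ctl reload, or SELECT pg_reload_conf() as a superuser). After that, psql -h 192.168.56.101 -p 5432 from the client should fail with "connection refused", while psql -h localhost -p 63333 through the tunnel keeps working.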
