securing postgresql on fbsd

Sheets, Jason (Manpower Contract) jason.sheets at hp.com
Thu Aug 19 13:53:32 PDT 2004 

It looks like you configured the tunnel to point to the public host
(dbsrv1) and configured PostgreSQL to only listen on the loopback
127.0.0.1.

Try tunneling to 127.0.0.1:5432 instead of dbsrv1

Something like

ssh -L 5001:127.0.0.1:5432 iddwb at dbsrv1

Jason
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of David Bear
Sent: Thursday, August 19, 2004 12:38 PM
To: freebsd-questions at freebsd.org
Subject: securing postgresql on fbsd


This is not strictly a freebsd question, but this group is the
smartest around... so

I've installed postgresql on freebsd  4.10-rel.  I want to secure ALL
connections to postgres through ssh. So I first configured postgresql
to connect ONLY to 127.0.0.1 port 5432.  Then, when attempting to ssh
to tunnel to it from another machine I got an error:
---------------
Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from
+129.219.69.200 port 33068 ssh2
Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206
port 5432:
+Connection refused
Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu
port 5432:
+failed.
----------------
So it looks like I wasn't building the tunnel correctly. From the
remote host connecting to the freebsd postgresql server I was using:

ssh -L 5001:dbsrv1:5432 iddwb at dbsrv1

But it looks like that is forbidden to connect to 'localhost' on the
remote machine, ie on dbsrv1.

I was able to get postgresql to bind to all adapters, and connect to
it using the above tunnel.  But then I have an open port on dbsrv1
that anyone can connect to... ie I can straight telnet dbsrv1 5432 and
reach it unencrypted. It binds to a public interface, and I don't want
that.

I know postgresql has an ssl option, but I was hoping to just use ssh
tunneling.

hoping this make sense, I'm wondering what other freebsd users have
done to secure postgresql? or how to make ssh tunnel 'all the way
through to the remote "localhost"'..

-- 
David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, everyone will be suspect of trespassing"


----- End forwarded message -----

-- 
David Bear
phone: 	480-965-8257
fax: 	480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
 "Beware the IP portfolio, everyone will be suspect of trespassing"
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list