From: David Bear
Reply-To: David.Bear@asu.edu
To: freebsd-questions@freebsd.org
Date: Thu, 19 Aug 2004 11:37:39 -0700
Subject: securing postgresql on fbsd
Message-id: <20040819183739.GD23172@asu.edu>

This is not strictly a freebsd question, but this group is the smartest around... so I've installed postgresql on freebsd 4.10-rel. I want to secure ALL connections to postgres through ssh.
So I first configured postgresql to connect ONLY to 127.0.0.1 port 5432. Then, when attempting to ssh to tunnel to it from another machine I got an error:

---------------
Aug 19 10:31:12 dbsrv1 sshd[157]: Accepted publickey for iddwb from 129.219.69.200 port 33068 ssh2
Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to 129.219.69.206 port 5432: Connection refused
Aug 19 10:31:40 dbsrv1 sshd[159]: error: connect_to dbsrv1.pp.asu.edu port 5432: failed.
----------------

So it looks like I wasn't building the tunnel correctly. From the remote host connecting to the freebsd postgresql server I was using:

    ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1

But it looks like that is forbidden to connect to 'localhost' on the remote machine, i.e. on dbsrv1.

I was able to get postgresql to bind to all adapters, and connect to it using the above tunnel. But then I have an open port on dbsrv1 that anyone can connect to... i.e. I can straight telnet dbsrv1 5432 and reach it unencrypted. It binds to a public interface, and I don't want that.

I know postgresql has an ssl option, but I was hoping to just use ssh tunneling.

Hoping this makes sense. I'm wondering what other freebsd users have done to secure postgresql? Or how to make the ssh tunnel go 'all the way through to the remote "localhost"'..

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"

----- End forwarded message -----
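The loopback-only tunnel the post is asking for, as an added example that is not part of the original message. It assumes PostgreSQL on dbsrv1 is bound to 127.0.0.1:5432, that the ssh user is iddwb, and that `sockstat -4 -l` output from the server is fed to the check; the sample sockstat lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes PostgreSQL on dbsrv1
# listens only on 127.0.0.1:5432 and that the ssh login "iddwb" works.
#
# The failing form was:  ssh -L 5001:dbsrv1:5432 iddwb@dbsrv1
# The destination host in -L is resolved by sshd on dbsrv1, so "dbsrv1"
# becomes its public address, where nothing listens. Naming 127.0.0.1
# there makes sshd connect to the loopback listener instead.
tunnel_cmd() {
    # $1 = local port, $2 = ssh user, $3 = ssh host, $4 = remote port
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$1" "$4" "$2" "$3"
}

# Run on dbsrv1 after changing the listen address: every listener on the
# PostgreSQL port must be bound to 127.0.0.1, never to * or a public
# address. Reads `sockstat -4 -l` output (FreeBSD) on stdin and returns 0
# only when the port is loopback-only.
loopback_only() {
    awk -v port="$1" '
        NR > 1 && $6 ~ (":" port "$") {
            split($6, a, ":"); total++
            if (a[1] == "127.0.0.1") ok++
        }
        END { exit !(total > 0 && ok == total) }'
}

# Constructed sockstat samples for demonstration (not real captures).
SOCKSTAT_LOOPBACK='USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
pgsql postgres 1234 3 tcp4 127.0.0.1:5432 *:*
root sshd 157 4 tcp4 *:22 *:*'
SOCKSTAT_EXPOSED='USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
pgsql postgres 1234 3 tcp4 *:5432 *:*
root sshd 157 4 tcp4 *:22 *:*'

# Wrapper: returns 0 if the sample is loopback-only, 1 if the port is exposed.
check_sample() { printf '%s\n' "$1" | loopback_only 5432; }

# Usage on the client, once the server-side check passes:
#   $(tunnel_cmd 5001 iddwb dbsrv1 5432) &
#   psql -h 127.0.0.1 -p 5001 -U iddwb dbname
# pg_hba.conf must allow "host" connections from 127.0.0.1, since the
# tunnelled session reaches PostgreSQL from loopback, not from the client.
```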