@@ -2611,34 +2611,39 @@ openssl x509 -req -in server.csr -text -days 365 \
26112611 First make sure that an <application>SSH</application> server is
26122612 running properly on the same machine as the
26132613 <productname>PostgreSQL</productname> server and that you can log in using
2614- <command>ssh</command> as some user. Then you can establish a secure
2615- tunnel with a command like this from the client machine:
2614+ <command>ssh</command> as some user; you then can establish a
2615+ secure tunnel to the remote server. A secure tunnel listens on a
2616+ local port and forwards all traffic to a port on the remote machine.
2617+ Traffic sent to the remote port can arrive on its
2618+ <literal>localhost</literal> address, or different bind
2619+ address if desired; it does not appear as coming from your
2620+ local machine. This command creates a secure tunnel from the client
2621+ machine to the remote machine <literal>foo.com</literal>:
26162622<programlisting>
26172623ssh -L 63333:localhost:5432 joe@foo.com
26182624</programlisting>
26192625 The first number in the <option>-L</option> argument, 63333, is the
2620- port number of your end of the tunnel; it can be any unused port.
2621- (IANA reserves ports 49152 through 65535 for private use.) The
2622- second number, 5432, is the remote end of the tunnel: the port
2623- number your server is using. The name or IP address between the
2624- port numbers is the host with the database server you are going to
2625- connect to, as seen from the host you are logging in to, which
2626- is <literal>foo.com</literal> in this example. In order to connect
2627- to the database server using this tunnel, you connect to port 63333
2628- on the local machine:
2626+ local port number of the tunnel; it can be any unused port. (IANA
2627+ reserves ports 49152 through 65535 for private use.) The name or IP
2628+ address after this is the remote bind address you are connecting to,
2629+ i.e., <literal>localhost</literal>, which is the default. The second
2630+ number, 5432, is the remote end of the tunnel, e.g., the port number
2631+ your database server is using. In order to connect to the database
2632+ server using this tunnel, you connect to port 63333 on the local
2633+ machine:
26292634<programlisting>
26302635psql -h localhost -p 63333 postgres
26312636</programlisting>
2632- To the database server it will then look as though you are really
2637+ To the database server it will then look as though you are
26332638 user <literal>joe</literal> on host <literal>foo.com</literal>
2634- connecting to <literal>localhost</literal>in that context , and it
2639+ connecting tothe <literal>localhost</literal>bind address , and it
26352640 will use whatever authentication procedure was configured for
2636- connectionsfrom this userand host . Note that the server will not
2641+ connectionsby that userto that bind address . Note that the server will not
26372642 think the connection is SSL-encrypted, since in fact it is not
26382643 encrypted between the
26392644 <application>SSH</application> server and the
26402645 <productname>PostgreSQL</productname> server. This should not pose any
2641- extra security riskas long as they are on the same machine.
2646+ extra security riskbecause they are on the same machine.
26422647 </para>
26432648
26442649 <para>
@@ -2650,12 +2655,12 @@ psql -h localhost -p 63333 postgres
26502655 </para>
26512656
26522657 <para>
2653- You could also have set upthe port forwarding as
2658+ You could also have set up port forwarding as
26542659<programlisting>
26552660ssh -L 63333:foo.com:5432 joe@foo.com
26562661</programlisting>
26572662 but then the database server will see the connection as coming in
2658- on its <literal>foo.com</literal>interface , which is not opened by
2663+ on its <literal>foo.com</literal>bind address , which is not opened by
26592664 the default setting <literal>listen_addresses =
26602665 'localhost'</literal>. This is usually not what you want.
26612666 </para>