@@ -2679,34 +2679,39 @@ openssl x509 -req -in server.csr -text -days 365 \
26792679 First make sure that an <application>SSH</application> server is
26802680 running properly on the same machine as the
26812681 <productname>PostgreSQL</productname> server and that you can log in using
2682- <command>ssh</command> as some user. Then you can establish a secure
2683- tunnel with a command like this from the client machine:
2682+ <command>ssh</command> as some user; you then can establish a
2683+ secure tunnel to the remote server. A secure tunnel listens on a
2684+ local port and forwards all traffic to a port on the remote machine.
2685+ Traffic sent to the remote port can arrive on its
2686+ <literal>localhost</literal> address, or different bind
2687+ address if desired; it does not appear as coming from your
2688+ local machine. This command creates a secure tunnel from the client
2689+ machine to the remote machine <literal>foo.com</literal>:
26842690<programlisting>
26852691ssh -L 63333:localhost:5432 joe@foo.com
26862692</programlisting>
26872693 The first number in the <option>-L</option> argument, 63333, is the
2688- port number of your end of the tunnel; it can be any unused port.
2689- (IANA reserves ports 49152 through 65535 for private use.) The
2690- second number, 5432, is the remote end of the tunnel: the port
2691- number your server is using. The name or IP address between the
2692- port numbers is the host with the database server you are going to
2693- connect to, as seen from the host you are logging in to, which
2694- is <literal>foo.com</literal> in this example. In order to connect
2695- to the database server using this tunnel, you connect to port 63333
2696- on the local machine:
2694+ local port number of the tunnel; it can be any unused port. (IANA
2695+ reserves ports 49152 through 65535 for private use.) The name or IP
2696+ address after this is the remote bind address you are connecting to,
2697+ i.e., <literal>localhost</literal>, which is the default. The second
2698+ number, 5432, is the remote end of the tunnel, e.g., the port number
2699+ your database server is using. In order to connect to the database
2700+ server using this tunnel, you connect to port 63333 on the local
2701+ machine:
26972702<programlisting>
26982703psql -h localhost -p 63333 postgres
26992704</programlisting>
2700- To the database server it will then look as though you are really
2705+ To the database server it will then look as though you are
27012706 user <literal>joe</literal> on host <literal>foo.com</literal>
2702- connecting to <literal>localhost</literal>in that context , and it
2707+ connecting tothe <literal>localhost</literal>bind address , and it
27032708 will use whatever authentication procedure was configured for
2704- connectionsfrom this userand host . Note that the server will not
2709+ connectionsby that userto that bind address . Note that the server will not
27052710 think the connection is SSL-encrypted, since in fact it is not
27062711 encrypted between the
27072712 <application>SSH</application> server and the
27082713 <productname>PostgreSQL</productname> server. This should not pose any
2709- extra security riskas long as they are on the same machine.
2714+ extra security riskbecause they are on the same machine.
27102715 </para>
27112716
27122717 <para>
@@ -2718,12 +2723,12 @@ psql -h localhost -p 63333 postgres
27182723 </para>
27192724
27202725 <para>
2721- You could also have set upthe port forwarding as
2726+ You could also have set up port forwarding as
27222727<programlisting>
27232728ssh -L 63333:foo.com:5432 joe@foo.com
27242729</programlisting>
27252730 but then the database server will see the connection as coming in
2726- on its <literal>foo.com</literal>interface , which is not opened by
2731+ on its <literal>foo.com</literal>bind address , which is not opened by
27272732 the default setting <literal>listen_addresses =
27282733 'localhost'</literal>. This is usually not what you want.
27292734 </para>