Commit 566c6d4

doc: clarify the use of ssh port forwarding

Reported-by: karimelghazouly@gmail.com
Discussion: https://postgr.es/m/159854511172.24991.4373145230066586863@wrigleys.postgresql.org
Backpatch-through: 9.5

1 parent 6731f1e commit 566c6d4

1 file changed: +22 -17 lines changed

doc/src/sgml/runtime.sgml
@@ -2596,34 +2596,39 @@ openssl x509 -req -in server.csr -text -days 365 \
25962596
First make sure that an <application>SSH</application> server is
25972597
running properly on the same machine as the
25982598
<productname>PostgreSQL</productname> server and that you can log in using
2599-
<command>ssh</command> as some user. Then you can establish a secure
2600-
tunnel with a command like this from the client machine:
2599+
<command>ssh</command> as some user; you then can establish a
2600+
secure tunnel to the remote server. A secure tunnel listens on a
2601+
local port and forwards all traffic to a port on the remote machine.
2602+
Traffic sent to the remote port can arrive on its
2603+
<literal>localhost</literal> address, or different bind
2604+
address if desired; it does not appear as coming from your
2605+
local machine. This command creates a secure tunnel from the client
2606+
machine to the remote machine <literal>foo.com</literal>:
26012607
<programlisting>
26022608
ssh -L 63333:localhost:5432 joe@foo.com
26032609
</programlisting>
26042610
The first number in the <option>-L</option> argument, 63333, is the
2605-
port number of your end of the tunnel; it can be any unused port.
2606-
(IANA reserves ports 49152 through 65535 for private use.) The
2607-
second number, 5432, is the remote end of the tunnel: the port
2608-
number your server is using. The name or IP address between the
2609-
port numbers is the host with the database server you are going to
2610-
connect to, as seen from the host you are logging in to, which
2611-
is <literal>foo.com</literal> in this example. In order to connect
2612-
to the database server using this tunnel, you connect to port 63333
2613-
on the local machine:
2611+
local port number of the tunnel; it can be any unused port. (IANA
2612+
reserves ports 49152 through 65535 for private use.) The name or IP
2613+
address after this is the remote bind address you are connecting to,
2614+
i.e., <literal>localhost</literal>, which is the default. The second
2615+
number, 5432, is the remote end of the tunnel, e.g., the port number
2616+
your database server is using. In order to connect to the database
2617+
server using this tunnel, you connect to port 63333 on the local
2618+
machine:
26142619
<programlisting>
26152620
psql -h localhost -p 63333 postgres
26162621
</programlisting>
2617-
To the database server it will then look as though you are really
2622+
To the database server it will then look as though you are
26182623
user <literal>joe</literal> on host <literal>foo.com</literal>
2619-
connecting to <literal>localhost</literal>in that context, and it
2624+
connecting tothe<literal>localhost</literal>bind address, and it
26202625
will use whatever authentication procedure was configured for
2621-
connectionsfrom this userand host. Note that the server will not
2626+
connectionsby that userto that bind address. Note that the server will not
26222627
think the connection is SSL-encrypted, since in fact it is not
26232628
encrypted between the
26242629
<application>SSH</application> server and the
26252630
<productname>PostgreSQL</productname> server. This should not pose any
2626-
extra security riskas long as they are on the same machine.
2631+
extra security riskbecause they are on the same machine.
26272632
</para>
26282633

26292634
<para>
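Review bot: At new lines 2612-2614, "the remote bind address you are connecting to, i.e., localhost, which is the default" is ambiguous on two counts. In ssh's own usage for -L ([bind_address:]port:host:hostport), the bind address is the optional local listening address, while the field described here is the destination host, and that field has no default on the ssh command line; if the default meant is the server's listen_addresses setting, name it. The removed clause "as seen from the host you are logging in to" was also the only statement that this name is resolved on the SSH server side, so I would keep it in the new wording.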
@@ -2635,12 +2640,12 @@ psql -h localhost -p 63333 postgres
26352640
</para>
26362641

26372642
<para>
2638-
You could also have set uptheport forwarding as
2643+
You could also have set up port forwarding as
26392644
<programlisting>
26402645
ssh -L 63333:foo.com:5432 joe@foo.com
26412646
</programlisting>
26422647
but then the database server will see the connection as coming in
2643-
on its <literal>foo.com</literal>interface, which is not opened by
2648+
on its <literal>foo.com</literal>bind address, which is not opened by
26442649
the default setting <literal>listen_addresses =
26452650
'localhost'</literal>. This is usually not what you want.
26462651
</para>
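Review bot: The paragraph ending at new line 2650 still stops at "This is usually not what you want" without saying what the reader will observe or why. With the default listen_addresses = 'localhost' quoted here, the server is not listening on the foo.com address, so the forwarded connection fails; suggest stating that, and noting that adding that address to listen_addresses to make it work exposes port 5432 on the network side rather than only through the tunnel.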
