@@ -523,6 +523,90 @@ jolly=>
523523 </para>
524524 </sect2>
525525 </sect1>
526+
527+ <sect1>
528+ <title>Secure TCP/IP Connection</title>
529+
530+ <para>
531+ <note>
532+ <title>Author</title>
533+ <para>
534+ From e-mail by
535+ <ulink url="selkovjr@mcs.anl.gov">Gene Selkov, Jr.</ulink>
536+ written on 1999-09-08 in response to a
537+ question from Eric Marsden.
538+ </para>
539+ </note>
540+ </para>
541+
542+ <para>
543+ One can use <productname>ssh</productname> to encrypt the network
544+ connection between clients and a
545+ <productname>Postgres</productname> server. Done properly, this
546+ should lead to an adequately secure network connection.
547+ </para>
548+
549+ <para>
550+ The documentation for <productname>ssh</productname> provides most
551+ of the information to get started.
552+ Please refer to
553+ <ulink url="http://www.heimhardt.de/htdocs/ssh.html">http://www.heimhardt.de/htdocs/ssh.html</ulink>
554+ for better insight.
555+ </para>
556+
557+ <para>
558+ A step-by-step explanation can be done in just two steps.
559+ </para>
560+
561+ <procedure>
562+ <title>Running a secure tunnel via ssh</title>
563+
564+ <para>
565+ A step-by-step explanation can be done in just two steps.
566+ </para>
567+
568+ <step performance="required" id="establish-tunnel">
569+ <para>
570+ Establish a tunnel to the backend machine, like this:
571+
572+ <programlisting>
573+ ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov
574+ </programlisting>
575+
576+ The first number in the -L argument, 3333, is the port number of
577+ your end of the tunnel. The second number, 5432, is the remote
578+ end of the tunnel -- the port number your backend is using. The
579+ name or the address in between the port numbers belongs to the
580+ server machine, as does the last argument to ssh that also includes
581+ the optional user name. Without the user name, ssh will try the
582+ name you are currently logged on as on the client machine. You can
583+ use any user name the server machine will accept, not necessarily
584+ those related to postgres.
585+ </para>
586+ </step>
587+
588+ <step performance="required">
589+ <para>
590+ Now that you have a running ssh session, you can connect a
591+ postgres client to your local host at the port number you
592+ specified in the previous step. If it's
593+ <application>psql</application>, you will need another shell
594+ because the shell session you used in
595+ <xref linkend="establish-tunnel"> is now occupied with
596+ <application>ssh</application>.
597+
598+ <programlisting>
599+ psql -h localhost -p 3333 -d mpw
600+ </programlisting>
601+
602+ Note that you have to specify the <option>-h</option> argument
603+ to cause your client to use the TCP socket instead of the Unix
604+ socket. You can omit the port argument if you chose 5432 as your
605+ end of the tunnel.
606+ </para>
607+ </step>
608+ </procedure>
609+ </sect1>
526610</chapter>
527611
528612<!-- Keep this comment at the end of the file
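Review bot: the paragraph "A step-by-step explanation can be done in just two steps." appears twice in this hunk, once just before `<procedure>` and again as the first `<para>` inside it; drop one copy (the one inside the procedure reads naturally as its introduction). The author note's link `<ulink url="selkovjr@mcs.anl.gov">` is a bare e-mail address without a scheme and will not render as a working link; use `url="mailto:selkovjr@mcs.anl.gov"`. In the first step the remote end of the tunnel is given as `wit.mcs.anl.gov:5432`, so the backend will see the forwarded connection arriving from the server's own address rather than from loopback, yet the text says nothing about the server-side access configuration that must allow it; either point the remote end at `localhost:5432` or add a sentence saying the backend must accept TCP/IP connections from the address the tunnel uses. Since the section claims an "adequately secure network connection", it should also say that the forwarded local port (3333 here) is reachable by every user logged on to the client machine, not only the one who started ssh. Minor: ssh is marked up as `<productname>` in the introductory paragraphs but as `<application>` in the second step; pick one.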