One can use SSH to encrypt the network connection between clients and a PostgreSQL server. Done properly, this provides an adequately secure network connection, even for non-SSL-capable clients.
First make sure that an SSH server is
running properly on the same machine as the
PostgreSQL server and that you can log in using
ssh
as some user. Then you can establish a secure
tunnel with a command like this from the client machine:
ssh -L 3333:foo.com:5432 joe@foo.com
The first number in the -L
argument, 3333, is the
port number of your end of the tunnel; it can be chosen freely. The
second number, 5432, is the remote end of the tunnel: the port
number your server is using. The name or IP address between
the port numbers is the host with the database server you are going
to connect to. In order to connect to the database server using
this tunnel, you connect to port 3333 on the local machine:
psql -h localhost -p 3333 postgres
To the database server it will then look as though you are really
user joe@foo.com
and it will use whatever
authentication procedure was configured for connections from this
user and host. Note that the server will not think the connection is
SSL-encrypted, since in fact it is not encrypted between the
SSH server and the
PostgreSQL server. This should not pose any
extra security risk as long as they are on the same machine.
In order for the
tunnel setup to succeed you must be allowed to connect via
ssh
as joe@foo.com
, just
as if you had attempted to use ssh
to set up a
terminal session.
Several other applications exist that can provide secure tunnels using a procedure similar in concept to the one just described.