In the SSH setup instructions, change

ssh -L 3333:foo.com:5432 [email protected]

I think this should be changed to

ssh -L 3333:localhost:5432 [email protected]

The reason is that this assumes the postgres server on foo.com allows
connections from foo.com, which is not allowed by the default
listen_addresses setting.  Add more detail explaining this.

pointed out by Faheem Mitha

Also change the example port number 3333 to 63333 so no one can complain
that we are stealing a reserved port number.

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 2c9342272a074fa7de67a64e83f5c91d015c9a70..b9989d4c859de25c8e6c97a9432f4d6ee3439e63 100644 (file)
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,4 +1,4 @@
-
+
 
 
  Operating System Environment
@@ -1771,27 +1771,33 @@ chmod og-rwx server.key
    ssh as some user. Then you can establish a secure
    tunnel with a command like this from the client machine:
 
-ssh -L 3333:foo.com:5432 [email protected]
+ssh -L 63333:localhost:5432 [email protected]
 
-   The first number in the -L argument, 3333, is the
-   port number of your end of the tunnel; it can be chosen freely. The
+   The first number in the -L argument, 63333, is the
+   port number of your end of the tunnel; it can be chosen freely.
+   (IANA reserves ports 49152 through 65535 for private use.)  The
    second number, 5432, is the remote end of the tunnel: the port
-   number your server is using. The name or IP address between
-   the port numbers is the host with the database server you are going
-   to connect to. In order to connect to the database server using
-   this tunnel, you connect to port 3333 on the local machine:
+   number your server is using. The name or IP address between the
+   port numbers is the host with the database server you are going to
+   connect to, as seen from the host you are logging in to, which
+   is foo.com in this example. In order to connect
+   to the database server using this tunnel, you connect to port 63333
+   on the local machine:
 
-psql -h localhost -p 3333 postgres
+psql -h localhost -p 63333 postgres
 
    To the database server it will then look as though you are really
-   user [email protected] and it will use whatever
-   authentication procedure was configured for connections from this
-   user and host.  Note that the server will not think the connection is
-   SSL-encrypted, since in fact it is not encrypted between the
+   user joe on host foo.com
+   connecting to localhost in that context, and it
+   will use whatever authentication procedure was configured for
+   connections from this user and host.  Note that the server will not
+   think the connection is SSL-encrypted, since in fact it is not
+   encrypted between the
    SSH server and the
    PostgreSQL server.  This should not pose any
    extra security risk as long as they are on the same machine.
   
+
   
    In order for the
    tunnel setup to succeed you must be allowed to connect via
@@ -1800,6 +1806,28 @@ psql -h localhost -p 3333 postgres
    terminal session.
   
 
+  
+   You could also have set up the port forwarding as
+
+ssh -L 63333:foo.com:5432 [email protected]
+
+   but then the database server will see the connection as coming in
+   on its foo.com interface, which is not opened by
+   the default setting listen_addresses =
+   'localhost'.  This is usually not what you want.
+  
+
+  
+   If you have to hop to the database server via some
+   login host, one possible setup could look like this:
+
+ssh -L 63333:db.foo.com:5432 [email protected]
+
+   SSH offers quite a few configuration possibilities when the network
+   is restricted in various ways.  Please refer to the SSH
+   documentation for details.
+  
+
   
    
     Several other applications exist that can provide secure tunnels using