Secure Postgres access
Reid Priedhorsky
reid at reidster.net
Sat Sep 9 13:40:20 EDT 2006
On Thu, 07 Sep 2006 18:36:32 -0700, Paul Rubin wrote:
> Reid Priedhorsky <reid at umn.edu> writes:
>> > Wouldn't they need a database password?
>>
>> Well, right now, no. I have Postgres configured to trust the OS on who is
>> who.
>
> You trust the OS on the client machine, but not the client machine's
> users? Does it run identd? Maybe you could use that. I'd consider
> this shaky for any real security application, but it might be better
> than nothing depending on what you're doing.

Hi Paul,

Thanks for your help.

No -- I suppose I wasn't clear. There are two machines involved:

A) Database server. Run by me. I trust the OS on who is who, and there is
only one user (me). So database clients run on this box don't require
a password.

B) Work machine. Run by others, many users. I'd like to also run my
database client (Python) here. SSH tunnel is unsatisfactory because other
folks can slip down the tunnel after I set it up and then connect to the
DB as me. Having the DB on (A) listen to the Internet as well as localhost
for connections is also unsatisfactory, because I don't want to set up
database passwords.

What I'd like is functionality similar to what Subversion does with
"svn+ssh://" URLs: an SSH tunnel that accepts only one connection and
doesn't have race conditions.

Thanks again,

Reid
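
Added example, not part of the original post: a sketch of the svn+ssh-style pattern asked about above, in which one local connection is relayed to a command's stdin/stdout through a Unix socket in a private directory instead of a loopback TCP port. The helper name serve_once, the socket name, and the ssh command in the comment are assumptions; "cat" is a constructed stand-in backend so the block runs offline.

```python
import os, socket, subprocess, tempfile, threading

def serve_once(command):
    """Relay exactly one local connection to `command`'s stdin/stdout.

    Returns (socket_path, worker_thread). Hypothetical helper, added example.
    """
    # mkdtemp() creates the directory with mode 0700, so only the owning
    # account can reach the socket inside it; a loopback TCP port opened by
    # "ssh -L" is reachable by every local user.
    private_dir = tempfile.mkdtemp(prefix="pgtunnel-")
    # libpq looks for ".s.PGSQL.<port>" when host= is a directory path.
    path = os.path.join(private_dir, ".s.PGSQL.5432")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(1)

    def run():
        conn, _ = listener.accept()
        listener.close()        # one connection only, as with svn+ssh
        os.unlink(path)         # nothing is left to connect to
        os.rmdir(private_dir)
        proc = subprocess.Popen(command, stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE)

        def to_client():
            while chunk := proc.stdout.read1(65536):
                conn.sendall(chunk)
            conn.shutdown(socket.SHUT_WR)

        back = threading.Thread(target=to_client, daemon=True)
        back.start()
        while chunk := conn.recv(65536):
            proc.stdin.write(chunk)
            proc.stdin.flush()
        proc.stdin.close()      # client finished: signal EOF to the command
        back.join()
        proc.wait()
        conn.close()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return path, worker

if __name__ == "__main__":
    # Constructed stand-in: "cat" echoes bytes back. A real command might be
    # ["ssh", "dbhost", "nc", "localhost", "5432"] (assumed host and tools).
    path, worker = serve_once(["cat"])
    print("connect a client with host=" + os.path.dirname(path))
    worker.join()
```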