[GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread dfx
Dear Sirs,

Is it possible to connect to a PostgreSQL server from a client with a dynamic
IP (or from an unknown IP)?

How do I have to configure pg_hba.conf (and/or eventually my router, where the
server is located)?

I have no possibility to change the settings of the clients (my customers).

Thank you.

Domenico


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.3/1307 - Release Date: 02/03/2008
15:59



---(end of broadcast)---
TIP 9: In versions below 8.0, the planner will ignore your desire to
   choose an index scan if your joining column's datatypes do not
   match


Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Steven De Vriendt
Yes, it is possible if you use a service like dyndns: http://www.dyndns.com/
to convert your dynamic IP. If you use this service you connect your dynamic
IP to a hostname, which is dynamically updated by this service.
After that you can change your Windows hosts file to add the hostname
you have registered with dyndns to your localhost (or the IP that
resides in the network serving PostgreSQL).
When you have done all this, you can change your pg_hba.conf file as you
wish...

Steven

On Mon, Mar 3, 2008 at 11:01 AM, dfx [EMAIL PROTECTED] wrote:

> Dear Sirs,
>
> it is possible to connect to PostgreSQL server from a client with a dynamic
> IP (or from an unknown IP)?
>
> How I have to configure pg_hba.conf (and/or eventually my router, where the
> server is located)?
>
> I have no possibility to change the settings of clients (my customers)
>
> Thank you.
>
> Domenico





Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Jorge Godoy
On Monday 03 March 2008 07:01:17 dfx wrote:

> it is possible to connect to PostgreSQL server from a client with a dynamic
> IP (or from an unknown IP)?
>
> How I have to configure pg_hba.conf (and/or eventually my router, where the
> server is located)?

You'll have to make PostgreSQL accept connections from ANY IP in the possible 
range assigned to the networks where your customers are.  There are IP ranges 
for specific countries available...  You can also allow access from anywhere 
in the world.

I'd also recommend that you require the use of some cryptography such as SSL 
for that.

-- 
Jorge Godoy  [EMAIL PROTECTED]




Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread A. Kretschmer
On Mon, 03.03.2008, at 11:01:17 +0100, dfx wrote the following:
> Dear Sirs,
>
> it is possible to connect to PostgreSQL server from a client with a dynamic
> IP (or from an unknown IP)?

Of course, yes.

> How I have to configure pg_hba.conf (and/or eventually my router, where the
> server is located)?

Set the CIDR to 0.0.0.0/32.

> I have no possibility to change the settings of clients (my customers)

Keep in mind that this way everyone from around the world has access
to your database server. Consider other solutions like a VPN or an
SSH tunnel. At least you should use strong authentication (md5) or SSL.



Andreas
-- 
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: - Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net

---(end of broadcast)---
TIP 1: if posting/reading through Usenet, please send an appropriate
   subscribe-nomail command to [EMAIL PROTECTED] so that your
   message can get through to the mailing list cleanly


Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread dfx
I apologize for my confused exposition.

My server has a static, well-known IP.

The problem is that I don't know the IP of my customers (client side) and
then I cannot insert those addresses in the pg_hba.conf file.

The question is: Is there a method to avoid inserting the addresses of the
clients in pg_hba.conf and to allow connections from the internet with
security assured only by username and password?

Is the unique (mandatory) solution to this problem to use web services
(and then port 80), or are there some other solutions?

Thank you

Domenico







Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Magnus Hagander
On Mon, Mar 03, 2008 at 11:33:17AM +0100, A. Kretschmer wrote:
> On Mon, 03.03.2008, at 11:01:17 +0100, dfx wrote the following:
>> Dear Sirs,
>>
>> it is possible to connect to PostgreSQL server from a client with a dynamic
>> IP (or from an unknown IP)?
>
> Of course, yes.
>
>> How I have to configure pg_hba.conf (and/or eventually my router, where the
>> server is located)?
>
> Set the CIDR to 0.0.0.0/32.

That should be 0.0.0.0/0, I believe.

//Magnus

---(end of broadcast)---
TIP 2: Don't 'kill -9' the postmaster


Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread A. Kretschmer
On Mon, 03.03.2008, at 11:59:36 +0100, Magnus Hagander wrote the following:
>>> How I have to configure pg_hba.conf (and/or eventually my router, where
>>> the server is located)?
>>
>> Set the CIDR to 0.0.0.0/32.
>
> That should be 0.0.0.0/0, I believe.
>
> //Magnus

Magnus, right. Thx.


Andreas
-- 
Andreas Kretschmer
Contact:  Heynitz: 035242/47150,   D1: 0160/7141639 (more: - Header)
GnuPG-ID:   0x3FFF606C, private 0x7F4584DA   http://wwwkeys.de.pgp.net

---(end of broadcast)---
TIP 3: Have you checked our extensive FAQ?

   http://www.postgresql.org/docs/faq


Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Raymond O'Donnell

On 03/03/2008 11:01, dfx wrote:

> The question is: Is there a method to avoid to insert the addresses of
> the clients in the pg_hba.conf and to allow connections from internet
> with security assured only by username and password?

Yes, that's what people have been explaining: you insert a line
something like:

  host  [database]   [user]   0.0.0.0/0   md5

If you're asking if pg_hba.conf can be bypassed completely, then as far
as I know the answer is no. However, inserting the line above will
have a similar effect, at least with regard to incoming network connections.

HTH,

Ray.

---
Raymond O'Donnell, Director of Music, Galway Cathedral, Ireland
[EMAIL PROTECTED]
---



Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Jorge Godoy
On Monday 03 March 2008 08:08:36 Raymond O'Donnell wrote:
> On 03/03/2008 11:01, dfx wrote:
>> The question is: Is there a method to avoid to insert the addresses of
>> the clients in the pg_hba.conf and to allow connections from internet
>> with security assured only by username and password?
>
> Yes, that's what people have been explaining: you insert a line
> something like:
>
> host  [database]   [user]   0.0.0.0/0   md5

But make it hostssl instead of host, to require some cryptography in the
channel used, especially to authenticate the connection.

Opening your access to everyone without crypto sounds like something you don't
want to do.  Especially if users can change their own passwords...


-- 
Jorge Godoy  [EMAIL PROTECTED]
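
Added example (not part of the thread and not PostgreSQL's own code): a small Python audit of pg_hba.conf covering two points made in the messages above, that 0.0.0.0/32 does not mean "any client" while 0.0.0.0/0 does, and that a rule open to any address should be hostssl rather than host. The sample file, the appdb/appuser names and the function names are constructed for illustration; only CIDR-style address fields are handled.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread); appdb/appuser are placeholders.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER     ADDRESS        METHOD
local    all       all                     peer
host     appdb     appuser  0.0.0.0/32     md5
host     appdb     appuser  0.0.0.0/0      md5
hostssl  appdb     appuser  0.0.0.0/0      md5
host     appdb     appuser  0.0.0.0/0      trust
host     appdb     appuser  192.0.2.0/24   md5
"""

def rule_matches(cidr, client_ip):
    """True if client_ip falls inside the CIDR range of a pg_hba rule."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)

def audit_hba(text):
    """Return (line_no, severity, message) findings for CIDR-style network rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host") or "/" not in fields[3]:
            continue  # comments, local rules, hostnames and netmask-column form are skipped
        rtype, addr, method = fields[0], fields[3], fields[4]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((no, "error", f"unparseable address {addr}"))
            continue
        if net.network_address.is_unspecified and net.prefixlen == net.max_prefixlen:
            # /32 on the all-zero address matches that single address only
            findings.append((no, "error", f"{addr} matches only the all-zero address; any client is /0"))
        elif net.prefixlen == 0:
            if method in ("trust", "password"):
                findings.append((no, "critical", f"open to any address with method '{method}'"))
            if rtype in ("host", "hostnossl"):
                findings.append((no, "warning", f"'{rtype}' rule for any address allows unencrypted sessions; use hostssl"))
    return findings

if __name__ == "__main__":
    for no, severity, message in audit_hba(SAMPLE_HBA):
        print(f"line {no}: {severity}: {message}")
```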




Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread paul rivers

Jorge Godoy wrote:
> On Monday 03 March 2008 08:08:36 Raymond O'Donnell wrote:
>> On 03/03/2008 11:01, dfx wrote:
>>> The question is: Is there a method to avoid to insert the addresses of
>>> the clients in the pg_hba.conf and to allow connections from internet
>>> with security assured only by username and password?
>>
>> Yes, that's what people have been explaining: you insert a line
>> something like:
>>
>>    host  [database]   [user]   0.0.0.0/0   md5
>
> But make it hostssl instead of host, to require some cryptography in the
> channel used, especially to authenticate the connection.
>
> Opening your access to everyone without crypto sounds like something you don't
> want to do.  Especially if users can change their own passwords...

My understanding is no password is sent in the clear with md5 per:

http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD


Paul




Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread paul rivers

Collin wrote:
>>> But make it hostssl instead of host, to require some
>>> cryptography in the channel used, especially to authenticate the
>>> connection.
>>>
>>> Opening your access to everyone without crypto sounds like something
>>> you don't want to do.  Especially if users can change their own
>>> passwords...
>>
>> My understanding is no password is sent in the clear with md5 per:
>>
>> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
>>
>> Paul
>
> However, it depends on the sort of data you are accessing. Sending a
> MD5 password is all well and good but if your data consists of credit
> card info or trade secrets then you'll want that encrypted too.




Yes true, if your data is sensitive, go with SSL.

On the other hand, if you're sending credit card data around, you must 
comply with the PCI audit regulation, in which case there is exactly 
0.0% chance you're putting your database port on a public network.


Regards,
Paul




Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Collin




>> But make it hostssl instead of host, to require some cryptography
>> in the channel used, especially to authenticate the connection.
>>
>> Opening your access to everyone without crypto sounds like something
>> you don't want to do.  Especially if users can change their own
>> passwords...
>
> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
>
> Paul

However, it depends on the sort of data you are accessing. Sending a MD5 
password is all well and good but if your data consists of credit card 
info or trade secrets then you'll want that encrypted too.




Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Andrei Kovalevski

Hello,

Jorge Godoy wrote:
> On Monday 03 March 2008 08:08:36 Raymond O'Donnell wrote:
>> On 03/03/2008 11:01, dfx wrote:
>>> The question is: Is there a method to avoid to insert the addresses of
>>> the clients in the pg_hba.conf and to allow connections from internet
>>> with security assured only by username and password?
>>
>> Yes, that's what people have been explaining: you insert a line
>> something like:
>>
>>    host  [database]   [user]   0.0.0.0/0   md5
>
> But make it hostssl instead of host, to require some cryptography in the
> channel used, especially to authenticate the connection.
>
> Opening your access to everyone without crypto sounds like something you don't
> want to do.  Especially if users can change their own passwords...

Has anybody ever measured the performance slowdown for SSL connections?

--
Andrei Kovalevski
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Managed Services, Shared and Dedicated Hosting
Co-Authors: plPHP, ODBCng - http://www.commandprompt.com/



Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Tom Lane
Andrei Kovalevski [EMAIL PROTECTED] writes:
> Does anybody ever measured performance slowdown for SSL connections?

It's pretty significant percentage-wise on a local-loopback connection,
but for a connection over the open Internet I doubt it'd be an issue.

Unless your data is completely not private I'd recommend SSL for such a
situation.

regards, tom lane



Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread Jorge Godoy
On Monday 03 March 2008 13:17:03 you wrote:

> My understanding is no password is sent in the clear with md5 per:
>
> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD

But the MD5 hash is.  This page states that the password can't be directly 
sniffed, but one can still get the hash of the password and perform a 
dictionary attack against it on a local copy (i.e., without ever trying to 
connect to the server).

After a successful attack then one can connect directly to the server as if 
the password was known to him/her.

Encrypting the channel -- be it with SSL or SSH, for example -- will prevent
the sniffer from being able to capture the hash, so your password will be
safer.

-- 
Jorge Godoy  [EMAIL PROTECTED]


---(end of broadcast)---
TIP 5: don't forget to increase your free space map settings


Re: [GENERAL] Connect to postgres from a dynamic IP

2008-03-03 Thread brian

Jorge Godoy wrote:
> On Monday 03 March 2008 13:17:03 you wrote:
>> My understanding is no password is sent in the clear with md5 per:
>>
>> http://www.postgresql.org/docs/8.3/interactive/auth-methods.html#AUTH-PASSWORD
>
> But the MD5 hash is.  This page states that the password can't be directly
> sniffed, but one can still get the hash of the password and perform a
> dictionary attack against it on a local copy (i.e., without ever trying to
> connect to the server).
>
> After a successful attack then one can connect directly to the server as if
> the password was known to him/her.




No sense in pretending. I should think that password *would* be known in 
that scenario.


(ignoring hash collisions, of course)
