Secure TCP/IP Connection

Author: From e-mail by Gene Selkov, Jr. written on 1999-09-08 in response to a question from Eric Marsden.

One can use ssh to encrypt the network connection between clients and a Postgres server. Done properly, this should lead to an adequately secure network connection.

The documentation for ssh provides most of the information to get started. Please refer to http://www.heimhardt.de/htdocs/ssh.html for better insight.

A step-by-step explanation can be done in just two steps.

Running a secure tunnel via ssh

  1. Establish a tunnel to the backend machine, like this:

    ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov
    The first number in the -L argument, 3333, is the port number of your end of the tunnel. The second number, 5432, is the remote end of the tunnel, the port number your backend is using. The name or address between the two port numbers is the server machine, as is the last argument to ssh, which also carries the optional user name. Without a user name, ssh will try the name you are currently logged on as on the client machine. You can use any user name the server machine will accept, not necessarily one related to postgres.

  2. Now that you have a running ssh session, you can connect a postgres client to your local host at the port number you specified in the previous step. If it's psql, you will need another shell because the shell session you used in step 1 is now occupied with ssh.

    psql -h localhost -p 3333 -d mpw
    Note that you have to specify the -h argument to cause your client to use the TCP socket instead of the Unix socket. You can omit the port argument if you chose 5432 as your end of the tunnel.
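As an added example that is not part of the original text, the two steps above wrapped into a small POSIX shell script. The host, ports, user and database are the placeholders from the steps; the -f/-N/ExitOnForwardFailure options and the explicit 127.0.0.1 bind address are additions to the command shown above, chosen so the tunnel need not occupy a shell and cannot be reached from other hosts.

```shell
#!/bin/sh
# Added example (not from the original page). Host, ports, user and
# database below are constructed placeholders taken from the two steps.

# Build the -L forwarding spec for ssh after sanity-checking both ports.
# Binding the local end to 127.0.0.1 explicitly keeps other machines on
# your network from riding your tunnel; ssh defaults to loopback, but an
# explicit bind address also holds if ssh_config sets GatewayPorts=yes.
forward_spec() {
    fs_local=$1; fs_server=$2; fs_remote=$3
    for p in "$fs_local" "$fs_remote"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    echo "127.0.0.1:${fs_local}:${fs_server}:${fs_remote}"
}

# Step 1: open the tunnel in the background (-f) with no remote shell (-N),
# so step 2 can run from the same terminal. ExitOnForwardFailure makes ssh
# fail loudly if the local port is already taken instead of staying up
# with no working tunnel.
open_tunnel() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "${4}@${2}"
}

# Step 2: connect through the local end of the tunnel. -h forces psql to
# use TCP rather than the Unix socket, exactly as the text notes.
connect_psql() {
    psql -h 127.0.0.1 -p "$1" -d "$2"
}

# Run both steps only when invoked with arguments, e.g.
#   sh pg_tunnel.sh 3333 wit.mcs.anl.gov 5432 postgres mpw
if [ "$#" -ge 5 ]; then
    open_tunnel "$1" "$2" "$3" "$4" && connect_psql "$1" "$5"
fi
```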