Add information on ssh tunnelling from Gene Selkov.

diff --git a/doc/src/sgml/security.sgml b/doc/src/sgml/security.sgml
index 85f9d08..bd2c87e 100644 (file)
--- a/doc/src/sgml/security.sgml
+++ b/doc/src/sgml/security.sgml
@@ -523,6 +523,90 @@ jolly=>
     </para>
    </sect2>
   </sect1>
+
+  <sect1>
+   <title>Secure TCP/IP Connection</title>
+
+   <para>
+    <note>
+     <title>Author</title>
+     <para>
+      From e-mail by
+      <ulink url="selkovjr@mcs.anl.gov">Gene Selkov, Jr.</ulink>
+      written on 1999-09-08 in response to a
+      question from Eric Marsden.
+     </para>
+    </note>
+   </para>
+
+   <para>
+    One can use <productname>ssh</productname> to encrypt the network
+    connection between clients and a
+    <productname>Postgres</productname> server. Done properly, this
+    should lead to an adequately secure network connection.
+   </para>
+
+   <para>
+    The documentation for <productname>ssh</productname> provides most 
+    of the information to get started.
+    Please refer to
+    <ulink url="http://www.heimhardt.de/htdocs/ssh.html">http://www.heimhardt.de/htdocs/ssh.html</ulink>
+    for better insight.
+   </para>
+
+   <para>
+    A step-by-step explanation can be done in just two steps.
+   </para>
+
+   <procedure>
+    <title>Running a secure tunnel via ssh</title>
+
+    <para>
+     A step-by-step explanation can be done in just two steps.
+    </para>
+
+    <step performance="required" id="establish-tunnel">
+     <para>
+      Establish a tunnel to the backend machine, like this:
+
+      <programlisting>
+ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov
+      </programlisting>
+
+      The first number in the -L argument, 3333, is the port number of
+      your end of the tunnel. The second number, 5432, is the remote
+      end of the tunnel -- the port number your backend is using. The
+      name or the address in between the port numbers belongs to the
+      server machine, as does the last argument to ssh that also includes
+      the optional user name. Without the user name, ssh will try the
+      name you are currently logged on as on the client machine. You can
+      use any user name the server machine will accept, not necessarily
+      those related to postgres.
+     </para>
+    </step>
+
+    <step performance="required">
+     <para>
+      Now that you have a running ssh session, you can connect a
+      postgres client to your local host at the port number you
+      specified in the previous step. If it's
+      <application>psql</application>, you will need another shell
+      because the shell session you used in
+      <xref linkend="establish-tunnel"> is now occupied with
+      <application>ssh</application>.
+
+      <programlisting>
+psql -h localhost -p 3333 -d mpw
+      </programlisting>
+
+      Note that you have to specify the <option>-h</option> argument
+      to cause your client to use the TCP socket instead of the Unix
+      socket. You can omit the port argument if you chose 5432 as your
+      end of the tunnel.
+     </para>
+    </step>
+   </procedure>
+  </sect1>
 </chapter>
 
 <!-- Keep this comment at the end of the file