I received this error when trying to establish an SSH tunnel using pgAdmin3
I specified the private key location on my local machine (had to
enable hidden files on my Mac finder to see it),
entered the tunnel
host (used public host IP) and
checked the 'Identity file' option.
I don't have a password set on my key.
Received this error:
Authentication by identify file failed with error code -18
What am I doing wrong (or what do I need to do differently)?
I was getting this continously on windows (VM).
So I decided pgAdmin's built in ssh tunnel was no good and just used gSTM (On linux).
Forwarding the port from the remote server 5432 to local host 5555 worked.
Then I could just use pgAdmin III on Linux to connect.
You could probably use command line like this if you don't want to use a graphical tool such as gSTM.
ssh -fNg -L 5555:localhost:5432 {your_username}#{yourdomain.com}
Source: http://dustindavis.me/ssh-tunnel-in-pgadmin3-for-postgresql/
You can also use putty on windows to forward ports.
See Connection | SSH | Tunnels menu in the PuTTY Configuration.
http://www.akadia.com/services/ssh_putty.html
Then you can access it.
Of course be very carefull messing about in a remote database.
It is a good idea to label them a red or orange colour in pgAdmin to easily identify the ones that are not on your local network.
Related
I am trying to access a postgres server that has limited IP access in pg_hba.conf file.
I am trying to use dbeaver to access it.
I am - computer A
postgres server - computer C
server i can access postgres server from - computer B
In my computer I have this view.
As far as I understand I need to trick my computer into using the computer B.
So when i write postgreserver.blaah.com into host/ip and port 5432. It will ssh to computer B and then access it from there.
So in my ssh config file i wrote this:
LocalForward 5432:postgreserver.blaah.com:5432 myuser#server.b.com
Well this didn't work.
Any suggestions?
I don't think you should do anything in your ssh config (and which computer's ssh config was it?). DBeaver's SSH tab is an alternative to manually setting up your own tunnel.
If you have already manually set up your own tunnel, then you would just point DBeaver to it, you wouldn't tell DBeaver that it is using a tunnel. It doesn't need to know.
If you want DBeaver to set up the tunnel, then "computer_B" would go in the Host/IP field of the SSH tab. "computer_C" would go in the Host field of the Main tab.
I ended up using
ssh -L5432:databasehostname:5432 intermediatehostname
So this is running in a random shell somewhere on my screen while i am working with the database.
In DBeaver the hostname is localhost and port is 5432
and i am using Main connection tab not ssh tunnel.
I recently installed https://dbeaver.io/ on a Windows PC and wish to access a database on a remote Linux server from it.
My Linux username is my_username and I also have a system user psql_user. I also have two existing PostgreSQL databases with the same name as their respective user. Typically, only the psql_user is used and is access by a php-fpm pool listening to a Unix socket and running as user psql_user, and as such have configured /var/lib/pgsql/12/data/pg_hba.conf as:
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 ident
host all all ::1/128 ident
local replication all peer
host replication all 127.0.0.1/32 ident
host replication all ::1/128 ident
With the above configuration, after ssh'ing onto the server, I can access the my_username database by executing psql and can also access the psql_user database by executing sudo -u psql_user psql and do not need to use a password for either.
But now, how to connect from the remote Windows PC?
To attempt to do so, I first created ssh keys without passphrases on the Windows PC for both my_username and psql_user and added the public key to each Linux user's authorized_keys (had to manually create /home/psql_user/ because it is a systems user). I can can successfully PuTTY to the server as either using the ssh keys.
Next, on the DBeaver connection settings SSH tab, I checked "Use SSH Tunnel", entered the username and private key location and the Test tunnel configuration successfully shows connected with the client version as SSH-2.0-JSCH-01.54 and server version as SSH-2.0-OpenSSH_7.4. I also made no changes to the Advanced portion of this tab such as local and remote hosts and ports, and have also left the "You can use variables in SSH parameters" at their default values.
Using my server IP in the main tab, Authentication "Database Native", and leave password empty, I test the connection but get The connection attempt failed. syslog reports that connection to the IP on port 5432 failed which makes sense because I am set up using Unix sockets.
So, then I change the server IP on the main tab to 127.0.0.1 (or localhost) and try again but get FATAL: Ident authentication failed for user "my_username". Okay, a little closer, but not quite there.
I think it might be because DBeaver is passing the port so I attempt to disable this part by got to the Edit Driver tab and changing jdbc:postgresql://{host}[:{port}]/[{database}] to jdbc:postgresql://{host}/[{database}], but now get Connection to 127.0.0.1:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
Not sure where to go next. When I PuTTY into the Linux machine, all is good but not when connecting remotely using DBeaver, and thought it would be the same if I am using SSH to connect DBeaver to the server. How can this be accomplished?
As pointed out in the other answer, DBeaver's SSH tunnel option doesn't support sockets currently. It is always TCP port based, so only connections using the host options in pg_hba.conf can be made (I've placed a feature request for SSH socket forwarding in DBeaver).
Here's how to set up forwarding of a local TCP port to a remote Unix socket. This allows you to use peer authentication over the Unix socket, so you don't have to provide a password for the PostgreSQL role:
ssh username#dbserver.example.com -L 5555:/var/run/postgresql/.s.PGSQL.5432 -fN
While I think that ssh tunnelling can be set up to connect to a unix socket rather than a port, I don't think dbeaver offers a way to do that, so you would have to set it up separately.
Although ident should also work if your server runs the identd service. I think most linux don't do that by default, but just apt install oidentd or whatever the equiv would be on your package manager should fix that.
The easier solution would be to just change the method from ident to md5 or scram, and assign a password (which dbeaver offers to memorize).
I'm trying to follow the digital ocean tutorial on configuring pgadmin4 in server mode, but damn it is long, and I have to first configure apache server, python and virtualenv (via other 2 tutorials).
I don't want to install so many dependencies in my server just to access postgres via pgamin 4.
How do you guys do it?
I'm running a go webserver via https listening on ports 443 and redirecting 80 to 443
Seeing your other answer I would like to offer a more secure alternative.
What's wrong with the current approach?
Your PostgreSQL instance is accessible from the internet. Generally you should try to limit access only where it is required. Especially if you are not using SSL to connect to PostgreSQL, an open port like this is a target for traffic interception and brute force attacks.
Alternative
Seeing that you are you using JetBrains IDE's you only need one other step to access your data - setting up a SSH tunnel.
This encrypts with SSH all your connections between development host and server without exposing PostgreSQL to the outside world.
In the connection settings for your database in the Jetbrains IDE select the SSH/SSL tab and "Use SSH tunnel". Input the information of your server and the SSH user + password/SSH key (use SSH keys for better security) into the relevant input fields.
Undo the settings changes you did to open the firewall and configure PostgreSQL to listen to all nodes.
Connections to your database are now possible over encrypted tunnels without exposing your database to any unwanted attacks.
So this is what I did to achieve connection from my laptop to my ubuntu VPS, via webstorm (I suppose any intellij works also should work with other IDE's)
0 login to your server
1. Locate postgresql.conf usually under /etc/postgresql/10/main
2. sudo nano postgresql.conf
3. Locate and change line at connections
listen_addresses = '*'
Then in same dir edit: sudo nano pg_hba.conf
#TYPE DATABASE USER ADDRESS METHOD
host all all 0.0.0.0/0 md5
Md5 means I connect with user and his password
5 Dont forget to allow ufw (firewall)
sudo ufw allow 5432/tcp
Open webstorm > Database (tab) > click + to add PostgtresSQL source (fill relevant info, user name, password, database name, host and port, etc...)
jdbc:postgresql://example.com:5432/my_database_name
Press on schemas and synchronize OR press:
Source > Settings > Schemas tab > [check] All Databases > refresh
I have a droplet on DigitalCloud with Ubuntu 14.04 and PostgreSQL 9.3. On local machine i have the same configuration.
My ssh connection is working so there is no problem with it. It must be somewhere in my Postgres connection or environment settings.
So what i have already done on the server is:
changed the listening port in /etc/ssh/sshd_config
Port 4321
enabled remote connections in /etc/postgresql/9.3/main/pg_hba.conf
host all all 0.0.0.0/0 md5
added listening addresses in /etc/postgresql/9.3/main/postgresql.conf
listen_addresses = '*'
And here is my local connection settings:
Here is my Properties tab screen
Here is my SSH Tunnel tab screen
I use just the same (and only) id_rsa.pub file which i used to establish my ssh connection before. Which is working. And this is an error that i get upon trying to connect:
SSH error: Authentication by identify file failed with error code -16
[Unable to extract public key from private key file: Wrong passphrase
or invalid/unrecognized private key file format]
My passphrase was set to empty.
If i try to connect without SSH tunnel there is another error:
Error connecting to the server: SSL error: unknown protocol expected
authentication request from server, but received S
I'm a complete newbie to it and I may have missed something important. So tell me if you want me to provide any other info on this matter.
EDIT 1:
If i use correct id_rsa file (without pub) then i get this same error:
Error connecting to the server: SSL error: unknown protocol expected
authentication request from server, but received S
I use just the same (and only) id_rsa.pub file
The first issue is that this is the wrong file. See if you have a file in the same place named "id_rsa" without the ".pub" extension. That is the file you should use as the identity file.
RSA ssh keys come in two files: "id_rsa" contains the private key, while "id_rsa.pub" contains the public key. id_rsa.pub is installed onto the server that you are connecting to, while id_rsa is used by the client that is making the connection to the server.
(Key files can be named something other than "id_rsa", of course. The point is that the private key is in foobar, while the public key is in foobar.pub.)
If you don't have an id_rsa file, then you should generate a new key and keep both files this time.
The second issue is that you have the wrong port on the Properties tab. The port number on the properties tab is the port that the PG server is running on. You should set this to 5432 or whatever port your server is actually listening on. It seems you should also set the "host" on the properties tab to "localhost", but I don't know if this is required.
Error connecting to the server: SSL error: unknown protocol expected authentication request from server, but received S
What is happening now is that your tunneled PG connection is going to port 4321 on the remote host, which is the SSH server. It happens that the first thing an SSH server sends to a new client is a version string, which looks like "SSH-2.0-OpenSSH_6.9" I don't know the PG protocol, but apparently your client reads the "S" in the SSH string and immediately knows it's not connected to a PG server.
I am running openerp(odoo) application from amazon cloud server using putty and it is ubuntu Headless(NO GUI) server. PostgreSQL is the database used for this application. Right now I am only able to access it in command mode as there is no gui in Putty. In Windows, I have installed pgadmin3. Is it possible to access it from here by configuring?
You can configure your security group to open up the postgres port accessible from your IP address (I would highly recommend the access to be limited that way). After that you can just point your GUI client the external IP address of your instance using the port where the service is running on.
I suggest you to use pgadmin gui tool to access postgres database.
You can set up an SSH tunnel in putty and use that to access the remote database with your local pgadmin3. This is a very good and secure way to do things.
First, in Putty (Connection / SSH / Tunnels) add a source port of your choice, 5000 for example. Then enter localhost:5432 for Destination (providing postgres is running on port 5432 on the server). Press Add and save your session. Next time you open your ssh connection with Putty, the tunnel will be active.
After this, set up a new connection in pgadmin3, Host: localhost and Port: 5000 (and your username and pasword, of course). Now, if the putty session is active, you should be able to connect.
In postgresql.conf file, find a line called
listen_addresses = 'localhost' and change it to '*'
Next in pg_hba.conf add this line in IPV4 local connections,
host all all (Your external ip address in CIDR format) trust
Finally restart the database using this command,sudo service postgresql restart