I have given remote read-only database access to some users as follows:

  • Postgres is listening to a port [opened on firewall]
  • IP addresses/usernames/passes are added to the pg_hba.conf file
  • Privileges are configured on database

Is it safe enough to give them direct PostgreSQL access the way I did it, or should I secure the connection with SSH tunnels?

PHA
  • What makes you sure it is read-only access? Please define what you call "safe enough" – Vao Tsun Aug 04 '15 at 04:55
  • I revoke users' write access from all objects. By safe enough I mean two parts: the database itself: data remains unchanged. The server itself: not opening a way for intruders to use the opened port to access our server – PHA Aug 04 '15 at 08:41
  • The first one depends on how you grant/revoke access, so it has nothing to do with SSH tunneling, and the next one is safer with hostssl, or yes, with SSH tunneling, just to make it harder to sniff the password. But in general there is no difference whether you connect directly to Postgres or through a tunnel - you either connect or not – Vao Tsun Aug 04 '15 at 08:55

1 Answer

Only if you enforce the use of SSL by Postgres.

To enforce the use of SSL, use hostssl lines in your pg_hba.conf instead of plain host.

Eelke
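One way to check a pg_hba.conf for remote records that still admit unencrypted connections, following the hostssl advice in the answer above. This is an added example, not part of the original answer: the sample file, its addresses and role names are constructed, and `audit_hba` and `is_loopback` are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf: addresses, database and role names are made up.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER      ADDRESS                        METHOD
local      all       postgres                                 peer
host       all       all       127.0.0.1/32                   md5
host       reports   readonly  203.0.113.0/24                 md5
hostssl    reports   readonly  198.51.100.7/32                md5
hostnossl  reports   legacy    198.51.100.9 255.255.255.255   password
"""

def is_loopback(address):
    """True when the address field can only match the server itself."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        # Not an IP range: 'samehost' is local; hostnames, 'all', 'samenet' are not.
        return address == "samehost"

def audit_hba(text):
    """Return (line_no, type, address, reason) for remote records that admit non-SSL."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue  # blank lines, local sockets and hostssl records
        rec_type, address, rest = fields[0], fields[3], fields[4:]
        try:
            ipaddress.ip_address(rest[0])  # separate netmask column?
            address, rest = f"{address}/{rest[0]}", rest[1:]
        except ValueError:
            pass
        if is_loopback(address):
            continue
        reason = ("matches SSL and non-SSL connections" if rec_type == "host"
                  else "matches only non-SSL connections")
        if rest and rest[0] == "password":
            reason += "; 'password' auth sends the password in cleartext"
        findings.append((line_no, rec_type, address, reason))
    return findings

if __name__ == "__main__":
    for line_no, rec_type, address, reason in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {rec_type} {address}: {reason}")
```

Changing each flagged record's type to hostssl makes the server reject non-SSL connections that match it; the server must also have SSL enabled for those records to be usable.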