Using SSH tunneling for securing MySQL connections
This article is dedicated to the task of securing a MySQL client-server connection using functionality provided by the Secure Shell (SSH) protocol. To be exact, the SSH tunneling concept is utilized. We will review the steps needed to build secure MySQL client applications and implement a sample one ourselves.
MySQL traffic is not the only kind of data that can be tunneled by the Secure Shell. SSH can be used to secure any application-layer TCP-based protocol, such as HTTP, SMTP and POP3. If your application needs to secure such a protocol by tunneling it through a protected SSH connection, this article will be useful to you.
Background
Let's imagine that we are developing an enterprise application that needs to send requests to a number of SQL servers all over the world and get responses from them (let's imagine that it's a super-powerful bank system that stores information about millions of accounts).
Let's take a look at what we have:
Now you do not have to worry about securing the data transferred over the Internet - SSH will handle this for you. In
particular, SSH will take care of the following security aspects:
Strong data encryption according to the latest industry-standard algorithms (AES, Twofish)
Authentication of both client and server computers
Data integrity protection
Stability with regard to different kinds of network attacks
Compression of the data being tunneled
1 of 9
http://www.eldos.com/SecureBlackbox/articles/ssh_tunneling/SSHTunneling.php
1. The SSH client opens a listening port on some local network interface and tells the SSH server that it wishes to
forward all connections accepted on this port to some remote host.
2. When another connection is accepted on the listening port, the SSH client informs the SSH server about this fact
and they together establish a logical tunnel for it. At the same time, the SSH server establishes a new TCP
connection to the remote host agreed upon in step 1.
3. The SSH client encrypts all the data it receives from the accepted connection and sends it to the SSH server. The
SSH server decrypts the data received from the SSH client and sends it to the remote host.
Please note that the SSH client acts as a TCP server for the connections it accepts, and the SSH server acts as a TCP
client for the connections it establishes to the remote host.
A single SSH connection can tunnel as many application layer connections as needed. This means that you can defend
your server by moving all the listening ports (e.g., database and application server ports) to a local network, leaving only
the SSH port open. It is much easier to take care of a single port, rather than a dozen different listening ports.
Let's develop a small application that illustrates the use of SSH forwarding capabilities. We will consider an important task
of securing a connection between a MySQL client application and a MySQL server. Imagine that we need to get
information from the database server, which is located a thousand miles away from us, in a secure way.
SecureMySQLClient is the application we are planning to implement. It includes the following modules:
The SSH server runs in a remote network and is visible from the Internet. The database (MySQL) server runs in the
same network as the SSH server and may not be visible from the Internet.
The process of performing secure data exchange between SecureMySQLClient and the Database server goes as follows:
1. The SSH client module negotiates a secure connection to the SSH server and establishes forwarding from some
local port to the remote MySQL server.
2. The MySQL client module connects to the listening port opened by the SSH client module.
3. The SSH client and server set up a logical tunnel for the accepted connection.
4. The MySQL client sends SELECT to the port opened by the SSH client module, which encrypts it and sends it to
the SSH server. The SSH server decrypts the request and sends it to the MySQL server.
5. The SSH server receives a response from the MySQL server, encrypts it and sends it back to the SSH client, which
decrypts it and passes it to the MySQL client module.
Looks too complex? Implementing this is easier than you think. So, let's go and do it.
We will need the following products installed on the computer before creating the application:
Let's now open Microsoft Visual Studio .NET (we will use the 2005 version) and try to build such an application from
scratch.
After the GUI design has been finished, we can go on with the business logic code itself. First, add references to the
following assemblies to our project:
SecureBlackbox
SecureBlackbox.PKI (only in SecureBlackbox 5. SecureBlackbox 6 doesn't have this assembly)
SecureBlackbox.SSHClient
SecureBlackbox.SSHCommon
MySql.Data
Place the ElSSHLocalPortForwarding component on the form and give it the name SSHForwarding:
SSHForwarding notifies us about certain situations via its events, so we need to create handlers for some of them:
OnAuthenticationSuccess Is fired when the client authentication process has been completed.
OnAuthenticationFailed I
OnError Is fired if some protocol error occurs during the session. Usually this leads to a connection closure. The exact error can be detected via the error code passed to it.
OnKeyValidate Is used to pass the received server key to the application. Please note that incorrect handling of this event may result in a serious security breach. The handler of this event should verify that the passed key corresponds to the remote server (and warn the user if it does not). If the key is valid, the handler should set the Validate parameter to true. The sample does not perform the key check for the sake of simplicity.
OnOpen Is fired when the SSH connection is established and the component is ready to tunnel data. We will use the handler of this event to start the MySQL client component.
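The key check the sample skips, as an added example that is not part of the article or of SecureBlackbox: pin the fingerprint of the server's host key and have the OnKeyValidate handler accept the key only when the received key matches it. The host name, key blob and pinned-fingerprint store are constructed for the example; the same logic belongs in the C# event handler, which sets Validate from the result.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_algorithm(key_blob: bytes) -> str:
    """Every SSH public key blob starts with its algorithm name as an SSH string."""
    (length,) = struct.unpack(">I", key_blob[:4])
    return key_blob[4:4 + length].decode("ascii")


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def validate_server_key(host: str, port: int, key_blob: bytes, pinned: dict) -> bool:
    """Return the value the handler should assign to Validate.

    Accept only when a fingerprint pinned for this host:port (obtained out of band from
    the server administrator) matches the received key. An unknown host or a mismatch
    is rejected instead of silently trusted; that is what stops a man-in-the-middle
    that presents its own key from being tunneled through."""
    expected = pinned.get("[%s]:%d" % (host, port))
    if expected is None:
        return False
    return hmac.compare_digest(expected, fingerprint(key_blob))


# Constructed sample: a fake ed25519 key blob and the fingerprint the operator pinned for it.
SERVER_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
PINNED = {"[ssh.example.net]:22": fingerprint(SERVER_KEY)}


def demo() -> dict:
    """Outcomes for the genuine key, a different key for the same host, and an unknown host."""
    forged_key = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
    return {
        "algorithm": key_algorithm(SERVER_KEY),
        "genuine": validate_server_key("ssh.example.net", 22, SERVER_KEY, PINNED),
        "forged": validate_server_key("ssh.example.net", 22, forged_key, PINNED),
        "unknown_host": validate_server_key("ssh.example.org", 22, SERVER_KEY, PINNED),
    }
```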
Now implement the two core methods, SetupSSHConnection() and RunQuery(). The first one initializes the SSHForwarding
object and establishes an SSH session to the remote server by calling its Open() method; the second one sends the
query to the MySQL server.
private void SetupSSHConnection()
{
    // Forwarding is the ElSSHLocalPortForwarding component placed on the form.
    Forwarding.Address = tbSSHAddress.Text;
    Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);
    Forwarding.Username = tbUsername.Text;
    Forwarding.Password = tbPassword.Text;
    // Local listening port that the MySQL client module will connect to.
    Forwarding.ForwardedHost = "";
    Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);
    // Specifying destination host where the server should forward the data to.
    Forwarding.DestHost = tbDBAddress.Text;
    Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);
    Forwarding.Open();
}
The code of the RunQuery() method is a bit more complex. To be exact, the work is done in RunQueryThreadFunc(), which
RunQuery() invokes in a separate thread:
private void RunQueryThreadFunc()
{
    // tbDBUser, tbDBPassword and tbQuery are assumed control names (the page omits them).
    string creds = ";Uid=" + tbDBUser.Text + ";Pwd=" + tbDBPassword.Text + ";";
    string connString = cbUseTunnelling.Checked
        ? "Server=127.0.0.1;Port=" + tbFwdPort.Text + creds    // local port of the SSH client module
        : "Server=" + tbDBAddress.Text + ";Port=" + tbDBPort.Text + creds; // direct, unprotected
    MySQLConnection.ConnectionString = connString;
    try
    {
        MySQLConnection.Open();
        MySqlDataReader reader = new MySqlCommand(tbQuery.Text, MySQLConnection).ExecuteReader();
        try
        {
            for (int i = 0; i < reader.FieldCount; i++)
                AddQueryColumn(reader.GetName(i));
            while (reader.Read())
            {
                string[] values = new string[reader.FieldCount];
                for (int i = 0; i < reader.FieldCount; i++)
                    values[i] = reader.IsDBNull(i) ? "NULL" : reader.GetString(i); // GetString throws on NULL
                AddQueryValues(values);
            }
        }
        finally { reader.Close(); }
    }
    finally { MySQLConnection.Close(); Forwarding.Close(); } // tear down the tunnel as well
}

// Log() is called from the worker thread, so UI updates are marshalled to the form's thread.
private void Log(string S)
{
    if (lvLog.InvokeRequired) { lvLog.Invoke(new Action<string>(Log), S); return; }
    ListViewItem item = new ListViewItem();
    item.Text = DateTime.Now.ToShortTimeString();
    item.SubItems.Add(S);
    lvLog.Items.Add(item);
}
Finally, the application is finished, and we can try it out. Press F5 and specify the following settings in the
text fields of the application form:
Now click the Start button and wait for the query results. If all the parameters have been specified correctly, we should
get something like this:
Strong data encryption using AES, Twofish, Triple DES, Serpent and many other symmetric algorithms with key
lengths up to 256 bits
Client authentication using one or multiple authentication types (password-based, public key-based, X.509
certificate-based, interactive challenge-response authentication)
Server authentication
Strong key exchange based on DH or RSA public key algorithms
Data integrity protection
Compression of tunneled data
Multiplexing several tunneled connections through a single SSH connection
Comprehensive standards-compliant implementation of the SSH protocol (both client and server sides)
Support for cryptographic tokens as storage for keys and certificates
Windows system certificate stores support
Professional and fast customer support
SecureBlackbox is available in .NET, VCL and ActiveX editions. This means that you can use the components in projects
implemented in C#, VB.NET, Object Pascal (Delphi), FreePascal, VB6 and C++ languages.
SecureBlackbox (.NET edition) is available for Microsoft .NET Framework 1.1, 2.0, 3.0 and 3.5, and .NET Compact
Framework.