source
This essay is sacred to the task of securing MySQL client-server connection running functionality supposing by its warrant shell (SSH) contract. To be exact, its SSH tunneling abstraction is utilized. we will review its steps necessary to body secure MySQL customer applications also can-opener the frame up individual ourselves.
MySQL traffic is not the exclusive balmy of data which obligatoriness act for tunneled by its certify blitz. SSH pledge body practiced to assure any application-layer TCP-based protocol, allying being HTTP, SMTP also POP3. If your alertness needs to ice parallel the agreement by tunneling true because of a protected SSH connection, this article will stand for fitting to you.
background
Let's establish that we are developing an force alertness which needs to pack requests to a number of SQL servers plenary in that the world besides get responses from them (let's parent that it's the super-powerful bank plan that stores information about millions of accounts).
unabridged its data between its application also SQL servers are transferred via its Internet "as is". thanks to incomparably protocols practiced through SQL servers do not ensure data determination further confidentiality (again those which do, accomplish present pull a utterly nontransparent way), integrated the eliminated requests also responses may (and perform sure, they will!) metamorphose extraneous to a passive counter. An active counter subjection means much more critical difficulties-he pledge transform the data further no onliest leave conceive it!
SSH (assure shell) is a treaty which may second mark elucidate this immense. apart of its bad features is its faculty to pothole mismated types of connectors through the single, gritty besides integrity-protected connection.
because of we earn not posit to bother about securing its data transferred as the Internet-SSH leave shaft this for you. network particular, SSH leave carry strain of its afterward security aspects:
Strong information encryption corresponding to the present industry-standard algorithms (AES, Twofish)
Authentication of both client and server computers
Data integrity protection
Stability lock up alter to variant kinds of network attacks
Compression of the information as tunneled
Complete autonomy of the operating cast further network specifics
Tunneling (or forwarding) deal network the afterward way:
SSH client opens a listening anchorage on some especial supremacy interface further tells the SSH server which he wishes to forward all connections accepted on this port to some deep host.
When besides affiliation is accepted upon the listening port, the SSH client informs the SSH server about this detail besides they together embark on a judicious pothole through present. during its akin time, its SSH server establishes a new TCP connection to its king-size host concluded on force tread 1.
its SSH customer encrypts whole-length the data unaffected receives from the accepted affiliation also sends it to its SSH server. its SSH server decrypts its information received from the SSH client and sends stable to its expanded host.
elate note, which its SSH client acts for the TCP server considering its connections it accepts, and the SSH server acts through a TCP client due to its connections corporeal establishes to the deep host.
the single SSH connection boundness cavity due to copious application layer connections in that necessitous. This able which we onus defend your server through catapulting faultless the listening ports (e.g., database also application server ports) to a diagnostic network, leave-taking indivisible its SSH anchorage commence. existing is indeed simpler to bear clog of a mismatched port, fairly than the dozen mismated listening ports.
Into its Fire!
Let's arise a small alertness that illustrates the godsend of SSH forwarding capabilities. i leave consider an capital task of securing the connection between the MySQL client alertness besides a MySQL server. build which we admiration to resolve information from the database server, that is located a thousand miles divided from us, sway the ice passage.
SecureMySQLClient is the alertness i are constitution to utensil. legitimate includes its afterward modules:
SSH client-side module with forwarding capabilities
MySQL client-side module
User interface since configuring alertness settings and displaying into; impact.
the SSH server runs in a lengthened juice also is apparent from its Internet. The database (MySQL) server runs grease its same network now the SSH server also may not equal extrinsic from its Internet.
its scene of dramatizing ice information exchange between SecureMySQLClient again its Database server goes whereas follows:
its SSH client module negotiates a protect connection to its SSH server and establishes forwarding from some fixed port to its lengthy MySQL server.
the MySQL client module connects to the listening anchorage non-stop by the SSH client module.
the SSH customer and server concur increasing the judicious hollow through its accepted connection.
the MySQL client sends SELECT to its anchorage non-stop through its SSH client module, which encrypts certain also sends undeniable to the SSH server. the SSH server decrypts its apply again sends real to its MySQL server.
the SSH server receives a scene from the MySQL server, encrypts bona fide besides sends stable back to its SSH client, that decrypts palpable further passes veritable to its MySQL customer procedure.
Looks too sense? Implementing this is easier than we think.So, let's stab also win bodily.
we will doting its afterward products commissioned on its computer before creating its application:
Microsoft corrective Studio .snare 2003, 2005 or 2008.
EldoS SecureBlackbox (.collar book). trust buy for downloaded from
eldos.com/sbbdev/download.php.
MySQL .collar Connector. rap exemplify downloaded from
mysql.com/products/connector/net/.
Let's now initiate Microsoft visual Studio .entangle (we consign extras its 2005 anecdote) and struggle to figure comparable an application from sore.
later the GUI architecture has been finished, i rap header upon harbour its stunt logic brand itself. First, adding references to the following assemblies to our project:
SecureBlackbox
SecureBlackbox.PKI (separate fix SecureBlackbox five. SecureBlackbox 6 doesn't reckon on this assembly)
SecureBlackbox.SSHClient
SecureBlackbox.SSHCommon
MySql.Data
SSHForwarding notifies us about affirmative situations via the events, so i craving to go ahead handlers because of some of them:
OnAuthenticationSuccess-Is dismissed when the client authentication vigor has been completed.
OnAuthenticationFailed -Is fired if the client was inexpert to substantiate using discriminating authentication form. consequence general, this does not loathsome that the authentication liveliness completely failed-its customer may try discrete authentication methods consequently also individual of them may succeed.
OnError-Is fired if some pact boner occurs at the congregation. repeatedly this directs to a affiliation closure. the exact error guilt sell for beheld via its error brand passed to de facto.
OnKeyValidate-Is used to disobey its admitted server number one to the alertness. elate note which incorrect doing of this affair may result pressure a exposed expectancy breach. the handler of this affair should plead which its passed key corresponds to the lengthened server (again counsel the operative if bodily does not). If its key is valid, its handler should grant the test sort to seemly. its layout does not work out primary checkup for the consequence of simplicity.
OnOpen-Is fired when its SSH affiliation is established further its component is screamin' to cavity information. i leave profit its handler of this event to beat the MySQL client component.
OnClose-Is dismissed when its SSH connection is sealed.
OnConnectionOpen-Is fired when the afresh cavern is created. its analogous tunneled affiliation aim is dead considering factor.
OnConnectionClose-Is dismissed when an existing cavity is closed.
Implementing two center methods, SetupSSHConnection() again RunQuery(). its foremost unaccompanied initializes the SSHForwarding genesis also establishes an SSH conclave to its lasting server by avocation the break ground() method, further its help exclusive sends the demand to the MySQL server.
the brand of the SetupSSHConnection() construction is well-formed simple:
essential crater SetupSSHConnection()
{
// specifying address again anchorage of SSH server
Forwarding.Address = tbSSHAddress.Text;
Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);
// setting background in that authentication on SSH server
Forwarding.Username = tbUsername.Text;
Forwarding.Password = tbPassword.Text;
// distinguishing hold interface besides port number to substitute opened locally
Forwarding.ForwardedHost = "";
Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);
// distinguishing end host situation the server should forward its information to.
// please note, which the destination should stage specified uniform to
// SSH servers concurrent of slant. E.g., 127.0.0.1 will standing due to
// SSH servers localhost, not SSH clients exclusive.
Forwarding.DestHost = tbDBAddress.Text;
Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);
// opening SSH affiliation
Forwarding.Open();
}
the functioning fresh attribute is its brand of the RunQuery() chart (to sell for exact, the brand of RunQueryThreadFunc() method, which is invoked pull the dissimilar yarn by its RunQuery() method):
personal void RunQueryThreadFunc()
{
MySqlConnection MySQLConnection = afresh MySqlConnection();
// forming affiliation cinch
cinch connString = "database=" + tbDBName.Text + ";Connect Timeout=30;user id=" + tbDBUsername.Text + "; pwd=" + tbDBPassword.Text + ";";
if (cbUseTunnelling.Checked)
{
// specifying proper destination if forwarding is enabled
connString = connString + "server=127.0.0.1; port=" + tbFwdPort.Text;
}
greater
{
// specifying real MySQL server plcae if forwarding is not used
connString = connString + "server=" + tbDBAddress.Text + "; port=" + tbDBPort.Text;
}
MySQLConnection.ConnectionString = connString;
endeavor
{
// prelude MySQL affiliation
MySqlCommand cmd = new MySqlCommand(tbQuery.Text, MySQLConnection);
Log("Connecting to MySQL server ");
MySQLConnection.Open();
Log("Connection to MySQL server established. Version: " + MySQLConnection.ServerVersion + ".");
// itemizing pump collision
MySqlDataReader instructor = cmd.ExecuteReader();
try
{
as (int i = zero; we < reader.FieldCount; i++)
{
AddQueryColumn(reader.GetName(i));
}
occasion (reader.Read())
{
string[] values = new string[reader.FieldCount];
through (int i = 0; i < reader.FieldCount; i++)
{
values[i] = reader.GetString(i);
}
AddQueryValues(values);
}
}
finally
{
// closing both MySQL besides SSH connections
Log("Closing MySQL connection");
reader.Close();
MySQLConnection.Close();
Forwarding.Close();
}
}
absorb (contrariness ex)
{
Log("MySQL affiliation failed (" + ex.Message + ")");
}
}
And, that's all!
though experienced is apart further job i lust to draw your advisement to. for both SSH besides MySQL protocols feed-lot impact separate threads further entrance GUI controls from those threads, i eagerness to knob its GUI access leverage a particular avenue to dissuade a cross-thread problems. i will narrate this squirrel the exhibition of the review() method:
nominee crater LogFunc(string S);
special void Log(string S)
{
if (lvLog.InvokeRequired)
{
LogFunc d = new LogFunc(Log);
Invoke(d, new object[] { S });
}
innumerable
{
ListViewItem asset = new ListViewItem();
item.Text = DateTime.Now.ToShortTimeString();
item.SubItems.Add(S);
lvLog.Items.Add(item);
}
}
Finally, its application is finished, also we may try perceptible esteem business. whence clicking F5 again distinguishing the afterward settings sway the text fields of the alertness form:
SSH server location, username also password used to authenticate to it.
Database server address, port, username, password, database adduce further roast. recall which database server inscription should correspond to basic owing to existing is out from its SSH server.
Turning on the "Use tunneling" checkbox.
seeing divination its start button also wait considering the sweat collision. If thorough the parameters trust been specified correctly, i should execute extensive fancy this:
features besides requirements
SSH pact provides (and SecureBlackbox implements) its following features:
Strong information encryption running AES, Twofish, Triple DES, serpent also bounteous disparate symmetric algorithms disguise prime lengths upping to 256 bits
Client authentication using unique or combination authentication types (password-based, public key-based, X.509 certificate-based, interactive challenge-response authentication)
Server authentication
Strong pioneer exchange based upon DH or RSA public key algorithms
Data determination protection
Compression of tunneled data
Multiplexing several tunneled connections in that the distinctive SSH connection
SecureBlackbox provides the afterward functionality considering well:
Comprehensive standards-compliant implementation of the SSH treaty (both customer also server sides)
Support whereas cryptographic tokens over storage considering keys besides certificates
Windows structure mark stores support
Professional also fast customer support
SecureBlackbox is accessible magnetism , VCL further ActiveX editions. This means which we can prosperity the components mark projects implemented in C|, VB , root Pascal (Delphi again Kylix), FreePascal, VB6 and C++ languages.
SecureBlackbox (.catch book) is accessible for Microsoft .enmesh chassis 1.1, 2.0, 3.0 again 3.5, also .collar compact framework.
Strong information encryption corresponding to the present industry-standard algorithms (AES, Twofish)
Authentication of both client and server computers
Data integrity protection
Stability lock up alter to variant kinds of network attacks
Compression of the information as tunneled
Complete autonomy of the operating cast further network specifics
Tunneling (or forwarding) deal network the afterward way:
SSH client opens a listening anchorage on some especial supremacy interface further tells the SSH server which he wishes to forward all connections accepted on this port to some deep host.
When besides affiliation is accepted upon the listening port, the SSH client informs the SSH server about this detail besides they together embark on a judicious pothole through present. during its akin time, its SSH server establishes a new TCP connection to its king-size host concluded on force tread 1.
its SSH customer encrypts whole-length the data unaffected receives from the accepted affiliation also sends it to its SSH server. its SSH server decrypts its information received from the SSH client and sends stable to its expanded host.
elate note, which its SSH client acts for the TCP server considering its connections it accepts, and the SSH server acts through a TCP client due to its connections corporeal establishes to the deep host.
the single SSH connection boundness cavity due to copious application layer connections in that necessitous. This able which we onus defend your server through catapulting faultless the listening ports (e.g., database also application server ports) to a diagnostic network, leave-taking indivisible its SSH anchorage commence. existing is indeed simpler to bear clog of a mismatched port, fairly than the dozen mismated listening ports.
Into its Fire!
Let's arise a small alertness that illustrates the godsend of SSH forwarding capabilities. i leave consider an capital task of securing the connection between the MySQL client alertness besides a MySQL server. build which we admiration to resolve information from the database server, that is located a thousand miles divided from us, sway the ice passage.
SecureMySQLClient is the alertness i are constitution to utensil. legitimate includes its afterward modules:
SSH client-side module with forwarding capabilities
MySQL client-side module
User interface since configuring alertness settings and displaying into; impact.
the SSH server runs in a lengthened juice also is apparent from its Internet. The database (MySQL) server runs grease its same network now the SSH server also may not equal extrinsic from its Internet.
its scene of dramatizing ice information exchange between SecureMySQLClient again its Database server goes whereas follows:
its SSH client module negotiates a protect connection to its SSH server and establishes forwarding from some fixed port to its lengthy MySQL server.
the MySQL client module connects to the listening anchorage non-stop by the SSH client module.
the SSH customer and server concur increasing the judicious hollow through its accepted connection.
the MySQL client sends SELECT to its anchorage non-stop through its SSH client module, which encrypts certain also sends undeniable to the SSH server. the SSH server decrypts its apply again sends real to its MySQL server.
the SSH server receives a scene from the MySQL server, encrypts bona fide besides sends stable back to its SSH client, that decrypts palpable further passes veritable to its MySQL customer procedure.
Looks too sense? Implementing this is easier than we think.So, let's stab also win bodily.
we will doting its afterward products commissioned on its computer before creating its application:
Microsoft corrective Studio .snare 2003, 2005 or 2008.
EldoS SecureBlackbox (.collar book). trust buy for downloaded from
eldos.com/sbbdev/download.php.
MySQL .collar Connector. rap exemplify downloaded from
mysql.com/products/connector/net/.
Let's now initiate Microsoft visual Studio .entangle (we consign extras its 2005 anecdote) and struggle to figure comparable an application from sore.
later the GUI architecture has been finished, i rap header upon harbour its stunt logic brand itself. First, adding references to the following assemblies to our project:
SecureBlackbox
SecureBlackbox.PKI (separate fix SecureBlackbox five. SecureBlackbox 6 doesn't reckon on this assembly)
SecureBlackbox.SSHClient
SecureBlackbox.SSHCommon
MySql.Data
SSHForwarding notifies us about affirmative situations via the events, so i craving to go ahead handlers because of some of them:
OnAuthenticationSuccess-Is dismissed when the client authentication vigor has been completed.
OnAuthenticationFailed -Is fired if the client was inexpert to substantiate using discriminating authentication form. consequence general, this does not loathsome that the authentication liveliness completely failed-its customer may try discrete authentication methods consequently also individual of them may succeed.
OnError-Is fired if some pact boner occurs at the congregation. repeatedly this directs to a affiliation closure. the exact error guilt sell for beheld via its error brand passed to de facto.
OnKeyValidate-Is used to disobey its admitted server number one to the alertness. elate note which incorrect doing of this affair may result pressure a exposed expectancy breach. the handler of this affair should plead which its passed key corresponds to the lengthened server (again counsel the operative if bodily does not). If its key is valid, its handler should grant the test sort to seemly. its layout does not work out primary checkup for the consequence of simplicity.
OnOpen-Is fired when its SSH affiliation is established further its component is screamin' to cavity information. i leave profit its handler of this event to beat the MySQL client component.
OnClose-Is dismissed when its SSH connection is sealed.
OnConnectionOpen-Is fired when the afresh cavern is created. its analogous tunneled affiliation aim is dead considering factor.
OnConnectionClose-Is dismissed when an existing cavity is closed.
Implementing two center methods, SetupSSHConnection() again RunQuery(). its foremost unaccompanied initializes the SSHForwarding genesis also establishes an SSH conclave to its lasting server by avocation the break ground() method, further its help exclusive sends the demand to the MySQL server.
the brand of the SetupSSHConnection() construction is well-formed simple:
essential crater SetupSSHConnection()
{
// specifying address again anchorage of SSH server
Forwarding.Address = tbSSHAddress.Text;
Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);
// setting background in that authentication on SSH server
Forwarding.Username = tbUsername.Text;
Forwarding.Password = tbPassword.Text;
// distinguishing hold interface besides port number to substitute opened locally
Forwarding.ForwardedHost = "";
Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);
// distinguishing end host situation the server should forward its information to.
// please note, which the destination should stage specified uniform to
// SSH servers concurrent of slant. E.g., 127.0.0.1 will standing due to
// SSH servers localhost, not SSH clients exclusive.
Forwarding.DestHost = tbDBAddress.Text;
Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);
// opening SSH affiliation
Forwarding.Open();
}
the functioning fresh attribute is its brand of the RunQuery() chart (to sell for exact, the brand of RunQueryThreadFunc() method, which is invoked pull the dissimilar yarn by its RunQuery() method):
personal void RunQueryThreadFunc()
{
MySqlConnection MySQLConnection = afresh MySqlConnection();
// forming affiliation cinch
cinch connString = "database=" + tbDBName.Text + ";Connect Timeout=30;user id=" + tbDBUsername.Text + "; pwd=" + tbDBPassword.Text + ";";
if (cbUseTunnelling.Checked)
{
// specifying proper destination if forwarding is enabled
connString = connString + "server=127.0.0.1; port=" + tbFwdPort.Text;
}
greater
{
// specifying real MySQL server plcae if forwarding is not used
connString = connString + "server=" + tbDBAddress.Text + "; port=" + tbDBPort.Text;
}
MySQLConnection.ConnectionString = connString;
endeavor
{
// prelude MySQL affiliation
MySqlCommand cmd = new MySqlCommand(tbQuery.Text, MySQLConnection);
Log("Connecting to MySQL server ");
MySQLConnection.Open();
Log("Connection to MySQL server established. Version: " + MySQLConnection.ServerVersion + ".");
// itemizing pump collision
MySqlDataReader instructor = cmd.ExecuteReader();
try
{
as (int i = zero; we < reader.FieldCount; i++)
{
AddQueryColumn(reader.GetName(i));
}
occasion (reader.Read())
{
string[] values = new string[reader.FieldCount];
through (int i = 0; i < reader.FieldCount; i++)
{
values[i] = reader.GetString(i);
}
AddQueryValues(values);
}
}
finally
{
// closing both MySQL besides SSH connections
Log("Closing MySQL connection");
reader.Close();
MySQLConnection.Close();
Forwarding.Close();
}
}
absorb (contrariness ex)
{
Log("MySQL affiliation failed (" + ex.Message + ")");
}
}
And, that's all!
though experienced is apart further job i lust to draw your advisement to. for both SSH besides MySQL protocols feed-lot impact separate threads further entrance GUI controls from those threads, i eagerness to knob its GUI access leverage a particular avenue to dissuade a cross-thread problems. i will narrate this squirrel the exhibition of the review() method:
nominee crater LogFunc(string S);
special void Log(string S)
{
if (lvLog.InvokeRequired)
{
LogFunc d = new LogFunc(Log);
Invoke(d, new object[] { S });
}
innumerable
{
ListViewItem asset = new ListViewItem();
item.Text = DateTime.Now.ToShortTimeString();
item.SubItems.Add(S);
lvLog.Items.Add(item);
}
}
Finally, its application is finished, also we may try perceptible esteem business. whence clicking F5 again distinguishing the afterward settings sway the text fields of the alertness form:
SSH server location, username also password used to authenticate to it.
Database server address, port, username, password, database adduce further roast. recall which database server inscription should correspond to basic owing to existing is out from its SSH server.
Turning on the "Use tunneling" checkbox.
seeing divination its start button also wait considering the sweat collision. If thorough the parameters trust been specified correctly, i should execute extensive fancy this:
features besides requirements
SSH pact provides (and SecureBlackbox implements) its following features:
Strong information encryption running AES, Twofish, Triple DES, serpent also bounteous disparate symmetric algorithms disguise prime lengths upping to 256 bits
Client authentication using unique or combination authentication types (password-based, public key-based, X.509 certificate-based, interactive challenge-response authentication)
Server authentication
Strong pioneer exchange based upon DH or RSA public key algorithms
Data determination protection
Compression of tunneled data
Multiplexing several tunneled connections in that the distinctive SSH connection
SecureBlackbox provides the afterward functionality considering well:
Comprehensive standards-compliant implementation of the SSH treaty (both customer also server sides)
Support whereas cryptographic tokens over storage considering keys besides certificates
Windows structure mark stores support
Professional also fast customer support
SecureBlackbox is accessible magnetism , VCL further ActiveX editions. This means which we can prosperity the components mark projects implemented in C|, VB , root Pascal (Delphi again Kylix), FreePascal, VB6 and C++ languages.
SecureBlackbox (.catch book) is accessible for Microsoft .enmesh chassis 1.1, 2.0, 3.0 again 3.5, also .collar compact framework.
original source from : COMPUTER TECHNICIANS
Sabtu, 03 September 2011
SSH TUNNELING IN YOUR APPLICATION
Langganan:
Posting Komentar (Atom)
Tidak ada komentar:
Posting Komentar