SSH tunneling in your application



Introduction



This article is dedicated to securing a MySQL client-server connection with functionality provided by the Secure Shell (SSH) protocol. To be exact, the SSH tunneling concept is utilized. We will review the steps needed to build a secure MySQL client application and implement a sample one ourselves.




MySQL traffic is not the only kind of data that can be tunneled by the Secure Shell. SSH can be used to secure any application-layer TCP-based protocol, such as HTTP, SMTP and POP3. If your application needs to secure such a protocol by tunneling it through a protected SSH connection, this article will be useful to you.



Background



Let's imagine that we are developing an enterprise application that needs to send requests to a number of SQL servers all over the world and get responses from them (let's imagine that it's a super-powerful bank system that stores information about millions of accounts).



Let's take a look at what we have:






SSH (Secure Shell) is a protocol that may help in solving this problem. One of its outstanding features is its ability to tunnel different types of connections through a single, confidential and integrity-protected connection.



SSH provides:



  • Authentication of both the client and the server computers
  • Data integrity protection
  • Resistance to various kinds of network attacks (a passive observer learns nothing about the tunneled traffic, and tampering with it is detected)
  • Compression of the data being tunneled
  • Independence from the operating system and from network specifics




  • Tunneling (or forwarding) works in the following way:


    1. The SSH client opens a listening port on a local network interface and records the remote host and port to which connections accepted on this port are to be forwarded.
    2. When a connection is accepted on the listening port, the SSH client asks the SSH server to open a logical channel (a tunnel) for it, naming the remote host and port recorded in step 1. The SSH server then establishes a new TCP connection to that remote host.

    3. The SSH client encrypts all the data it receives from the accepted connection and sends it to the SSH server. The SSH server decrypts the data received from the SSH client and sends it to the remote host. Data flowing back from the remote host travels the same path in reverse.



    Please note that the SSH client acts as a TCP server for the connections it accepts, and the SSH server acts as a TCP client for the connections it establishes to the remote host. The hop from the SSH server to the remote host is plain TCP, so the protection ends at the SSH server: the remote host should only be reachable from the SSH server's side (its localhost or a private network), never directly from the Internet.



    A single SSH connection can tunnel as many application-layer connections as needed. This means that you can protect your server by moving all the listening ports (e.g., database and application server ports) to a local network and leaving only the SSH port open. It is much easier to take care of a single port than of a dozen different listening ports.
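    The three steps above and the one-connection-many-tunnels point, as an added example (this is not code from the article, nor from any SSH product): a runnable Python model of local port forwarding in which SshClient is the TCP server on the forwarded port, SshServer is the TCP client towards the destination, and both multiplex any number of channels over one connection. The framed TCP connection between them stands in for the real SSH transport (it is sent in the clear here, whereas SSH encrypts and integrity-protects it); the frame format, the echo server standing in for MySQL, the hosts and ports, and the PermitOpen-style destination allowlist are all constructed for this demo. The allowlist goes beyond the text to show that the SSH server, not the client, decides which destinations a tunnel may reach.

```python
import asyncio
import struct

# Frame on the constructed "SSH connection": type, channel id, payload length.
# Real SSH encrypts and MACs its packets; this model sends them in the clear.
OPEN, DATA, EOF = 1, 2, 3
HDR = struct.Struct("!BII")

def pack(kind, chan, payload=b""):
    return HDR.pack(kind, chan, len(payload)) + payload

async def read_frame(reader):
    kind, chan, n = HDR.unpack(await reader.readexactly(HDR.size))
    return kind, chan, await reader.readexactly(n)

class Endpoint:  # either end of the SSH connection: many channels, one transport
    def __init__(self, reader, writer):
        self.reader, self.writer, self.lock = reader, writer, asyncio.Lock()
        self.channels = {}  # channel id -> writer towards the local TCP peer

    async def send(self, frame):
        async with self.lock:  # the transport is shared by all channels
            self.writer.write(frame)
            await self.writer.drain()

    def attach(self, chan, reader, writer, open_to=None):
        # Register the local TCP peer before any frame for chan can arrive, then
        # pump what it sends into DATA frames (preceded by OPEN on the client side).
        self.channels[chan] = writer
        async def pump():
            try:
                if open_to:
                    await self.send(pack(OPEN, chan, open_to))
                while data := await reader.read(4096):
                    await self.send(pack(DATA, chan, data))
                await self.send(pack(EOF, chan))
            except ConnectionError:
                pass  # transport already gone; nothing left to forward
        return asyncio.create_task(pump())

    async def run(self, on_open=None):
        # Route frames arriving on the transport to local TCP peers by channel id.
        try:
            while True:
                kind, chan, payload = await read_frame(self.reader)
                if kind == OPEN and on_open:
                    await on_open(chan, payload)
                elif chan in self.channels and kind == DATA:
                    self.channels[chan].write(payload)
                    await self.channels[chan].drain()
                elif chan in self.channels and kind == EOF:
                    self.channels[chan].write_eof()  # half-close; replies still flow
        except (asyncio.IncompleteReadError, ConnectionError):
            pass
        finally:
            for w in self.channels.values():
                w.close()
            self.writer.close()

class SshClient(Endpoint):  # SSH client role: the TCP server on forwarded ports
    next_chan = 0
    async def forward(self, bind_host, bind_port, dest_host, dest_port):
        # Equivalent of `ssh -L bind_host:bind_port:dest_host:dest_port`.
        async def on_accept(reader, writer):
            self.next_chan += 1
            dest = f"{dest_host}:{dest_port}".encode()
            await self.attach(self.next_chan, reader, writer, open_to=dest)
        return await asyncio.start_server(on_accept, bind_host, bind_port)

class SshServer:  # SSH server role: the TCP client towards the destination
    def __init__(self, permit_open):  # (host, port) allowlist, cf. sshd PermitOpen
        self.permit_open, self.rejected = set(permit_open), []

    async def handle_transport(self, reader, writer):
        ep = Endpoint(reader, writer)
        async def on_open(chan, payload):
            host, port = payload.decode().rsplit(":", 1)
            dest = (host, int(port))
            if dest not in self.permit_open:
                self.rejected.append(dest)
                return await ep.send(pack(EOF, chan))  # refuse the channel
            ep.attach(chan, *await asyncio.open_connection(*dest))
        await ep.run(on_open)

async def echo(reader, writer):  # constructed stand-in for the MySQL server
    writer.write(await reader.read())
    writer.close()

async def through(port, msg):  # one application connection to a forwarded port
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(msg)
    writer.write_eof()
    data = await reader.read()
    writer.close()
    return data

def port_of(server):
    return server.sockets[0].getsockname()[1]

async def demo():
    db = await asyncio.start_server(echo, "127.0.0.1", 0)
    sshd = SshServer(permit_open={("127.0.0.1", port_of(db))})
    sshl = await asyncio.start_server(sshd.handle_transport, "127.0.0.1", 0)
    client = SshClient(*await asyncio.open_connection("127.0.0.1", port_of(sshl)))
    client.task = asyncio.create_task(client.run())
    # Bound to loopback only, so other hosts on the LAN cannot ride the tunnel.
    ok = await client.forward("127.0.0.1", 0, "127.0.0.1", port_of(db))
    bad = await client.forward("127.0.0.1", 0, "127.0.0.1", 9)  # not permitted
    echoed = await asyncio.gather(through(port_of(ok), b"SELECT 1"),
                                  through(port_of(ok), b"SELECT 2"))
    blocked = await through(port_of(bad), b"hello")
    for s in (ok, bad, sshl, db):
        s.close()
    client.writer.close()
    return {"echoed": list(echoed), "blocked": blocked, "rejected": sshd.rejected}

def run_demo():  # synchronous entry point
    return asyncio.run(demo())
```

    run_demo() opens two application connections to the same forwarded port at once; both come back echoed through the single client-server transport, each on its own channel. The third connection goes to a forwarded port whose destination is not on the server's allowlist: the server records the refusal, answers with EOF, and the application sees an immediate end of stream without any data having left the client side. Note also that every listener is bound to 127.0.0.1, so the tunnel cannot be used from other machines with the SSH user's privileges.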


    Into the Fire!



    Let's develop a small application that illustrates the use of SSH forwarding capabilities. We will consider an important task of securing a connection between a MySQL client application and a MySQL server. Imagine that we need to get information from the database server, which is located a thousand miles away from us, in a secure way.



    The following picture explains the scheme we will utilize:








    // Specifying address and port of SSH server
    Forwarding.Address = tbSSHAddress.Text;
    Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);

    // Specifying network interface and port number to be opened locally.
    // Whatever an empty ForwardedHost means for the component in use (loopback
    // only or every interface), bind explicitly to 127.0.0.1 unless other hosts
    // are meant to reach the database through this tunnel: anyone who can connect
    // to the forwarded port uses it with this SSH session's privileges.
    Forwarding.ForwardedHost = "";
    Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);

    // Please note that the destination is resolved by the SSH server, so
    // "localhost" here means the SSH server's localhost, not the SSH client's.
    Forwarding.DestHost = tbDBAddress.Text;
    Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);

    // Opening the SSH connection and the local listening port. The extract does
    // not show this call; Open() is assumed here as the counterpart of the
    // Forwarding.Close() below.
    Forwarding.Open();

    // forming connection string
    string connString = "database=" + tbDBName.Text + ";Connect Timeout=30;user id=" +
        tbDBUsername.Text + "; pwd=" + tbDBPassword.Text + ";";

    if (cbUseTunnelling.Checked)
    {
        // with forwarding, the MySQL client talks to the local listening port and
        // the SSH client carries the traffic to the real server (this branch was
        // garbled in the extract and is reconstructed from the comment below;
        // 127.0.0.1 is used rather than "localhost", which some MySQL clients
        // treat as a request for the local Unix socket)
        connString = connString + "server=127.0.0.1; port=" + tbFwdPort.Text;
    }
    else
    {
        // specifying real MySQL server location if forwarding is not used
        connString = connString + "server=" + tbDBAddress.Text + "; port=" + tbDBPort.Text;
    }

    MySQLConnection.ConnectionString = connString;
    try
    {
        MySQLConnection.Open();
        Log("Connection to MySQL server established. Version: " + MySQLConnection.ServerVersion + ".");

        // ... the query is executed and its results are read here; that part is
        // not in the extract. 'reader' is the data reader it returns.

        // closing the MySQL connection
        Log("Closing MySQL connection");
        reader.Close();
        MySQLConnection.Close();
    }
    catch (Exception ex)
    {
        Log("MySQL connection failed (" + ex.Message + ")");
    }
    finally
    {
        // closing the SSH connection whether or not the MySQL part succeeded, so
        // that a failed connection or query does not leave the tunnel open
        Forwarding.Close();
    }

    Two things the extract does not show deserve attention. First, the forwarding component must verify the SSH server's host key against a known value before any MySQL traffic (including the password from the connection string) goes through the tunnel; without that check, a host on the path can pose as the SSH server and read everything. Second, the hop from the SSH server to the MySQL server is plain TCP, so the database should listen only on the SSH server's localhost or on a private network that the SSH server can reach.











    And, that's all!

    But there is one more thing I need to draw your attention to. As both the SSH and the MySQL connections run in their own threads and report to GUI controls from those threads, the GUI access has to be marshalled back to the UI thread to prevent cross-thread problems. I will illustrate this with the example of the Log() method:





    Now click the Start button and wait for the query results. If all the parameters have been specified correctly, we should get something like this:

    SFTP .NET Components developer with proven experience in .NET coding.
