http://www.eldos.com/SecureBlackbox/articles/ssh_tunneling/SSHTunneling.php


Using SSH tunneling for securing MySQL connections
Introduction
This article is dedicated to the task of securing a MySQL client-server connection using functionality provided by the Secure Shell (SSH) protocol. To be exact, the SSH tunneling concept is utilized. We will review the steps needed to build secure MySQL client applications and implement a sample one ourselves. MySQL traffic is not the only kind of data that can be tunneled by the Secure Shell. SSH can be used to secure any application-layer TCP-based protocol, such as HTTP, SMTP and POP3. If your application needs to secure such a protocol by tunneling it through a protected SSH connection, this article will be useful to you.


Background
Let's imagine that we are developing an enterprise application that needs to send requests to a number of SQL servers all over the world and get responses from them (let's imagine that it's a super-powerful bank system that stores information about millions of accounts). Let's take a look at what we have:


As you see, all the data between the application and SQL servers is transferred via the Internet "as is". As most protocols used by SQL servers do not provide data integrity and confidentiality (and those that do, do it in a quite nontransparent way), all the transferred requests and responses may (and be sure, they will!) become visible to a passive adversary. An active adversary can cause much more serious problems - he can alter the data and no one will detect it! SSH (Secure Shell) is a protocol that may help in solving this problem. One of its outstanding features is its ability to tunnel different types of connections through a single, confidential and integrity-protected connection. It works in the following way:

Now you do not have to worry about securing the data transferred over the Internet - SSH will handle this for you. In particular, SSH will take care of the following security aspects:
- Strong data encryption according to the latest industry-standard algorithms (AES, Twofish)
- Authentication of both client and server computers
- Data integrity protection
- Stability with regard to different kinds of network attacks
- Compression of the data being tunneled
- Complete independence of the operating system and network specifics


Tunneling (or forwarding) works in the following way:
1. The SSH client opens a listening port on some local network interface and tells the SSH server that it wishes to forward all connections accepted on this port to some remote host.
2. The SSH client and server set up a logical tunnel for the accepted connection. At the same time, the SSH server establishes a new TCP connection to the remote host agreed upon in step 1.
3. The SSH client encrypts all the data it receives from the accepted connection and sends it to the SSH server.
4. The SSH server decrypts the data received from the SSH client and sends it to the remote host.
5. When another connection is accepted on the listening port, the SSH client informs the SSH server about this fact and they together establish a logical tunnel for it. A single SSH connection can tunnel as many application layer connections as needed.

Please note that the SSH client acts as a TCP server for the connections it accepts, and the SSH server acts as a TCP client for the connections it establishes to the remote host. This means that you can defend your server by moving all the listening ports (e.g. database and application server ports) to a local network, leaving only the SSH port open. It is much easier to take care of a single port rather than a dozen different listening ports.

Looks too complex? Implementing this is easier than you think. So, let's go and do it.

Into the Fire!
Let's develop a small application that illustrates the use of SSH forwarding capabilities. We will consider an important task of securing a connection between a MySQL client application and a MySQL server. Imagine that we need to get information from the database server, which is located a thousand miles away from us, in a secure way. The following picture explains the scheme we will utilize:

SecureMySQLClient is the application we are planning to implement. It includes the following modules:
- SSH client-side module with forwarding capabilities
- MySQL client-side module
- User interface for configuring application settings and displaying query results

The SSH server runs in a remote network and is visible from the Internet. The database (MySQL) server runs in the same network as the SSH server and may not be visible from the Internet.

The process of performing secure data exchange between SecureMySQLClient and the database server goes as follows:
1. The SSH client module negotiates a secure connection to the SSH server and establishes forwarding from some local port to the remote MySQL server.
2. The MySQL client module connects to the listening port opened by the SSH client module.
3. The MySQL client sends SELECT to the port opened by the SSH client module, which encrypts it and sends it to the SSH server.
4. The SSH server decrypts the request and sends it to the MySQL server.
5. The SSH server receives a response from the MySQL server, encrypts it and sends it back to the SSH client, which decrypts it and passes it to the MySQL client module.

We will need the following products installed on the computer before creating the application:
- Microsoft Visual Studio .NET 2003, 2005 or 2008.
- MySQL .NET Connector. Can be downloaded from http://www.mysql.com/products/connector/net/.
- EldoS SecureBlackbox (.NET edition). Can be downloaded from http://www.eldos.com/sbb/download.php.

Let's now open Microsoft Visual Studio .NET (we will use the 2005 version) and try to build such an application from scratch.

Let's start by creating a simple user interface:

After the GUI design has been finished, we can go on with the business logic code itself. First, we add references to the following assemblies to our project:
- SecureBlackbox
- SecureBlackbox.PKI (only in SecureBlackbox 5; SecureBlackbox 6 doesn't have this assembly)
- SecureBlackbox.SSHClient
- SecureBlackbox.SSHCommon
- MySql.Data

Next, we place the ElSSHLocalPortForwarding component on the form and give it the SSHForwarding name:

SSHForwarding notifies us about certain situations via its events, so we need to create handlers for some of them:
- OnAuthenticationSuccess: Is fired when the client authentication process has been completed. We will use the handler of this event to kick the MySQL client component.
- OnAuthenticationFailed
- OnError: Is fired if some protocol error occurs during the session. The exact error can be detected via the error code passed to it. Usually this leads to a connection closure.
- OnClose: Is fired when the SSH connection is closed.
- OnConnectionClose: Is fired when an existing tunnel is closed.
- OnConnectionOpen: Is fired when a new tunnel is created. The corresponding tunneled connection object is passed as a parameter.
- OnKeyValidate: Is used to pass the received server key to the application. The handler of this event should verify that the passed key corresponds to the remote server (and warn the user if it does not). If the key is valid, the handler should set the Validate parameter to true. Please note that incorrect handling of this event may result in a serious security breach. The sample does not perform key checkup for the sake of simplicity.
- OnOpen: Is fired when the SSH connection is established and the component is ready to tunnel data.

Then we implement two core methods, SetupSSHConnection() and RunQuery(). The first one initializes the SSHForwarding object and establishes an SSH session to the remote server by calling its Open() method, and the second one sends the query to the MySQL server.
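The OnKeyValidate event is the one place where the sample cuts a corner: without a real check, any host that answers on the SSH port can impersonate the server and read the tunneled MySQL traffic. The handler below is an added example, not code from the original article, that pins the server key fingerprint instead of setting Validate to true unconditionally. It assumes the SecureBlackbox .NET event signature (object Sender, TElSSHKey ServerKey, ref bool Validate), a FingerprintMD5 byte array member on TElSSHKey, a hypothetical tbServerKeyFp text box holding the fingerprint obtained out of band, and a form class named MainForm; Log() is the article's own method.

```csharp
using System;
using SBSSHKeyStorage;

public partial class MainForm
{
    // Formats a raw fingerprint the way ssh-keygen prints MD5 fingerprints: "ab:cd:ef:..."
    private static string FormatFingerprint(byte[] fp)
    {
        return BitConverter.ToString(fp).Replace('-', ':').ToLowerInvariant();
    }

    // Handler for SSHForwarding.OnKeyValidate (event signature assumed, see lead-in).
    private void SSHForwarding_OnKeyValidate(object Sender, TElSSHKey ServerKey, ref bool Validate)
    {
        // Reject by default: the handler has to prove the key is the expected one.
        Validate = false;

        // Expected fingerprint, pinned out of band (hypothetical tbServerKeyFp text box).
        string expected = tbServerKeyFp.Text.Trim().ToLowerInvariant();
        if (expected.Length == 0)
        {
            Log("No pinned server key fingerprint configured; rejecting server key.");
            return;
        }

        // FingerprintMD5 (assumed byte[] member of TElSSHKey) identifies the received key.
        string received = FormatFingerprint(ServerKey.FingerprintMD5);
        if (received == expected)
        {
            Validate = true;
            Log("Server key verified, fingerprint " + received);
        }
        else
        {
            // A changed key is either a legitimate key rotation or an interception attempt;
            // either way the user must confirm the new fingerprint out of band first.
            Log("SERVER KEY MISMATCH: expected " + expected + ", received " + received +
                ". Connection refused.");
        }
    }
}
```

Leaving Validate at false makes the component abort the session, so a mismatch surfaces in the log instead of silently handing the MySQL credentials and data to the wrong host.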

The logic is displayed on the following picture:

The code of the SetupSSHConnection() method is pretty simple:

private void SetupSSHConnection()
{
    // Specifying address and port of SSH server
    Forwarding.Address = tbSSHAddress.Text;
    Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);
    // Setting credentials for authentication on SSH server
    Forwarding.Username = tbUsername.Text;
    Forwarding.Password = tbPassword.Text;
    // Specifying network interface and port number to be opened locally
    Forwarding.ForwardedHost = "";
    Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);
    // Specifying destination host where the server should forward the data to.
    // Please note that the destination should be specified according to
    // the SSH server's point of view, not the SSH client's one. E.g., 127.0.0.1 will
    // stand for the SSH server's localhost.
    Forwarding.DestHost = tbDBAddress.Text;
    Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);
    // Opening SSH connection
    Forwarding.Open();
}

A bit more complex is the code of the RunQuery() method (to be exact, the code of the RunQueryThreadFunc() method, which is invoked in a separate thread by the RunQuery() method):

private void RunQueryThreadFunc()
{
    MySqlConnection MySQLConnection = new MySqlConnection();
    // forming connection string
    string connString = "database=" + tbDBName.Text + ";user id=" + tbDBUsername.Text +
        ";pwd=" + tbDBPassword.Text + ";Connect Timeout=30;";
    if (cbUseTunnelling.Checked)
    {
        // specifying local destination if forwarding is enabled
        connString = connString + "server=127.0.0.1;port=" + tbFwdPort.Text + ";";
    }
    else
    {
        // specifying real MySQL server location if forwarding is not used
        connString = connString + "server=" + tbDBAddress.Text + ";port=" + tbDBPort.Text + ";";
    }
    MySQLConnection.ConnectionString = connString;
    try
    {
        // opening MySQL connection
        Log("Connecting to MySQL server...");
        MySQLConnection.Open();
        Log("Connection to MySQL server established. Version: " + MySQLConnection.ServerVersion + ".");
        MySqlCommand cmd = new MySqlCommand(tbQuery.Text, MySQLConnection);
        // reading query results
        MySqlDataReader reader = cmd.ExecuteReader();
        try
        {
            for (int i = 0; i < reader.FieldCount; i++)
            {
                AddQueryColumn(reader.GetName(i));
            }
            while (reader.Read())
            {
                string[] values = new string[reader.FieldCount];
                for (int i = 0; i < reader.FieldCount; i++)
                {
                    values[i] = reader.GetString(i);
                }
                AddQueryValues(values);
            }
        }
        finally
        {
            reader.Close();
        }
    }
    catch (Exception ex)
    {
        Log("MySQL connection failed (" + ex.Message + ")");
    }
    finally
    {
        // closing both MySQL and SSH connections
        Log("Closing MySQL connection");
        MySQLConnection.Close();
        Forwarding.Close();
    }
}

And, that's all! But there is one more thing I need to draw your attention to. As both SSH and MySQL protocols run in separate threads and access GUI controls from those threads, we need to handle the GUI access in a special way to prevent cross-thread problems. I will illustrate this with the example of the Log() method:

delegate void LogFunc(string S);

private void Log(string S)
{
    if (lvLog.InvokeRequired)
    {
        // called from a worker thread: marshal the call onto the GUI thread
        LogFunc d = new LogFunc(Log);
        Invoke(d, new object[] { S });
    }
    else
    {
        ListViewItem item = new ListViewItem();
        item.Text = DateTime.Now.ToShortTimeString();
        item.SubItems.Add(S);
        lvLog.Items.Add(item);
    }
}

Finally, the application is finished, and we may try it in work. So, click F5 and specify the following settings in the text fields of the application form:
- SSH server location, port, username and password used to authenticate to it.
- Database server address, port, username, password, database name and query.
- Turn on the "Use tunneling" checkbox.

Remember that the database server address should be specified as it is visible from the SSH server. Now click the Start button and wait for the query results. If all the parameters have been specified correctly, we should get something like this:

Features and requirements

The SSH protocol provides (and SecureBlackbox implements) the following features:
- Strong data encryption using AES, Triple DES, Twofish, Serpent and many other symmetric algorithms with key lengths up to 256 bits
- Client authentication using one or multiple authentication types (password-based, public key-based, X.509 certificate-based, interactive challenge-response authentication)
- Server authentication
- Strong key exchange based on DH or RSA public key algorithms
- Data integrity protection
- Compression of tunneled data
- Multiplexing several tunneled connections through a single SSH connection

SecureBlackbox provides the following functionality as well:
- Comprehensive standards-compliant implementation of the SSH protocol (both client and server sides)
- Support for cryptographic tokens as storage for keys and certificates
- Windows system certificate stores support
- Professional and fast customer support

SecureBlackbox is available in .NET, VCL and ActiveX editions. This means that you can use the components in projects implemented in C#, VB.NET, Object Pascal (Delphi), FreePascal, VB6 and C++ languages. SecureBlackbox (.NET edition) is available for Microsoft .NET Framework 1.1, 2.0, 3.0 and 3.5, and .NET Compact Framework.

Copyright (c) 1998-2011, EldoS Corporation.