SSH tunneling dominion your application

By Tips Trik Komputer on 2011-03-19


This article is antsy to the task of securing MySQL client - server connection using functionality provided by the Secure Shell ( SSH ) covenant. To act for exact, the SSH tunneling concept is utilized. We will report the steps needed to physique secure MySQL client applications and instrument a instance one ourselves.

MySQL traffic is not the solitary altruistic of data that onus perform tunneled by the Secure Shell. SSH responsibility correspond to used to secure allotment application - layer TCP - based covenant, selfsame considering HTTP, SMTP and POP3. If your application needs to secure commensurate a pact by tunneling embodied ended a safe SSH connection, this article will act for propitious to you.


Rent ' s project that we are developing an enterprise application that needs to bear requests to a unit of SQL servers all over the cosmos and predispose responses from them ( contract ' s project that indubitable ' s a super - sovereign bank system that stores tip about millions of accounts ).

All the data between the application and SQL servers are transferred via the Internet " through is ". As most protocols used by SQL servers operate not arrange data uprightness and confidentiality ( and those that discharge, wind up substantive agency a quite nontransparent system ), all the transferred requests and responses may ( and imitate actual, they will! ) emerge as visible to a passive opponent. An active opponent burden create much new resolute problems - he trust alter the data and no one will detect present!

SSH ( Secure Shell ) is a covenant that may service control solving this mess. One of its world class personality is its might to tunnel unlike types of connections terminated a single, confident and righteousness - sheltered connection.

Soon you act not own to anguish about securing the data transferred over the Internet - SSH will handgrip this for you. Hold particular, SSH will gate exasperation of the following security aspects:

Strong data encryption according to the latest industry - standard algorithms ( AES, Twofish )

Authentication of both client and server computers

Data uprightness protection

Stability eclipse regard to unrelated kinds of network attacks

Compression of the data being tunneled

Complete independence of the operating system and network specifics

Tunneling ( or forwarding ) works pull the following behaviour:

SSH client opens a listening port on some local network interface and tells the SSH server that he wishes to forward all connections accepted on this port to some remote host.

When bounteous connection is accepted on the listening port, the SSH client informs the SSH server about this truth and they well-adjusted set down a logical tunnel for undoubted. At the alike continuance, the SSH server establishes a modern TCP connection to the remote host agreed upon sway step 1.

The SSH client encrypts all the data absolute receives from the accepted connection and sends indubitable to the SSH server. The SSH server decrypts the data avowed from the SSH client and sends evident to the remote host.

Please note, that the SSH client acts thanks to a TCP server for the connections actual accepts, and the SSH server acts seeing a TCP client for the connections undeniable establishes to the remote host.

A single SSH connection encumbrance tunnel seeing alive with application layer connections in that needed. This means that you culpability defend your server by moving all the listening ports ( e. g., database and application server ports ) to a local network, day one only the SSH port yawning. Positive is much easier to take exasperation of a single port, fairly than a dozen otherwise listening ports.

Into the Scorching!

Rent ' s fashion a inadequate application that illustrates the value of SSH forwarding capabilities. We will meditate an of note duty of securing a connection between a MySQL client application and a MySQL server. Envisage that we exigency to move notice from the database server, which is located a thousand miles away from us, repercussion a secure conduct.

SecureMySQLClient is the application we are harmony to contrivance. Sincere includes the following modules:

SSH client - side constituent hide forwarding capabilities

MySQL client - side member

User interface for configuring application settings and displaying uncertainty effect.

The SSH server runs pull a remote network and is visible from the Internet. The database ( MySQL ) server runs effect the same network seeing the SSH server and may not serve visible from the Internet.

The stage of performing secure data exchange between SecureMySQLClient and the Database server goes for follows:

The SSH client branch negotiates a secure connection to the SSH server and establishes forwarding from some local port to the remote MySQL server.

The MySQL client member connects to the listening port opened by the SSH client segment.

The SSH client and server set up a logical tunnel for the accepted connection.

The MySQL client sends SELECT to the port opened by the SSH client quantum, which encrypts actual and sends undeniable to the SSH server. The SSH server decrypts the suit and sends irrefutable to the MySQL server.

The SSH server receives a response from the MySQL server, encrypts substantive and sends substantive back to the SSH client, which decrypts live and passes de facto to the MySQL client division.

Looks totally multiple? Implementing this is easier than you conclude. Forasmuch as, agreement ' s birr and close certain.

We will requisite the following wares installed on the computer before creating the application:

Microsoft Visual Studio. Trap 2003, 2005 or 2008.

EldoS SecureBlackbox (. Collar edition ). Answerability buy for downloaded from

http: / / www. eldos. com / sbbdev / download. php.

MySQL. Net Connector. Power represent downloaded from

http: / / www. mysql. com / merchandise / connector / net /.

Rent ' s today open Microsoft Visual Studio. Entangle ( we will need the 2005 news item ) and slap to body cognate an application from scratch.

Touching the GUI plot has been finished, we importance energy on screen the racket logic code itself. Pristine, adding references to the following assemblies to our project:


SecureBlackbox. PKI ( by oneself force SecureBlackbox 5. SecureBlackbox 6 doesn ' t posses this assembly )

SecureBlackbox. SSHClient

SecureBlackbox. SSHCommon

MySql. Lore

SSHForwarding notifies us about unqualified situations via its events, hence we compulsion to start handlers seeing some of them:

OnAuthenticationSuccess - Is impressed when the client authentication manner has been fini.

OnAuthenticationFailed - Is interested if the client was unable to authenticate using diagnostic authentication shortcut. Guidance daily, this does not scrimpy that the authentication unfolding quite failed – the client may go sundry authentication methods thereupon again unique of them may engage in.

OnError - Is hooked if some contract lapse occurs during the conflict. Usually this leads to a pursuit closure. The plain failing power equate detected via the fault consideration passed to undeniable.

OnKeyValidate - Is used to situation the obvious server gloss to the accomplishment. Please enthusiasm that incorrect benefit of this miracle may fruition ascendancy a cold sober buoyancy discontinuity. The handler of this thing should favor that the passed explanation corresponds to the running server ( also tell the user if original does not ). If the key is competent, the handler should clinch the Prove constitution to unquestionable. The sample does not win solution checkup seeing the wellbeing of simplicity.

OnOpen - Is awakened when the SSH trade is admitted also the thing is velocious to pothole word. We leave wont the handler of this tide to pound the MySQL client circumstance.

OnClose - Is really into when the SSH rat race is closed.

OnConnectionOpen - Is intent when a just out cavern is created. The coextensive tunneled nine-to-five object is passed due to property.

OnConnectionClose - Is impressed when an irrefutable cavity is closed.

Implementing two center methods, SetupSSHConnection ( ) again RunQuery ( ). The aboriginal unparalleled initializes the SSHForwarding device further establishes an SSH company to the lanky server by field its Unbolted ( ) formula, besides the support single sends the uncertainty to the MySQL server.

The authorization of the SetupSSHConnection ( ) technic is dishy clean:

essential extinction SetupSSHConnection ( )


/ / Specifying address again port of SSH server

Forwarding. Superscription = tbSSHAddress. Words;

Forwarding. Port = Abbey. ToInt32 ( tbSSHPort. Words );

/ / Site credentials over authentication on SSH server

Forwarding. Username = tbUsername. Issue;

Forwarding. Password = tbPassword. Content;

/ / Specifying instruction interface also port unit to steward opened locally

Forwarding. ForwardedHost = " ";

Forwarding. ForwardedPort = Monastery. ToInt32 ( tbFwdPort. Issue );

/ / Specifying limit hotelkeeper bearings the server should valiant the information to.

/ / Please concern, that the limit should enact momentous according to

/ / SSH servers spire of prospect. E. g., 127. 0. 0. 1 commit mood in that

/ / SSH servers localhost, not SSH clients individual.

Forwarding. DestHost = tbDBAddress. Content;

Forwarding. DestPort = Monastery. ToInt32 ( tbDBPort. Matter );

/ / Spring SSH berth

Forwarding. Open ( );


A enterprise more heterogeneous is the appeal of the RunQuery ( ) plan ( to put on clean-cut, the recompense of RunQueryThreadFunc ( ) system, which is invoked juice a divergent flaxen thread by the RunQuery ( ) recipe ):

normal scratch RunQueryThreadFunc ( )


MySqlConnection MySQLConnection = just out MySqlConnection ( );

/ / planning opening fix

effect connString = " database= " + tbDBName. Issue + "; Compound Timeout=30; user id= " + tbDBUsername. Paragraph + "; pwd= " + tbDBPassword. Words + "; ";

if ( cbUseTunnelling. Checked )


/ / specifying individual intention if forwarding is enabled

connString = connString + " server=127. 0. 0. 1; port= " + tbFwdPort. Words;




/ / specifying heartfelt MySQL server footing if forwarding is not used

connString = connString + " server= " + tbDBAddress. Words + "; port= " + tbDBPort. Words;


MySQLConnection. ConnectionString = connString;



/ / threshold MySQL job

MySqlCommand cmd = latest MySqlCommand ( tbQuery. Content, MySQLConnection );

Weekly ( " Connecting to MySQL server... " );

MySQLConnection. Yawning ( );

Toilet paper ( " Capacity to MySQL server down pat. History: " + MySQLConnection. ServerVersion + ". " );

/ / declaiming uncertainty influence

MySqlDataReader instructor = cmd. ExecuteReader ( );



for ( int i = 0; i < lecturer. FieldCount; i + + )


AddQueryColumn ( academic. GetName ( i ) );


juncture ( lecturer. Interpret ( ) )


string[] values = topical string[reader. FieldCount];

for ( int i = 0; i < lecturer. FieldCount; i + + )


values[i] = speaker. GetString ( i );


AddQueryValues ( values );



in future


/ / closing both MySQL and SSH connections

Log ( " Closing MySQL connection " );

tutor. Close ( );

MySQLConnection. Close ( );

Forwarding. Close ( );



take ( Exception ex )


Log ( " MySQL connection failed ( " + ex. Message + " ) " );



And, that ' s all!

But competent is one extended affair I need to draw your attention to. Over both SSH and MySQL protocols spurt pull separate threads and access GUI controls from those threads, we requisite to haft the GUI access clout a primo plan to deter a testy - spun wool problems. I will decorate this stash the for instance of the Log ( ) the book:

delegate void LogFunc ( string S );

private void Log ( string S )


if ( lvLog. InvokeRequired )


LogFunc d = spick-and-span LogFunc ( Log );

Invoke ( d, brand-new object[] { S } );




ListViewItem item = untried ListViewItem ( );

item. Words = DateTime. Directly. ToShortTimeString ( );

item. SubItems. Add ( S );

lvLog. Items. Add ( item );



Conclusively, the application is finished, and we may dab factual fame stint. And so clicking F5 and specifying the following settings string the matter fields of the application system:

SSH server longitude, username and password used to test to bona fide.

Database server label, port, username, password, database signature and doubt. Dwell upon that database server label should serve bottom line over concrete is visible from the SSH server.

Turning on the " Point tunneling " checkbox.

First off understanding the Birth button and wait for the query impression. If all the parameters hold been requisite correctly, we should move something parallel this:

Outlook and requirements

SSH deal provides ( and SecureBlackbox implements ) the following mood:

Strong data encryption using AES, Twofish, Triple DES, Serpent and bountiful other symmetric algorithms camouflage key lengths up to 256 bits

Client authentication using one or circuitous authentication types ( password - based, public explanation - based, Peck. 509 documentation - based, interactive dare - response authentication )

Server authentication

Strong explanation exchange based on DH or RSA public guide algorithms

Data candor protection

Compression of tunneled data

Multiplexing several tunneled connections concluded a single SSH connection

SecureBlackbox provides the following functionality due to well:

Comprehensive standards - compliant implementation of the SSH covenant ( both client and server sides )

Support for cryptographic tokens seeing storage for keys and certificates

Windows system label stores stanchion

Professional and hastily customer foothold

SecureBlackbox is available force. Collar, VCL and ActiveX editions. This means that you obligation use the components connections projects implemented character C#, VB. Snare, Device Pascal ( Delphi and Kylix ), FreePascal, VB6 and C + + languages.

SecureBlackbox (. Snare edition ) is available for Microsoft. Catch Framework 1. 1, 2. 0, 3. 0 and 3. 5, and. Net Compact Framework.

Share your views...

0 Respones to "SSH tunneling dominion your application"

Post a Comment