ssh tunneling in your application

8/6/2019 SSH Tunneling in Your Application

1/9

SITE SEARCH

Search

Advanced search

SOLUTION GUIDE

For Software Developers

For Business Integrators

PRODUCT LINES

BizCrypto

SecureBlackbox

Callback File System

CallbackFilter

CallbackDisk

SolFS (Solid File System)

RawDisk

MsgConnect

VoxPopuli

Custom services

NEED HELP?

Support options

Knowledgebase

Forums

HelpDesk

CUSTOMER RELATIONS

Testimonials

Geography

Contact Us

My Control Center

COMPANY INFORMATION

Company news

Corporate information

For investors

For press

For partners

Support and Res

Knowledgebase

Documentation o

Forum

Ask a question in

Latest version

8.2.197

Released 17 March

New And Improv

Features

Change list

Download

Most wanted fea

Direct support for

spanish government

format "facturae" foelectronic invoices

Add CAB compressi

and CAB signing

support

Planned

Fill PDF forms

In progress

Vote or request a

Home / SecureBlackbox / SSH tunneling in your application

Using SSH tunneling for securing MySQL connectionsIntroduction

This article is dedicated to the task of securing MySQL client-server connection using functionality provided by the Secure

Shell (SSH) protocol. To be exact, the SSH tunneling concept is utilized. We will review the steps needed to build secure

MySQL client applications and implement a sample one ourselves.

MySQL traffic is not the only kind of data that can be tunneled by the Secure Shell. SSH can be used to secure any

application-layer TCP-based protocol, such as HTTP, SMTP and POP3. If your application needs to secure such a protocol

by tunneling it through a protected SSH connection, this article will be useful to you.

Background

Let's imagine that we are developing an enterprise application that needs to send requests to a number of SQL servers

all over the world and get responses from them (let's imagine that it's a super-powerful bank system that stores

information about millions of accounts).

Let's take a look at what we have:

As you see, all the data between the application and SQL servers are transferred via the Internet "as is". As most

protocols used by SQL servers do not provide data integrity and confidentiality (and those that do, do it in a quite

nontransparent way), all the transferred requests and responses may (and be sure, they will!) become visible to a

passive adversary. An active adversary can cause much more serious problems - he can alter the data and no one will

detect it!

SSH (Secure She ll) is a protocol that may help in solving this prob lem. One of its outstanding features is its ability to

tunnel different types of connections through a single, confident and integrity-protected connection.

It works in the following way:

Now you do not have to worry about securing the data transferred over the Internet - SSH will handle this for you. In

particular, SSH will take care of the following security aspects:

Strong data encryption according to the latest industry-standard algorithms (AES, Twofish)

Authentication of both client and server computers

Data integrity protection

Stability with regard to d ifferent kinds of network attacks

Compression of the data being tunneled

http://www.eldos.com/SecureBlackbox/articles/ssh_tunneling/SSHTunn


2/9

Complete independence of the operating system and network specifics

Tunneling (or forwarding) works in the following way:

SSH client opens a listening port on some local network interface and tells the SSH server that he wishes to

forward all connections accepted on this port to some remote host.

1.

When another connection is accepted on the listening port, the SSH client informs the SSH server about this fact

and they together establish a logical tunnel for it. At the same time, the SSH server establishes a new TCPconnection to the remote host agreed upon in step 1.

2.

The SSH client encrypts all the data it receives from the accepted connection and sends it to the SSH server. The

SSH server decrypts the data received from the SSH client and sends it to the remote host.

3.

Please note, that the SSH client acts as a TCP server for the connections it accepts, and the SSH server acts as a TCP

client for the connections it establishes to the remote host.

A single SSH connection can tunnel as many application layer connections as needed. This means that you can defend

your server by moving all the listening ports (e.g., database and application server ports) to a local network, leaving only

the SSH port open. It is much easier to take care of a single port, rather than a dozen different listening ports.

Into the Fire!

Let's develop a small application that illustrates the use of SSH forwarding capabilities. We will consider an important task

of securing a connection between a MySQL client application and a MySQL server. Imagine that we need to get

information from the database server, which is located a thousand miles away from us, in a secure way.

The following picture explains the scheme we will utilize:

SecureMySQLClient is the application we are planning to implement. It includes the following modules:

SSH client-side module with forwarding capabilities

MySQL client-side module

User interface for configuring app lication settings and displaying query results.

The SSH server runs in a remote network and is visible from the Internet. The database (MySQL) server runs in the

same network as the SSH server and may not be visible from the Internet.

The process of performing secure data exchange between SecureMySQLClient and the Database server goes as follows:

The SSH client module negotiates a secure connection to the SSH server and establishes forwarding from some

local port to the remote MySQL server.

1.

The MySQL client module connects to the listening port opened by the SSH client module.2.

The SSH client and server set up a logical tunnel for the accepted connection.3.

The MySQL client sends SELECT to the port opened by the SSH client module, which encrypts it and sends it to

the SSH server. The SSH server decrypts the request and sends it to the MySQL server.

4.

The SSH server receives a response from the MySQL server, encrypts it and sends it back to the SSH client, which

decrypts it and passes it to the MySQL client module.

5.

Looks too complex? Implementing this is easier than you think.So, let's go and do it.

We will need the following products installed on the computer before creating the application:

Microsoft Visual Studio .NET 2003, 2005 or 2008.

EldoS SecureBlackbox (.NET edition). Can be downloaded from http://www.eldos.com/sbb/download.php.

MySQL .NET Connector. Can be downloaded from http://www.mysql.com/products/connector/net/.

Let's now open Microsoft Visual Studio .NET (we will use the 2005 version) and try to build such an app lication from

scratch.



3/9

Let's start by creating a simple user interface:

After the GUI design has been finished, we can go on with the business logic code itself. First, adding references to the

following assemblies to our project:

SecureBlackbox

SecureBlackbox.PKI (only in SecureBlackbox 5. SecureBlackbox 6 doesn't have this assembly)

SecureBlackbox.SSHClient

SecureBlackbox.SSHCommon

MySql.Data



4/9

Placing ElSSHLocalPortForwarding component on the form and g iving it the SSHForwarding name:

SSHForwarding notifies us about certain situations via its events, so we need to create handlers for some of them:

OnAuthenticationSuccess Is fired when the client authentication process has been completed.

OnAuthenticationFailed I

OnError Is fired if some protocol error occurs during the session. Usually this leads

to a connection closure. The exact error can be detected via the error code

passed to it.

OnKeyValidate Is used to pass the received server key to the application. Please note that

incorrect handling of this event may result in a serious security breach. The

handler of this event should verify that the passed key corresponds to the

remote server (and warn the user if it does not). If the key is valid, thehandler should set the Validate parameter to true.

The sample does not perform key checkup for the sake of simplicity.

OnOpen Is fired when the SSH connection is established and the component is

ready to tunnel data. We will use the handler of this event to kick the

MySQL client component.

OnClose Is fired when the SSH connection is closed.

OnConnectionOpen Is f ired when a new tunnel is created. The corresponding tunneled

connection object is passed as parameter.

OnConnectionClose Is fired when an existing tunnel is closed.

Implementing two core methods, SetupSSHConnection() and RunQuery(). The first one initializes the SSHForwarding

object and establishes an SSH session to the remote server by calling its Open() method, and the second one sends the

query to the MySQL server.



5/9

The logic is displayed on the following picture:

The code of the SetupSSHConnection() method is pretty simple:

private void SetupSSHConnection()

{

// Specifying address and port of SSH server

Forwarding.Address = tbSSHAddress.Text;

Forwarding.Port = Convert.ToInt32(tbSSHPort.Text);

// Setting credentials for authentication on SSH server

Forwarding.Username = tbUsername.Text;

Forwarding.Password = tbPassword.Text;

// Specifying network interface and port number to be opened locally

Forwarding.ForwardedHost = "";

Forwarding.ForwardedPort = Convert.ToInt32(tbFwdPort.Text);

// Specifying destination host where the server should forward the data to.

// Please note, that the destination should be specified according to

// SSH servers point of view. E.g. , 127.0.0.1 will stand for

// SSH servers localhost, not SSH clients one.

Forwarding.DestHost = tbDBAddress.Text;

Forwarding.DestPort = Convert.ToInt32(tbDBPort.Text);

// Opening SSH connection

Forwarding.Open();



6/9

}

A bit more complex is the code of the RunQuery() method (to be exact, the code of RunQueryThreadFunc() method,

which is invoked in a separate thread by the RunQuery() method):

private void RunQueryThreadFunc()

{

MySqlConnection MySQLConnection = new MySqlConnection();

// forming connection string

string connString = "database=" + tbDBName.Text + ";Connect Timeout=30;user id=" +

tbDBUsername.Text + "; pwd=" + tbDBPassword.Text + ";";

if (cbUseTunnelling.Checked)

{

// specifying local destination if forwarding is enabled

connString = connString + "server=127.0.0.1; port=" + tbFwdPort.Text;

}

else

{

// specifying real MySQL server location if forwarding is not used

connString = connString + "server=" + tbDBAddress.Text + "; port=" + tbDBPort.Text;

}

MySQLConnection.ConnectionString = connString;

try

{

// opening MySQL connection

MySqlCommand cmd = new MySqlCommand(tbQuery.Text, MySQLConnection);

Log("Connecting to MySQL server...");

MySQLConnection.Open();

Log("Connection to MySQL server established. Version: " + MySQLConnection.ServerVersion + ".");

// reading query results

MySqlDataReader reader = cmd.ExecuteReader();

try

{

for (int i = 0; i < reader.FieldCount; i++)

{



7/9

AddQueryColumn(reader.GetName(i));

}

while (reader.Read())

{

string[] values = new string[reader.FieldCount];

for (int i = 0; i < reader.FieldCount; i++)

{

values[i] = reader.GetString(i);

}

AddQueryValues(values);

}

}

finally

{

// closing both MySQL and SSH connections

Log("Closing MySQL connection");

reader.Close();

MySQLConnection.Close();

Forwarding.Close();

}

}

catch (Exception ex)

{

Log("MySQL connection failed (" + ex.Message + ")");

}

}

And, that's all!

But there is one more thing I need to draw your attention to. As both SSH and MySQL protocols run in separate threads

and access GUI controls from those threads, we need to handle the GUI access in a special way to prevent a cross-

thread problems. I will illustrate this with the example of the Log() method:

delegate void LogFunc(string S);

private void Log(string S)

{

if (lvLog.InvokeRequired)



8/9

{

LogFunc d = new LogFunc(Log);

Invoke(d, new object[] { S });

}

else

{

ListViewItem item = new ListViewItem();

item.Text = DateTime.Now.ToShortTimeString();

item.SubItems.Add(S);

lvLog.Items.Add(item);

}

}

Finally, the application is finished, and we may try it in work. So clicking F5 and specifying the following settings in the

text fields of the application form:

SSH server location, username and password used to authenticate to it.

Database server address, port, username, password, database name and query. Remember that database server

address should be specified as it is visible from the SSH server.

Turning on the "Use tunneling" checkbox.

Now click the Start button and wait for the query results. If all the parameters have been specified correctly, we should

get something like this:

Features and requirements



9/9

|

SSH protocol provides (and SecureBlackbox implements) the following features:

Strong data encryption using AES, Twofish, Triple DES, Serpent and many other symmetric algorithms with key

lengths up to 256 bits

Client authentication using one or multiple authentication types (password-based, public key-based, X.509

certificate-based, interactive challenge-response authentication)

Server authentication

Strong key exchange based on DH or RSA public key algorithmsData integrity protection

Compression of tunneled data

Multiplexing several tunneled connections through a single SSH connection

SecureBlackbox provides the following functionality as well:

Comprehensive standards-compliant implementation of the SSH protocol (both client and server sides)

Support for cryptographic tokens as storage for keys and certificates

Windows system certificate stores support

Professional and fast customer support

SecureBlackbox is available in .NET, VCL and ActiveX editions. This means that you can use the components in projects

implemented in C#, VB.NET, Object Pascal (Delphi), FreePascal, VB6 and C++ languages.

SecureBlackbox (.NET edition) is available for Microsoft .NET Framework 1.1, 2.0, 3.0 and 3.5, and .NET Compact

Framework.

Contact Us | Terms of Use | Trademarks | Privacy Statement | Site Index

Copyright (c) 1998-2011, EldoS Corporation

Design by Web Arsenal


ssh tunneling in your application

Documents