Connecting to remote MySQL database via SSH
bruce.button:
I am developing a relatively simple desktop (Windows) app which will connect to a remote MySQL database (via the Internet). There will only be a few users, all of whom are known and trusted, so I don't think it's necessary to go to the extent of creating an API on the server and accessing the database from the desktop app via API calls.
However, I would like to increase the security by using a secure connection to the database. SSH is what comes to mind here. Is there a relatively straightforward way to connect a desktop app to the remote database via SSH? I've searched around and found some information on SSH in FreePascal/Lazarus, but none of it seems straightforward and it doesn't seem to relate directly to database connections.
Any help would be greatly appreciated!
PierceNg:
SSH is for tunneling the database connection.
Pre-requisite: <dbserver> allows incoming SSH connections.
Procedure: Connect to <dbserver> via SSH with port forwarding, such that, say, port 3306 on localhost is forwarded over the SSH connection to <dbserver>:3306. When your application connects to localhost:3306 using the MySQL client library, the traffic is tunneled over the SSH connection to <dbserver>:3306. See the documentation for your SSH client on setting up port forwarding.
Alternatively, set up MySQL to only allow TLS, and connect to <dbserver> using MySQL/TLS.
Nonetheless, whether SSH or MySQL/TLS, it's generally a bad idea to make your database directly accessible over the Internet. It's not about trustworthiness of your app's users. It's about trusting that their computers and <dbserver> won't be compromised, and that is usually being overly trusting.
af0815:
I always use a VPN for the tunneling. So it does not depend on the server and client. In the firewall I can declare the way packets pass through. So I have a one-stop shop for the entry.
Directly using SSH or similar to expose a server on the Internet is a no-go for me. There is no control over whether the server is actually patched and has no security hole. I know the maintainer has to provide security on the server, but with the firewall it is safer, because nobody comes unchecked and unwatched into the inner net.
rvk:
I agree with the previous posters that using a full-blown account for SSH is a big security risk.
You expose the complete machine to that one computer because the credentials for SSH are on the client and can be used by other apps/users to access your server.
On the other hand, if you only use SSH to a certain user which has absolutely no rights other than tunneling a connection (so not even a login), you might be more secure. There are ways to harden the security of SSH used only for tunneling. But you still expose all possible ports, although that's also the case with VPN. So if you want to go the SSH route, look into that. Otherwise, use VPN (but make sure both are secured).
For SSH see https://serverfault.com/a/360619/189940
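A tunnel-only SSH account of the kind discussed in the replies above, with the client-side port forward, shown as an added example that is not part of any poster's message. The account name `dbtunnel`, the `/usr/sbin/nologin` path and the simple one-user `Match User` form are assumptions; the audit function checks that an sshd_config actually carries the restrictions.

```shell
# Constructed sample: server-side restrictions for a tunnel-only account.
# "dbtunnel" and the nologin path are assumptions for this example.
hardened_conf() {
cat <<'EOF'
Match User dbtunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3306
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# Constructed sample of the risky case: forwarding allowed, nothing else limited.
weak_conf() {
cat <<'EOF'
Match User dbtunnel
    AllowTcpForwarding yes
EOF
}

# match_block USER: read sshd_config on stdin and print, lowercased and
# whitespace-normalised, the directives inside "Match User USER".
match_block() {
  awk -v u="$1" '
    tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == u); next }
    inblk && NF && $1 !~ /^#/ { $1 = $1; print tolower($0) }'
}

# audit_tunnel_user USER: read sshd_config on stdin, print each missing
# restriction, and return non-zero if any is missing.
audit_tunnel_user() {
  blk=$(match_block "$1"); rc=0
  for want in "allowtcpforwarding local" "permitopen 127.0.0.1:3306" \
              "permittty no" "x11forwarding no" "allowagentforwarding no"; do
    printf '%s\n' "$blk" | grep -qxF "$want" || { echo "missing: $want"; rc=1; }
  done
  printf '%s\n' "$blk" | grep -q '^forcecommand ' || { echo "missing: forcecommand"; rc=1; }
  return $rc
}

# Client side (run on the desktop before the app connects to localhost:3306):
# -N opens no remote shell; -L forwards local port 3306 to 127.0.0.1:3306 on <dbserver>.
#   ssh -N -L 3306:127.0.0.1:3306 dbtunnel@<dbserver>
```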
bruce.button:
Thank you, PierceNg, Andreas and rvk for the helpful comments. I will attempt to digest them properly and make an appropriate decision from there.