Thread: secure ODBC connection
Hi,

<<Sorry for partially O.T.>>

Is there a way to tunnel a Win'98 ODBC connection into an ssh connection? Tunnelling a TCP/IP connection in an ssh stream is a good and simple way to obtain acceptable levels of security in client-server applications. Unfortunately I've not found a way to do it on Win'95-98 boxes. I heard ssh tunnelling is supported at o.s.-level in win2000.

Best regards,
Silvio
On Thu, Sep 13, 2001 at 01:39:02PM +0000, Mister ics wrote:

> Tunnelling a TCP/IP connection in a ssh stream is a good and simple
> way to obtain acceptable levels of security in client-server
> applications. Unfortunately i've not found a way to do it on
> Win'95-98 boxes.

PuTTY -- http://www.chiark.greenend.org.uk/~sgtatham/putty/

The CVS (not the released) version supports tunnelling, and it's free and extremely small (<300k for one of the executables, no DLLs). There are both terminal-like and command-line programs in the suite.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Hi Mike,

does current CVS win32-ODBC support the TCP/IP tunnelling ? I can find various clients to connect to a ssh shell on port 22, my problem, instead, is to tunnel into ssh the ODBC Postgres SQL connection from-and-to the back-end.

Thanks,
Silvio

>From: Mike Renfro <renfro@tntech.edu>
>To: Mister ics <mister_ics@hotmail.com>
>CC: pgsql-odbc@postgresql.org
>Subject: Re: [ODBC] secure ODBC connection
>Date: Thu, 13 Sep 2001 14:07:10 -0500
>
>On Thu, Sep 13, 2001 at 01:39:02PM +0000, Mister ics wrote:
>
> > Tunnelling a TCP/IP connection in a ssh stream is a good and simple
> > way to obtain acceptable levels of security in client-server
> > applications. Unfortunately i've not found a way to do it on
> > Win'95-98 boxes.
>
>PuTTY -- http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
>The CVS (not the released) version supports tunnelling, and it's free
>and extremely small (<300k for one of the executables, no DLLs). There
>are both terminal-like and command-line programs in the suite.
>
>--
>Mike Renfro / R&D Engineer, Center for Manufacturing Research,
>931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Hi Cedar,

Thank you for answering. I know CIPE: it's a very good program, but the problem is that actually it works only on win2000 platform. I have many customers using win98 boxes as clients, and they don't want to make micro$oft more rich upgrading a lot of licenses to win2000.

Although I understand that to write a tunnelling layer protocol we need to work at packet-protocol level, and maybe it is difficult, and/or dangerous to do this on win95-98 o.s.

Anyway, waiting for the IPSEC standard, I hope that there is a solution for this problem: ODBC postgres SQL driver sends clear text passwords and data on lan segment, and in some cases it can be very dangerous (sniffing a-go-go).

Best Regards,
Silvio

>
>I don't consider it off topic at all. Depending on your situation, you
>may want to use some other sort of tunnel (I'm using CIPE). For example,
>we have a few offices around the world. I have set up a linux server at
>each location to do basic server stuff (mainly internet sharing). The
>servers create a VPN over the internet, which for us is good enough. Of
>course, this assumes a "safe" environment in the office (eg, not packet
>sniffers). All that is needed is a linux box at each end (or possibly
>even win2000) and CIPE. If you're interested, go google for 'cipe'.
>
>-Cedar
Simple way of doing this with almost anything, is to use SSH

- Install SSH on the DB machine
- Install an SSH client on Windows (lots of GUI versions, but there is a command line one that comes with Cygwin.)
- Using the SSH client, log onto the db machine, and forward the db port to a port on localhost.

Using ssh.exe from cygwin like this:

=============DOS PROMPT==============
C:\>ssh -L 80:192.168.0.254:80 -l root -T 192.168.0.254
root@192.168.0.254's password:
stdin: is not a tty
exit
'dumb': unknown terminal type.
Waiting for forwarded connections to terminate...
The following connections are open:
  #0 listen port 80 for 192.168.0.254 port 80, connect from 127.0.0.1 port 1987 (t4 r1 i1/0 o16/0 fd 4/4)
=============END PROMPT==============

The above example forwards port 80 to localhost port 80, and specifies that no actual terminal session be started on the server you've logged onto (forward port only)

- Set up your programs on the windows machine to connect to localhost via ODBC settings.

Regards,
Mathew

ps - I use Win2k, and have not found an SSH client by default

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org]On Behalf Of Mister ics
> Sent: Thursday, 13 September 2001 1:39 PM
> To: pgsql-odbc@postgresql.org
> Subject: [ODBC] secure ODBC connection
>
>
> Hi,
>
> <<Sorry for partially O.T. >>
>
> is there a way to tunnel a win'98 ODBC connection into a ssh connection ?
> Tunnelling a TCP/IP connection in a ssh stream is a good and
> simple way to
> obtain acceptable levels of security in client-server applications.
> Unfortunately i've not found a way to do it on Win'95-98 boxes.
> I heard ssh tunnelling is supported at o.s.-level in win2000.
On Thu, Sep 13, 2001 at 09:17:46PM +0000, Mister ics wrote:

> does current CVS win32-ODBC support the TCP/IP tunnelling ? I can
> find various clients to connect to a ssh shell on port 22, my
> problem, instead, is to tunnel into ssh the ODBC Postgres SQL
> connection from-and-to the back-end.

Doesn't matter. The whole point of ssh tunneling is to provide crypto for programs that wouldn't otherwise have it (certain pop, imap, http, whatever programs).

As Matthew Frank pointed out, make an ssh tunnel from localhost:odbcport to odbchost:odbcport and point your ODBC client to localhost instead of odbchost.

To try a simpler example, I've used putty's terminal app to tunnel localhost:9673 to a remote host's port 9673 (not for ODBC, but for web work). Pointed my web browser at localhost:9673 and up popped the remote web site. Secure as SSL, but without the cost.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Hi Mike,

I understand now... but I still have a problem on server side :-)

When I start the tunnel on back-end side:

ssh -N -L 3333:myserver.myorg.com:5432 relay@myserver.myorg.com

it starts to listen on port 3333 of the 127.0.0.1 host (lo). If I try to connect to myserver.myorg:3333 from the outside, the connection is refused because the tunnel does not work on the network interface's address (e.g. 192.168.0.1), but only on the lo interface.
How can I "export" that tunnel to the outside?

Thanks in advance,

Regards,
Silvio

>Doesn't matter. The whole point of ssh tunneling is to provide crypto
>for programs that wouldn't otherwise have it (certain pop, imap, http,
>whatever programs).
>
>As Matthew Frank pointed out, make an ssh tunnel from
>localhost:odbcport to odbchost:odbcport and point your ODBC client to
>localhost instead of odbchost.
>
>To try a simpler example, I've used putty's terminal app to tunnel
>localhost:9673 to a remote host's port 9673 (not for ODBC, but for web
>work). Pointed my web browser at localhost:9673 and up popped the
>remote web site. Secure as SSL, but without the cost.
>
You're starting it at the wrong place. You start the connection from the machine you are connecting from - not the database server. Otherwise you are setting up a secure tunnel within the machine, instead of across the network!

Run the SSH command on the Windows client machine.

Regards,
Mathew

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org]On Behalf Of Mister ics
> Sent: Sunday, 16 September 2001 9:36 AM
> To: renfro@tntech.edu
> Cc: pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] secure ODBC connection
>
>
> Hi Mike,
>
> I understand now... but i still have a problem on server side :-)
>
> When i start the tunnel on back-end side:
>
> ssh -N -L 3333:myserver.myorg.com:5432 relay@myserver.myorg.com
>
> it starts to listen on port 3333 of the 127.0.0.1 host (lo). If i try to
> connect to myserver.myorg:3333 from the outside, the connection
> is refused
> because the tunnel does not work on the network interface's address (e.g.
> 192.168.0.1), but only on the lo interface.
> How can i "export" that tunnel to the outside.
>
> Thanks in advance,
>
> Regards,
> Silvio
> >Doesn't matter. The whole point of ssh tunneling is to provide crypto
> >for programs that wouldn't otherwise have it (certain pop, imap, http,
> >whatever programs).
> >
> >As Matthew Frank pointed out, make an ssh tunnel from
> >localhost:odbcport to odbchost:odbcport and point your ODBC client to
> >localhost instead of odbchost.
> >
> >To try a simpler example, I've used putty's terminal app to tunnel
> >localhost:9673 to a remote host's port 9673 (not for ODBC, but for web
> >work). Pointed my web browser at localhost:9673 and up popped the
> >remote web site. Secure as SSL, but without the cost.
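
The mix-up resolved in the exchange above, as an added example that is not part of any poster's message: a small shell helper that classifies an `ssh -L` forward by where the command is typed and where its listener and destination sit. The verdict strings and the host names `win98-client` and `db.example.internal` are constructed; the explicit bind-address form of `-L` is standard OpenSSH syntax that the thread itself does not use.

```shell
#!/bin/sh
# Added example: classify where database traffic is protected for
#   ssh -L SPEC user@SSH_SERVER   typed on machine RUN_ON.
# Verdict names and the host "win98-client" are constructed for illustration.

# parse_forward SPEC -> "bind lport dhost dport" (IPv6 literals not handled)
parse_forward() {
    spec=$1
    n=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $n in
        2) bind=127.0.0.1; rest=$spec ;;          # ssh default: loopback only
        3) bind=${spec%%:*}; rest=${spec#*:} ;;   # explicit bind address
        *) return 1 ;;
    esac
    lport=${rest%%:*}; rest=${rest#*:}
    dhost=${rest%%:*}; dport=${rest#*:}
    printf '%s %s %s %s\n' "$bind" "$lport" "$dhost" "$dport"
}

is_loopback() {
    case $1 in 127.0.0.1|localhost) return 0 ;; *) return 1 ;; esac
}

# tunnel_verdict RUN_ON SSH_SERVER SPEC
tunnel_verdict() {
    run_on=$1; server=$2
    parsed=$(parse_forward "$3") || { echo invalid-spec; return 1; }
    set -- $parsed   # $1=bind $2=lport $3=dhost $4=dport
    if [ "$run_on" = "$server" ]; then
        # ssh connects to its own host: the encrypted leg never reaches the network.
        echo tunnel-inside-one-machine
    elif ! is_loopback "$1"; then
        # Other hosts can reach the listener and would send cleartext to it.
        echo listener-exposed
    elif is_loopback "$3" || [ "$3" = "$server" ]; then
        # Cleartext exists only on loopback at each end; the network leg is ssh.
        echo encrypted-on-the-wire
    else
        # sshd opens a plain TCP connection from SSH_SERVER to another host.
        echo cleartext-last-hop
    fi
}

# The command from the thread, typed on the server and then on a client.
tunnel_verdict myserver.myorg.com myserver.myorg.com 3333:myserver.myorg.com:5432
tunnel_verdict win98-client myserver.myorg.com 3333:myserver.myorg.com:5432
```

With the tunnel started on the client, the ODBC data source points at localhost port 3333 and only the ssh port of the database server needs to be reachable from the client.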
Hi Mathew,

yep, it works fine now. Thank you very much for help.
I liked postgresql... but now that I have security and confidentiality.. I love it :-) LOL.
Great Job guys. Thank you very much to all.

>
>Run the SSH command on the Windows client machine.
>
>Regards,
>Mathew
>