Thread: secure ODBC connection

Hi,

<<Sorry for partially O.T. >>

is there a way to tunnel a win'98 ODBC connection into a ssh connection ?
Tunnelling a TCP/IP connection in a ssh stream is a good and simple way to
obtain acceptable levels of security in client-server applications.
Unfortunately i've not found a way to do it on Win'95-98 boxes.
I heared ssh tunnelling is supported at o.s.-level in win2000.

Best regards,
   Silvio

_________________________________________________________________
Scarica GRATUITAMENTE MSN Explorer all'indirizzo
http://explorer.msn.it/intl.asp

On Thu, Sep 13, 2001 at 01:39:02PM +0000, Mister ics wrote:

> Tunnelling a TCP/IP connection in a ssh stream is a good and simple
> way to obtain acceptable levels of security in client-server
> applications.  Unfortunately i've not found a way to do it on
> Win'95-98 boxes.

PuTTY -- http://www.chiark.greenend.org.uk/~sgtatham/putty/

The CVS (not the released) version supports tunnelling, and it's free
and extremely small (<300k for one of the executables, no DLLs). There
are both terminal-like and command-line programs in the suite.

--
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu

Hi Mike,

does current CVS win32-ODBC support the TCP/IP tunnelling ?
I can find various clients to connect to a ssh shell on port 22, my problem,
instead, is to tunnel into ssh the ODBC Postgres SQL connection from-and-to
the back-end.

Thanks,
  Silvio

>From: Mike Renfro <renfro@tntech.edu>
>To: Mister ics <mister_ics@hotmail.com>
>CC: pgsql-odbc@postgresql.org
>Subject: Re: [ODBC] secure ODBC connection
>Date: Thu, 13 Sep 2001 14:07:10 -0500
>MIME-Version: 1.0
>Received: from [149.149.11.250] by hotmail.com (3.2) with ESMTP id
>MHotMailBD6A4F2D00B74004315695950BFA09720; Thu, 13 Sep 2001 12:08:30 -0700
>Received: from mwr by ch208d.cae.tntech.edu with local (Exim 3.12 #1
>(Debian))id 15hbpO-0004K8-00; Thu, 13 Sep 2001 14:07:10 -0500
From mwr@ch208d.cae.tntech.edu Thu, 13 Sep 2001 12:09:15 -0700
>Message-ID: <20010913140710.B14845@ch208d.cae.tntech.edu>
>References: <F1549L3H0IFy9WYf68F0000f270@hotmail.com>
>User-Agent: Mutt/1.2.5i
>In-Reply-To: <F1549L3H0IFy9WYf68F0000f270@hotmail.com>; from
>mister_ics@hotmail.com on Thu, Sep 13, 2001 at 01:39:02PM +0000
>Sender: Mike Renfro <mwr@ch208d.cae.tntech.edu>
>
>On Thu, Sep 13, 2001 at 01:39:02PM +0000, Mister ics wrote:
>
> > Tunnelling a TCP/IP connection in a ssh stream is a good and simple
> > way to obtain acceptable levels of security in client-server
> > applications.  Unfortunately i've not found a way to do it on
> > Win'95-98 boxes.
>
>PuTTY -- http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
>The CVS (not the released) version supports tunnelling, and it's free
>and extremely small (<300k for one of the executables, no DLLs). There
>are both terminal-like and command-line programs in the suite.
>
>--
>Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
>931 372-3601 / Tennessee Technological University -- renfro@tntech.edu


_________________________________________________________________
Scarica GRATUITAMENTE MSN Explorer all'indirizzo
http://explorer.msn.it/intl.asp

Hi Cedar,

Thank you for answering.
I know CIPE: it's a very good program, but the problem is that actually it
works only on win2000 platform. I have many customers using win98 boxes as
clients, and they don't want to make micro$oft more rich upgrading a lot of
licenses to win2000 .
Althoug i understand that to write a tunnelling layer protocol we need to
work at packet-protocol level, and maybe it is difficult, and/or dangerous
to do this on win95-98 o.s': Anyway, waiting for the IPSEC standard, i hope
that there is a solution for this problem: ODBC postgres SQL driver, sends
clear text passwords and data on lan segment, and in some cases it can be
very dangerous (sniffing a-go-go).

Best Regards,
   Silvio

>
>I don't consider it off topic at all.  Depending on your situation, you
>may want to use some other sort of tunnel (I'm using CIPE).  For example,
>we have a few offices around the world.  I have set up a linux server at
>each location to do basic server stuff (mainly internet sharing).  The
>servers create a VPN over the internet, which for us is good enough.  Of
>course, this assumes a "safe" environment in the office (eg, not packet
>sniffers).  All that is needed is a linux box at each end (or possibly
>even win2000) and CIPE.  If you're interested, go google for 'cipe'.
>
>-Cedar



_________________________________________________________________
Scarica GRATUITAMENTE MSN Explorer all'indirizzo
http://explorer.msn.it/intl.asp

Simple way of doing this with almost anything, is to use SSH
- Install SSH on the DB machine
- Install an SSH client on Windows (lots of GUI versions, but there is a
command line one that comes with Cywin.)
- Using the SSH client, log onto the db machine, and forward the db port to
a port on localhost.
    Using ssh.exe from cygwin like this:
    =============DOS PROMPT==============
    C:\>ssh -L 80:192.168.0.254:80 -l root -T 192.168.0.254
    root@192.168.0.254's password:
    stdin: is not a tty
    exit
    'dumb': unknown terminal type.
    Waiting for forwarded connections to terminate...
    The following connections are open:
      #0 listen port 80 for 192.168.0.254 port 80, connect from 127.0.0.1 port
    1987
    (t4 r1 i1/0 o16/0 fd 4/4)
    =============END PROMPT==============
The above example forwards port 80 to localhost port 80, and specifies that
no actual terminal session be started on the server you've logged onto
(forward port only)

- Setup you programs on the windows machine to connect to localhost via ODBC
settings.

Regards,
Mathew
ps - I use Win2k, and have not found an SSH client by default

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org]On Behalf Of Mister ics
> Sent: Thursday, 13 September 2001 1:39 PM
> To: pgsql-odbc@postgresql.org
> Subject: [ODBC] secure ODBC connection
>
>
> Hi,
>
> <<Sorry for partially O.T. >>
>
> is there a way to tunnel a win'98 ODBC connection into a ssh connection ?
> Tunnelling a TCP/IP connection in a ssh stream is a good and
> simple way to
> obtain acceptable levels of security in client-server applications.
> Unfortunately i've not found a way to do it on Win'95-98 boxes.
> I heared ssh tunnelling is supported at o.s.-level in win2000.

On Thu, Sep 13, 2001 at 09:17:46PM +0000, Mister ics wrote:

> does current CVS win32-ODBC support the TCP/IP tunnelling ?  I can
> find various clients to connect to a ssh shell on port 22, my
> problem, instead, is to tunnel into ssh the ODBC Postgres SQL
> connection from-and-to the back-end.

Doesn't matter. The whole point of ssh tunneling is to provide crypto
for programs that wouldn't otherwise have it (certain pop, imap, http,
whatever programs).

As Matthew Frank pointed out, make an ssh tunnel from
localhost:odbcport to odbchost:odpcport and point your ODBC client to
localhost instead of odbchost.

To try a simpler example, I've used putty's terminal app to tunnel
localhost:9673 to a remote host's port 9673 (not for ODBC, but for web
work). Pointed my web browser at localhost:9673 and up popped the
remote web site. Secure as SSL, but without the cost.

--
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu

Hi Mike,

I understand now... but i still have a problem on server side :-)

When i start the tunnel on back-end side:

ssh -N -L 3333:myserver.myorg.com:5432 relay@myserver.myorg.com

it starts to listen on port 3333 of the 127.0.0.1 host (lo). If i try to
connect to myserver.myorg:3333 from the outside, the connection is refufed
because the tunnel does not work on the network interface's address (es.
192.168.0.1), but only on the lo interface.
How can i "export" that tunnel to the outside.

Thaks in advance,

Regards,
Silvio
>Doesn't matter. The whole point of ssh tunneling is to provide crypto
>for programs that wouldn't otherwise have it (certain pop, imap, http,
>whatever programs).
>
>As Matthew Frank pointed out, make an ssh tunnel from
>localhost:odbcport to odbchost:odpcport and point your ODBC client to
>localhost instead of odbchost.
>
>To try a simpler example, I've used putty's terminal app to tunnel
>localhost:9673 to a remote host's port 9673 (not for ODBC, but for web
>work). Pointed my web browser at localhost:9673 and up popped the
>remote web site. Secure as SSL, but without the cost.
>


_________________________________________________________________
Scarica GRATUITAMENTE MSN Explorer all'indirizzo
http://explorer.msn.it/intl.asp

Your starting it at the wrong place.  You start the connection from the
machine you are connectiong from - not the database server.  Otherwise you
are setting up a secure tunnel withing the machine, instead of accross the
network!

Run the SSH command on the Windows client machine.

Regards,
Mathew

> -----Original Message-----
> From: pgsql-odbc-owner@postgresql.org
> [mailto:pgsql-odbc-owner@postgresql.org]On Behalf Of Mister ics
> Sent: Sunday, 16 September 2001 9:36 AM
> To: renfro@tntech.edu
> Cc: pgsql-odbc@postgresql.org
> Subject: Re: [ODBC] secure ODBC connection
>
>
> Hi Mike,
>
> I understand now... but i still have a problem on server side :-)
>
> When i start the tunnel on back-end side:
>
> ssh -N -L 3333:myserver.myorg.com:5432 relay@myserver.myorg.com
>
> it starts to listen on port 3333 of the 127.0.0.1 host (lo). If i try to
> connect to myserver.myorg:3333 from the outside, the connection
> is refufed
> because the tunnel does not work on the network interface's address (es.
> 192.168.0.1), but only on the lo interface.
> How can i "export" that tunnel to the outside.
>
> Thaks in advance,
>
> Regards,
> Silvio
> >Doesn't matter. The whole point of ssh tunneling is to provide crypto
> >for programs that wouldn't otherwise have it (certain pop, imap, http,
> >whatever programs).
> >
> >As Matthew Frank pointed out, make an ssh tunnel from
> >localhost:odbcport to odbchost:odpcport and point your ODBC client to
> >localhost instead of odbchost.
> >
> >To try a simpler example, I've used putty's terminal app to tunnel
> >localhost:9673 to a remote host's port 9673 (not for ODBC, but for web
> >work). Pointed my web browser at localhost:9673 and up popped the
> >remote web site. Secure as SSL, but without the cost.
> >
>
>
> _________________________________________________________________
> Scarica GRATUITAMENTE MSN Explorer all'indirizzo
> http://explorer.msn.it/intl.asp
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html

Hi Mathew,

yep, it works fine now.
Thank you vey much for help.
i liked postgresql... but now that i have security and confidentiality.. i
love it :-) LOL.
Great Job guys. Thank you very much to all.

>
>Run the SSH command on the Windows client machine.
>
>Regards,
>Mathew
>



_________________________________________________________________
Scarica GRATUITAMENTE MSN Explorer all'indirizzo
http://explorer.msn.it/intl.asp