Qiang has asked for the wisdom of the Perl Monks concerning the following question:

I am writing a program which reports a user's print quota under Unix by running >pquota (which does a whoami, and then queries the remote DB).

The quota database (MySQL) is not located on the same machine where users log on, so here is the problem: I am not sure how to go about writing a program that queries the remote database securely.

One way I am thinking of is to use Net::SSH::Perl to log in to the remote database server and do a local query, then return the result. But then I will need a login user for this. In addition, I need to save this user name and password somewhere that other users can't read.

Any suggestions on how to write a secure program that does that?

If you know of a print quota app that is available, please do share.

Thanks

Qiang

Replies are listed 'Best First'.
Re: ideas needed to query remote database securely
by hardburn (Abbot) on Nov 03, 2003 at 18:28 UTC

    Possibilities:

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    : () { :|:& };:

    Note: All code is untested, unless otherwise stated

      Corion suggests that I could have the script (pquota) call another one (mypquota),
      but the difference is that

      pquota is 0755 lp staff
      mypquota 0700 lp lp

      Then I can have the database user name and password in the mypquota script that no one will see except the lp group and user. That seems to be the easiest way, I guess.

Re: ideas needed to query remote database securely
by perrin (Chancellor) on Nov 03, 2003 at 19:38 UTC
    What sort of security problem are you concerned about? MySQL supports connections over SSL, so you should be safe from network snoopers just by doing that.

Re: ideas needed to query remote database securely
by CountZero (Bishop) on Nov 03, 2003 at 22:01 UTC
    Although one must be security conscious, one should not get totally paranoid either.

    Much will depend on the link to your remote DB. If this is over an internal network, there is not much use in creating a secure connection over your internal network and then sending the data to the user over a public network without any encryption.

    CountZero

    "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re: ideas needed to query remote database securely
by bart (Canon) on Nov 04, 2003 at 17:34 UTC
    MySQL can restrict the IP ranges from which it accepts a connection. Even when a 3rd party got hold of the username and password, he likely wouldn't be able to log in to the database from where he sits.

    Actually, in our case, the whole section 4.2, "General Security Issues and the MySQL Access Privilege System", looks to be worth a read.

      bart!!!! Haven't you heard of a man in the middle attack? You cannot guarantee that a client is who you think it is simply by the IP address. You need some form of encrypted key-passing and hashing both at time of initial connection with the foreign party AND for each subsequent packet to ensure security.

      Celebrate Intellectual Diversity
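
An added example, not code from any poster in this thread: one way to combine the two ideas above, keeping the database login in a file only its owner can read (the concern in the original question and the mypquota follow-up) and connecting to MySQL over SSL (perrin's reply). It assumes the script already runs as the account that owns the credentials file (lp in the thread's layout); the host, database, table, column and file names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Host, database, table, column and
# file names are assumptions for illustration.
use strict;
use warnings;
use DBI;
use Fcntl qw(:mode);

my $CRED_FILE = '/etc/pquota/db.cnf';    # hypothetical path, mode 0600
my $DB_HOST   = 'quotadb.example.org';   # hypothetical host
my $CA_FILE   = '/etc/pquota/ca.pem';    # hypothetical CA certificate

# Refuse to use a credentials file that other accounts could read or replace.
sub check_cred_file {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by the effective user\n" unless $uid == $>;
    die sprintf("%s has mode %04o, expected 0600 or stricter\n",
                $path, S_IMODE($mode))
        if S_IMODE($mode) & 077;
    return 1;
}

sub quota_for {
    my ($user) = @_;
    check_cred_file($CRED_FILE);
    # The [client] group of the file supplies user= and password=, so the
    # secret never appears in this script or on a command line.
    my $dsn = join ';',
        "DBI:mysql:database=printquota",
        "host=$DB_HOST",
        "mysql_read_default_file=$CRED_FILE",
        "mysql_read_default_group=client",
        "mysql_ssl=1",
        "mysql_ssl_ca_file=$CA_FILE";
    my $dbh = DBI->connect($dsn, undef, undef,
                           { RaiseError => 1, PrintError => 0 });
    # Placeholder keeps the login name out of the SQL text.
    my ($pages) = $dbh->selectrow_array(
        'SELECT pages_left FROM quota WHERE username = ?', undef, $user);
    $dbh->disconnect;
    return $pages;
}

my $user = getpwuid($<) or die "unknown uid $<\n";   # real uid of the caller
my $pages = quota_for($user);
print defined $pages ? "$user: $pages pages left\n" : "$user: no quota record\n";
```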