live_in_hades has asked for the wisdom of the Perl Monks concerning the following question:

Hey guys,

I currently have a cgi application that has to talk to a remote mysql server.
I would very much like to encrypt these transactions since some of the information is fairly important. I haven't been able to see any perl modules ( such as Net::SSH and Net::SSH::Perl ) which provide methods for building and tearing down ssh tunnels.
I can fork a process to build the tunnel myself but this is messy and despite my best efforts to tear it down often leaves the tunnel standing. This forked process ( for tunnel building ) also means that I am currently sleeping the cgi process for a set interval to allow time for the tunnel to build and I am also concerned that if there is high traffic everything could fail ( though I try to handle that gracefully ).

Simplistically, the code looks like this:

    my $childPid = fork();
    die "fork failed: $!" unless defined $childPid;
    if ($childPid) {
        # parent: wait a fixed interval for the tunnel to come up
        sleep 2;
        ## then open the database
        ## do stuff
        kill 'HUP', $childPid;   # tear the tunnel down
    }
    else {
        # child: becomes the ssh process holding the port forward
        exec("ssh $user\@$host -L 3306:$host:3306 -N");
    }

With this background my question is do you guys know of a module that I haven't found that deals with ssh tunneling so that the tunnel becomes an object to be used or something??

Or alternatively can you suggest a way to get the code to recognise when the tunnel is up and inform the other process so that I am not dependent on a fixed sleep interval??

Thanks in Advance
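
For the second part of the question (knowing when the tunnel is up rather than sleeping a fixed interval), one approach is to poll the forwarded local port until it accepts a connection, while also noticing if ssh exits first. This is an added example, not part of the original post; the account, host name, local port 13306 and the helper names open_tunnel and close_tunnel are assumptions.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use POSIX qw(WNOHANG);
use Time::HiRes qw(sleep time);

# Assumed placeholder values: substitute your own account, host and ports.
my ($user, $host)   = ('dbtunnel', 'db.example.com');
my ($lport, $rport) = (13306, 3306);

# TERM the ssh child and reap it, so no tunnel or zombie is left standing.
sub close_tunnel {
    my ($pid) = @_;
    kill 'TERM', $pid;
    waitpid($pid, 0);
}

# Start the forward; return the ssh pid once the local port accepts connections.
sub open_tunnel {
    my ($timeout) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # List-form exec runs no shell, so $user and $host are never shell-parsed.
        exec('ssh', '-N',
             '-o', 'BatchMode=yes',             # fail rather than prompt for a password
             '-o', 'ExitOnForwardFailure=yes',  # exit if the local port cannot be bound
             '-L', "127.0.0.1:$lport:$host:$rport",
             "$user\@$host") or POSIX::_exit(127);
    }
    my $deadline = time() + $timeout;
    while (time() < $deadline) {
        # ssh already gone (auth failure, port in use): stop waiting at once.
        die "ssh exited early (status " . ($? >> 8) . ")\n" if waitpid($pid, WNOHANG) == $pid;
        my $probe = IO::Socket::INET->new(
            PeerAddr => '127.0.0.1', PeerPort => $lport,
            Proto    => 'tcp',       Timeout  => 1);
        if ($probe) { close $probe; return $pid; }
        sleep 0.1;
    }
    close_tunnel($pid);
    die "tunnel not ready after ${timeout}s\n";
}

my $pid = open_tunnel(10);
# Connect DBI to 127.0.0.1 port $lport here and do the database work;
# wrap that work in eval so close_tunnel still runs when it dies.
close_tunnel($pid);
```

The probe opens and drops one connection through the tunnel, which the MySQL server may log as an aborted connect. A stale tunnel still bound to the local port can make the probe succeed against the wrong listener, so choose a port nothing else uses.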

Replies are listed 'Best First'.
Re: ssh tunneling
by tachyon (Chancellor) on Oct 11, 2004 at 02:06 UTC

    You (probably) just need to rebuild your DBD::mysql with the --ssl flag. Then you can pass the mysql_ssl=1 param with the DBI connect. You may also need to set mysql_ssl_client_key, mysql_ssl_client_cert, mysql_ssl_ca_file, mysql_ssl_ca_path and mysql_ssl_cipher. See the DBD::mysql docs for details.

    stunnel is a general purpose widget to be aware of for securing connections, although you should not need it in this case.

    cheers

    tachyon

Re: ssh tunneling
by atcroft (Abbot) on Oct 11, 2004 at 02:03 UTC

    First of all, there appear (according to the documentation for DBD::mysql/DBI) to be parameters for making the connection over SSL.

    Secondly, if that is not an option, you may wish to look at Net::SSLeay for setting up secure sockets layer (SSL) connections. That, possibly in connection with the stunnel application, might be another option to look into.

    Hope that helps.

Re: ssh tunneling
by hsinclai (Deacon) on Oct 11, 2004 at 02:02 UTC
    Have you considered using the same ssh port forwarding mechanism and simply leaving the tunnel up permanently (invoked through a wrapper script to bring it back up if disconnected)?

    It seems that tearing the connection up and down from your CGI would introduce complexity and expense - sorry if I misunderstood your setup.