Archive for the ‘Security’ Category

HOWTO: JDBC over an SSH Tunnel

First, credit where credit is due. Most of this code came from here (I just modified it a bit):

http://www.miranet.ch/posts/2008/09/23/howto_jdbc_over_ssh/

You’ll also need JSch (a Java implementation of SSH):

http://www.jcraft.com/jsch/

The major function of SSH tunnels is to secure what would otherwise be an insecure client/server connection. But another awfully handy use of SSH tunnels is accessing remote resources that are not normally exposed. Databases, for example.

I recently needed to access a MySQL database on a remote server from some local Java code. This database is off on a third party hosting server that does not allow outside access to MySQL, but I can log in via SSH.

So, here goes:

import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

public class CTestDriver
{
  // Opens an SSH session and forwards nLocalPort on this machine to strRemoteHost:nRemotePort.
  // The caller must disconnect the returned session to tear the tunnel down.
  private static Session doSshTunnel( String strSshUser, String strSshPassword, String strSshHost, int nSshPort, String strRemoteHost, int nLocalPort, int nRemotePort ) throws JSchException
  {
    final JSch jsch = new JSch();
    Session session = jsch.getSession( strSshUser, strSshHost, nSshPort );
    session.setPassword( strSshPassword );
    
    // "no" turns off host key verification: any server key is accepted, so the
    // client cannot tell the real SSH server from one impersonating it.
    final Properties config = new Properties();
    config.put( "StrictHostKeyChecking", "no" );
    session.setConfig( config );
    
    session.connect();
    session.setPortForwardingL(nLocalPort, strRemoteHost, nRemotePort);
    return session;
  }
  
  public static void main(String[] args)
  {
    Session session = null;
    try
    {
      String strSshUser = "ssh_user_name";                  // SSH login username
      String strSshPassword = "abcd1234";                   // SSH login password
      String strSshHost = "your.ssh.hostname.com";          // hostname or ip of SSH server
      int nSshPort = 22;                                    // remote SSH host port number
      String strRemoteHost = "your.database.hostname.com";  // hostname or ip of your database server
      int nLocalPort = 3366;                                // local port number used to bind SSH tunnel
      int nRemotePort = 3306;                               // remote port number of your database 
      String strDbUser = "db_user_name";                    // database login username
      String strDbPassword = "4321dcba";                    // database login password
      
      session = CTestDriver.doSshTunnel(strSshUser, strSshPassword, strSshHost, nSshPort, strRemoteHost, nLocalPort, nRemotePort);
      
      // The JDBC driver talks to the local end of the tunnel, not to the database host directly.
      Class.forName("com.mysql.jdbc.Driver");
      Connection con = DriverManager.getConnection("jdbc:mysql://localhost:"+nLocalPort, strDbUser, strDbPassword);
      con.close();
    }
    catch( Exception e )
    {
      e.printStackTrace();
    }
    finally
    {
      // Close the SSH session (and with it the port forward) before exiting.
      if( session != null )
      {
        session.disconnect();
      }
      System.exit(0);
    }
  }
}

So, now I can access the remote database and the traffic is encrypted on top of that!

Same disclaimer as always, this IS NOT production worthy code as is. The exception handling is crap and there’s lots more paranoia to be had. Please follow your own coding best-practices.
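Some of that extra paranoia, as an added example (not code from the original post or from the JSch project): the same tunnel with host key verification turned on, the forward bound to loopback only, and credentials taken from the environment. The class name, the TUNNEL_* environment variable names and the known_hosts path are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class CVerifiedTunnel
{
  public static void main( String[] args ) throws Exception
  {
    // Assumed environment variable names; secrets stay out of the source file.
    String strSshUser = System.getenv( "TUNNEL_SSH_USER" );
    String strSshPassword = System.getenv( "TUNNEL_SSH_PASSWORD" );
    String strDbUser = System.getenv( "TUNNEL_DB_USER" );
    String strDbPassword = System.getenv( "TUNNEL_DB_PASSWORD" );
    String strSshHost = "your.ssh.hostname.com";          // placeholder, as in the post
    String strRemoteHost = "your.database.hostname.com";  // placeholder, as in the post

    JSch jsch = new JSch();
    // Assumed path: the file must already hold the server's host key,
    // added after checking its fingerprint out of band.
    jsch.setKnownHosts( System.getProperty( "user.home" ) + "/.ssh/known_hosts" );

    Session session = jsch.getSession( strSshUser, strSshHost, 22 );
    session.setPassword( strSshPassword );
    // Refuse unknown or changed host keys instead of accepting any server.
    session.setConfig( "StrictHostKeyChecking", "yes" );

    try
    {
      session.connect( 10000 );  // 10 second connect timeout
      // Bind the forward to loopback only; local port 0 lets JSch pick a free port.
      int nLocalPort = session.setPortForwardingL( "127.0.0.1", 0, strRemoteHost, 3306 );

      Class.forName( "com.mysql.jdbc.Driver" );
      try( Connection con = DriverManager.getConnection(
             "jdbc:mysql://127.0.0.1:" + nLocalPort, strDbUser, strDbPassword ) )
      {
        System.out.println( "Connected through tunnel on local port " + nLocalPort );
      }
    }
    finally
    {
      session.disconnect();  // closes the forward even if the JDBC call failed
    }
  }
}
```

With checking set to "yes", connect() throws a JSchException when the server's key is missing from known_hosts or differs from the stored one, so the database password is never sent through a tunnel that ends at an unverified host.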

Free PKI Certificates from CAcert.org

If you don’t know what a digital certificate is or why you might need one, I’ll save you the effort and you can stop reading here.

If, like me, you are either too poor or too cheap to give VeriSign your money … CAcert.org seems like an ok option.

I know, I know … This IS NOT an enterprise class, super reliable way of certifying users.  However, it is probably good enough for playing with your friends.

Signup is easy, issuing certificates is easy, revoking your certificates is easy.  Go give it a try…

Here’s my cert:

You can also grab the root and intermediate certificates here.