Authenticating to a DB with a key?

Alan Evans alanwevans at gmail.com
Sun Apr 7 23:34:23 MDT 2013


Is a VPN not an option?  Assuming this is on a budget and no additional
hardware can be used you could use OpenVPN or even good ol' IPSEC from box
to box.

What about SSH + keys + tunneling?

It might also help to know a bit more about the use case.

Are we talking about you interacting with the database via a GUI client,
shell client?  Or are we talking about an application on some other server
that needs to connect to the database over the Internet?  Maybe both?

It might be wise if you can to use additional hardware or at least not just
rely on SSL/TLS libs tied to your database.  Even if someone couldn't get
authenticated because they have a bad certificate they could DDoS your DB
server pretty easily by throwing lots of SSL/TLS negotiation attempts at
it.  Or depending on how the SSL/TLS connection handler on your database
works it might be that you are using up a database connection with every
connection attempt even if it fails.  Of course some iptables rate rules
would help this.

-Alan


On Sun, Apr 7, 2013 at 10:38 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:

> I have a server that will be on the public internet.
> I'm afraid there is the possibility of it being compromised so I have
> locked it down the best I can.  However it must also connect to a DB.  The
> DB is behind a firewall and only accepts connections from the IP of the
> small handful of servers that need to connect to it.
>
> I'm still feeling a little paranoid and I'm wondering if there is any way
> to do a certificate based login (MySQL or PostGres are options here).
> Similar to how I use private certs instead of username password combos.
> This way if my public box is compromised I can just revoke the cert.
>
> Any experiences with this sort of thing?
>
> Thanks in advance!

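As an added example (not from either message in this thread), here is how the certificate-based login the original poster asks about can be configured in current PostgreSQL, with a CRL so that a client certificate stolen from the public box can be revoked server-side. The file paths, the database/user names and the 203.0.113.10 app-server address are assumptions.

```conf
# postgresql.conf (added example; file paths are assumptions)
ssl = on
ssl_cert_file = '/etc/postgresql/server.crt'      # server certificate
ssl_key_file  = '/etc/postgresql/server.key'      # server private key, mode 0600, owned by postgres
ssl_ca_file   = '/etc/postgresql/internal-ca.crt' # private CA that issues the client certificates
ssl_crl_file  = '/etc/postgresql/internal-ca.crl' # CRL from that CA; regenerate it and reload to revoke a client
ssl_min_protocol_version = 'TLSv1.2'

# pg_hba.conf (added example; 203.0.113.10 stands for the public-facing app server)
# With the cert method the client must present a certificate signed by ssl_ca_file,
# not listed in ssl_crl_file, whose CN equals the database user (here: appuser).
# No password is involved, so there is nothing for a compromised box to leak except the key.
# TYPE      DATABASE  USER     ADDRESS           METHOD
hostssl     appdb     appuser  203.0.113.10/32   cert
# Plaintext connections are refused outright, from any address
hostnossl   all       all      0.0.0.0/0         reject
```

Revocation works by reissuing the CRL with the compromised certificate listed and running `pg_ctl reload` (or `SELECT pg_reload_conf()`); new connections presenting that certificate are then rejected at the TLS layer, while the firewall rules from the original post still limit who can even start a handshake.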