Authenticating to a DB with a key?
S. Dale Morrey
sdalemorrey at gmail.com
Sun Apr 7 23:38:09 MDT 2013
Sorry I guess I should have been clearer. Typical Apache & PHP setup with
the DB server sitting on a separate box.
I'm more concerned with authentication than encryption. MySQL has a
ridiculously low max password length. I would like to maybe tunnel it and
use a certificate exchange mechanism similar to how I use certs for SSH.
Just wonder what I need to look at. You've given me some ideas though.
On Mon, Apr 8, 2013 at 12:34 AM, Alan Evans <alanwevans at gmail.com> wrote:
> Is a VPN not an option? Assuming this is on a budget and no additional
> hardware can be used you could use OpenVPN or even good ol' IPSEC from box
> to box.
> What about SSH + keys + tunneling?
> It might also help to know a bit more about the use case.
> Are we talking about you interacting with the database via a GUI client,
> shell client? Or are we talking about an application on some other server
> that needs to connect to the database over the Internet? Maybe both?
> It might be wise if you can to use additional hardware or at least not just
> rely on SSL/TLS libs tied to your database. Even if someone couldn't get
> authenticated because they have a bad certificate they could DDOS your DB
> server pretty easily by throwing lots of SSL/TLS negotiations attempts at
> it. Or depending on how the SSL/TLS connection handler on your database
> works it might be that you are using up a database connection with every
> connection attempt even if it fails. Of course some iptables rate rules
> would help this.
> On Sun, Apr 7, 2013 at 10:38 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:
> > I have a server that will be on the public internet.
> > I'm afraid there is the possibility of it being compromised so I have
> > locked it down the best I can. However it must also connect to a DB.
> > DB is behind a firewall and only accepts connections from the IP of the
> > small handful of servers that need to connect to it.
> > I'm still feeling a little paranoid and I'm wondering if there is any way
> > to do a certificate based login (MySQL or Postgres are options here).
> > Similar to how I use private certs instead of username password combos.
> > This way if my public box is compromised I can just revoke the cert.
> > Any experiences with this sort of thing?
> > Thanks in advance!
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
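Dale's goal in the thread (one cert per client box, revoked if that box is compromised) carried out for PostgreSQL, as an added example that is not part of the thread: it builds a throwaway CA and client cert with openssl, writes the pg_hba.conf and postgresql.conf settings that accept only that cert in place of a password, and then revokes the cert through a CRL. The database name appdb, the role webapp, the web box address 203.0.113.10 and every file path are assumptions; the MySQL counterpart (`CREATE USER ... REQUIRE SUBJECT`) is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA, one client cert for the web
# box, the PostgreSQL settings that accept only that cert, and the CRL that cuts
# it off. Names, paths and the address 203.0.113.10 are assumptions.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# 1. CA that signs client certs. Keep ca.key off the public-facing box.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=app-ca \
  -keyout ca.key -out ca.crt 2>/dev/null
# 2. Key and cert for the web server; the CN must equal the DB role name.
openssl req -newkey rsa:2048 -nodes -subj /CN=webapp \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out client.crt 2>/dev/null

# 3. Server side: cert auth only, so there is no password to guess at all.
cat > pg_hba.conf <<'EOF'
# TYPE  DATABASE  USER    ADDRESS          METHOD
hostssl appdb     webapp  203.0.113.10/32  cert clientcert=verify-full
EOF
cat > postgresql.conf.snippet <<'EOF'
ssl = on
ssl_ca_file  = 'ca.crt'   # only certs signed by our CA are accepted
ssl_crl_file = 'ca.crl'   # reload after updating; revoked certs are refused
EOF
# Client side (assumed): psql "host=db sslmode=verify-full sslcert=client.crt
#   sslkey=client.key sslrootcert=ca.crt dbname=appdb user=webapp"

# 4. Revocation bookkeeping for `openssl ca` (its database of serials).
cat > ca.cnf <<'EOF'
[ca]
default_ca = app_ca
[app_ca]
database    = index.txt
private_key = ca.key
certificate = ca.crt
default_md  = sha256
EOF
: > index.txt

# Exit 0 while client.crt chains to ca.crt; pass "-crl_check -CRLfile ca.crl"
# to also honour the CRL, which is what PostgreSQL does with ssl_crl_file.
cert_is_valid() { openssl verify -CAfile ca.crt "$@" client.crt >/dev/null 2>&1; }
# Compromised web box: revoke its cert and publish a fresh CRL for the DB.
revoke_client_cert() {
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl >/dev/null 2>&1
}
```

After `revoke_client_cert`, copy ca.crl to the DB host and reload PostgreSQL; the web box's next connection is refused while every other client's cert keeps working.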