Authenticating to a DB with a key?

S. Dale Morrey sdalemorrey at gmail.com
Sun Apr 7 23:38:09 MDT 2013


Sorry I guess I should have been clearer.  Typical Apache & PHP setup with
the DB server sitting on a separate box.
I'm more concerned with authentication than encryption.  MySQL has a
ridiculously low max password length.  I would like to maybe tunnel it and
use a certificate exchange mechanism similar to how I use certs for SSH.
Just wondering what I need to look at.  You've given me some ideas though.


On Mon, Apr 8, 2013 at 12:34 AM, Alan Evans <alanwevans at gmail.com> wrote:

> Is a VPN not an option?  Assuming this is on a budget and no additional
> hardware can be used you could use OpenVPN or even good ol' IPSEC from box
> to box.
>
> What about SSH + keys + tunneling?
>
> It might also help to know a bit more about the use case.
>
> Are we talking about you interacting with the database via a GUI client,
> shell client?  Or are we talking about an application on some other server
> that needs to connect to the database over the Internet?  Maybe both?
>
> It might be wise if you can to use additional hardware or at least not just
> rely on SSL/TLS libs tied to your database.  Even if someone couldn't get
> authenticated because they have a bad certificate they could DDoS your DB
> server pretty easily by throwing lots of SSL/TLS negotiation attempts at
> it.  Or depending on how the SSL/TLS connection handler on your database
> works it might be that you are using up a database connection with every
> connection attempt even if it fails.  Of course some iptables rate rules
> would help this.
>
> -Alan
>
>
> On Sun, Apr 7, 2013 at 10:38 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:
>
> > I have a server that will be on the public internet.
> > I'm afraid there is the possibility of it being compromised so I have
> > locked it down the best I can.  However it must also connect to a DB.  The
> > DB is behind a firewall and only accepts connections from the IP of the
> > small handful of servers that need to connect to it.
> >
> > I'm still feeling a little paranoid and I'm wondering if there is any way
> > to do a certificate based login (MySQL or Postgres are options here).
> > Similar to how I use private certs instead of username password combos.
> > This way if my public box is compromised I can just revoke the cert.
> >
> > Any experiences with this sort of thing?
> >
> > Thanks in advance!
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
> >
>
>
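Since the thread never spells out what a certificate-only database login looks like, here is an added example (not from any of the posters) of the PostgreSQL side of it: the server trusts a private CA, every connection from the web box must present a client certificate signed by that CA, no password is involved, and a revocation list is what lets you cut off a compromised box. The database name, role name, address and file names are assumptions; the parameter and pg_hba.conf keywords are the real ones.

```conf
# postgresql.conf (added example; file names are assumptions, relative to the data directory)
ssl = on
ssl_cert_file = 'server.crt'   # certificate the DB presents to clients
ssl_key_file  = 'server.key'   # DB private key: mode 0600, owned by the postgres user
ssl_ca_file   = 'root.crt'     # the private CA that signs *client* certificates
ssl_crl_file  = 'root.crl'     # revocation list; re-issue it to lock out a compromised box

# pg_hba.conf (added example; database, role and address are assumptions)
# TYPE      DATABASE  USER     ADDRESS          METHOD
hostssl     appdb     appuser  203.0.113.10/32  cert
# "cert": no password at all. The client must present a certificate that chains to
# ssl_ca_file, is not listed in ssl_crl_file, and whose CN equals the role name (appuser).
# Anything arriving without TLS, from any address, is refused outright:
hostnossl   all       all      0.0.0.0/0        reject

# Client side (libpq connection string used by the PHP box; paths are assumptions):
#   host=db.internal dbname=appdb user=appuser sslmode=verify-full
#   sslcert=/etc/pki/app/client.crt sslkey=/etc/pki/app/client.key sslrootcert=/etc/pki/app/root.crt
```

The two checks that matter are that the client certificate's CN has to match the role it logs in as (so a stolen certificate for a read-only role cannot be used as a more privileged one) and that revocation is a file the DB re-reads on reload, so "revoke the cert" is a CRL update plus a configuration reload rather than a password change on every server. The MySQL equivalent of the pg_hba.conf line is a user created with `REQUIRE SUBJECT '/CN=appuser' AND ISSUER '...'`, with `ssl-ca`, `ssl-cert` and `ssl-key` set on the server and a CRL supplied through `ssl_crl` on versions that have it; that sidesteps the password-length concern entirely because no password is checked. Note that this only covers authentication: the TLS handshake still happens before the certificate is rejected, so Alan's point about rate-limiting connection attempts at the firewall still applies.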


More information about the PLUG mailing list