How to secure communication between two c++ programs over ssh
This might be a non-programming question.
Exposition:
1) I am using Linux.
2) I have two C++ programs, "client" and "server"; they run on different machines, they currently talk over TCP/IP. I have the source code to both programs.
3) Neither program does buffer overflow checking / defense against man-in-the-middle attacks / MAC / encryption.
4) I don't want to add this extra layer of complexity to my programs.
5) I want to have the two programs just talk over an SSH channel (but both client & server are running on machines that are multi-user; so if I just open up ports, other users may access them too).
Question:
What is the least intrusive way to get client&server to talk to each other over a secure channel?
Thanks!
As far as programming solutions go, you'd need OpenSSL or GNU TLS. Out of those two the latter is a lot more cleanly written (OpenSSL has many pitfalls).
For a really elegant solution one would use OpenSSL via boost::asio, but that solution is probably suitable only if you're starting a new project.
In terms of user-space solutions, if you could set up both programs to run as a specified user, you could probably setup an SSL tunnel for them, but that highly depends on how you want connections to be established.
Well, you can use ssh in tunnel proxy mode. You connect from the one machine to the other and set up the proxy port, and then the client connects to the local port on its machine and ssh proxies the TCP connection to the remote machine.
The option you need to the ssh command is -L.
A comment points out that this is, at least in theory, at risk of some program on the client machine climbing onto the port.
However, SSL requires a lot of mechanism. If I had to do this, and I really didn't want to use -L, I'd dive into the source of ssh and come up with a scheme to do what -L does.
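The -L forward described above, as an added example that is not the questioner's or any answerer's code: it binds the local end of the tunnel to a Unix socket inside a mode-0700 directory instead of a TCP port, which is how to keep other users of the shared client machine off the forwarded endpoint. It assumes OpenSSH 6.7 or later (Unix-socket forwarding), GNU stat, and that the client program can be pointed at a Unix socket; the host, port and paths are placeholders.

```shell
#!/bin/sh
# Added example: ssh -L with a Unix-socket local end so only our user can reach it.
# Assumes OpenSSH >= 6.7, GNU coreutils stat, Linux. Host/port/paths are placeholders.
set -eu

# Build the ssh command for a local Unix-socket forward.
# $1 = local socket path, $2 = remote host (as seen from the ssh server),
# $3 = remote port, $4 = user@sshhost.
# StreamLocalBindMask=0177 leaves the socket file rw for the owner only;
# StreamLocalBindUnlink removes a stale socket from an earlier run.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StreamLocalBindUnlink=yes -o StreamLocalBindMask=0177 -L %s:%s:%s %s' \
        "$1" "$2" "$3" "$4"
}

# The socket file's permissions are not enough on their own: the directory
# must also be ours and closed to others, otherwise another local user could
# replace the socket or pre-create the path. Returns 1 if the directory is unsafe.
socket_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$owner" = "$(id -u)" ] || return 1
    [ "$mode" = "700" ] || return 1
}

# Create the private directory (a pre-existing one keeps its old mode, so the
# check afterwards is what actually guards us) and start the tunnel.
# The client program is then pointed at $sockdir/server.sock.
setup_tunnel() {
    sockdir=${1:-"$HOME/.client-tunnel"}      # constructed default path
    mkdir -p -m 700 "$sockdir"
    if ! socket_dir_ok "$sockdir"; then
        echo "refusing to use $sockdir: not a private directory owned by us" >&2
        return 1
    fi
    cmd=$(tunnel_cmd "$sockdir/server.sock" 127.0.0.1 5000 user@server.example)
    echo "starting: $cmd"
    eval "$cmd"
}

# Only start a real tunnel when explicitly asked (RUN_TUNNEL=1 ./tunnel.sh).
if [ "${RUN_TUNNEL:-0}" = 1 ]; then
    setup_tunnel "${1:-}"
fi
```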
You basically have two options, and neither of them is SSH. One, use SSL/TLS, which to give security against local users will require building it into your program. Two, use IPSEC or OpenVPN and some local-user rules in the firewall at each end to restrict use of the tunnel to only the user running the tasks in question.