
SSH tunnel and Python 3.3

I need to create an application (Python 3.3 strictly) where users will save/load their settings online to a remote hosted database. I do not wish to change the database from listening to any other thing than localhost for security reasons, so I assume the best solution for me would be to make the program create some SSH tunnels before the saving/loading happens.

Would this policy make my database insecure?

How could I make this work? I tried installing paramiko but it is not Python 3+ ready. I also thought maybe I could include into the application's installation, PuTTY Tray too and some proper scripting so that I can create that tunnel, but I'm looking for something clever and efficient here. Of course I would really really really prefer avoiding any extra tray icons or shells from appearing every time a tunnel would activate.

I'm asking here so that I can hear an opinion from someone with experience, as I'm lacking that :). What would be your suggestion?

Thanks in advance.

I am dealing with similar problems at the moment (trying to use Docker's remote API which at the moment doesn't offer authentication). I am currently using bgtunnel, though I'm getting some errors now and then (usually resolved by a webpage refresh) - at first glance due to trying to establish a connection when one already exists. This can probably be solved using some thread.isAlive() stuff, but all in all it is kind of messy managing the connection - is it already alive? Should I check before any request or try and establish it and redo the API call on an exception? It's a bit tricky. I'm also starting to explore Paramiko, hoping it might be a bit easier to handle from Python - the process of porting to Python 3 seems almost finished at the moment.

That said, I'd expect any decent database to have good-enough baked-in authentication and encryption that I shouldn't be afraid to use it remotely without any ssh tunnelling. It appears from this SO answer that Postgres for example can be configured this way. This means you can kick out ssh and that's one thing in the stack less to think of. They are working on implementing remote auth in Docker's remote API too, at which point I'll gladly do the same :)
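One way to handle the "is it already alive?" question raised in the answer above, as an added example that is not part of the original posts: it drives the system OpenSSH client (assumed to be on PATH) from the Python 3 standard library and checks the tunnel before every database request. The host, user, ports and key path are placeholders, and `build_tunnel_cmd`, `port_open` and `Tunnel` are names made up for this example.

```python
import socket
import subprocess
import time

def build_tunnel_cmd(ssh_host, ssh_user, local_port, remote_port, key_path):
    """argv for a forward-only ssh session: no remote shell, no prompts."""
    forward = "127.0.0.1:{0}:127.0.0.1:{1}".format(local_port, remote_port)
    return [
        "ssh", "-N", "-L", forward,         # forward only; local end on loopback
        "-i", key_path,                     # placeholder key path (assumption)
        "-o", "BatchMode=yes",              # fail instead of prompting
        "-o", "ExitOnForwardFailure=yes",   # exit if the forward cannot be set up
        "-o", "StrictHostKeyChecking=yes",  # refuse unknown or changed host keys
        "-o", "ServerAliveInterval=30",     # exit when the server stops answering
        "{0}@{1}".format(ssh_user, ssh_host),
    ]

def port_open(port, timeout=0.5):
    try:  # True only if something accepts TCP connections on 127.0.0.1:port
        socket.create_connection(("127.0.0.1", port), timeout).close()
        return True
    except OSError:
        return False

class Tunnel(object):
    def __init__(self, cmd, local_port, spawn=subprocess.Popen):
        self.cmd, self.local_port, self.spawn = cmd, local_port, spawn
        self.proc = None

    def ensure(self, wait=5.0):
        """Call before each request: reuse a live tunnel, otherwise restart it."""
        if self.proc and self.proc.poll() is None and port_open(self.local_port):
            return self.proc
        self.close()
        self.proc = self.spawn(self.cmd)
        deadline = time.time() + wait
        while time.time() < deadline:
            if self.proc.poll() is not None:  # ssh gave up (auth, host key, bind)
                raise RuntimeError("ssh exited: {0}".format(self.proc.returncode))
            if port_open(self.local_port):
                return self.proc
            time.sleep(0.1)
        self.close()
        raise RuntimeError("tunnel did not come up in time")

    def close(self):
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
        self.proc = None
```

The application then connects its database driver to `127.0.0.1` on the local port after `ensure()` returns, and calls `close()` when saving or loading is done.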
