简体繁体 English

如何从Perl DBI保护与SQL Server的连接？

[英]How can I secure connection to SQL Server from Perl DBI?

原文 2009-05-28 13:10:52 7 3 sql-server/ perl/ security/ odbc/ dbi

I need to connect to a secure SQL Server database using Perl DBI. 我需要使用Perl DBI连接到安全的SQL Server数据库。 I need to find a way to authenticate the user securely (without fear of eavesdropping, and without storing passwords on the client side). 我需要找到一种安全地验证用户的方法（不用担心被窃听，也不需要在客户端存储密码）。 I'm using SQL Server 2008 on Windows Server 2008, and Perl 5.10 on XP. 我在Windows Server 2008, and Perl 5.10 SQL Server 2008上使用SQL Server 2008 Windows Server 2008, and Perl 5.10在XP上使用Windows Server 2008, and Perl 5.10 。

SQL Server supports encrypted connections via something called the "SQL Server Native Access Client API", but I cannot tell whether this is supported by any DBD driver, or how to use it if it is. SQL Server通过称为“SQL Server Native Access Client API”的东西支持加密连接，但我无法判断任何DBD驱动程序是否支持这种连接，或者如果它是如何使用它。

I am reluctant to use the DBD::ODBC driver with SQL Server authentication, because ODBC transmits user IDs and passwords in cleartext. 我不愿意将DBD::ODBC驱动程序与SQL Server身份验证一起使用，因为ODBC以明文形式传输用户ID和密码。

I can't use the DBD::ODBC driver with Windows authentication (trusted connection), because the server is not on any Active Directory domain that is accessible from the client's network. 我不能将DBD :: ODBC驱动程序与Windows身份验证（可信连接）一起使用，因为服务器不在可从客户端网络访问的任何Active Directory域上。

How can I secure my connections to the database? 如何保护与数据库的连接？ Thanks. 谢谢。

3 个解决方案

I am reluctant to use the DBD::ODBC driver with SQL Server authentication, because ODBC transmits user IDs and passwords in cleartext. 我不愿意将DBD :: ODBC驱动程序与SQL Server身份验证一起使用，因为ODBC以明文形式传输用户ID和密码。

That is not strictly true. 这不完全正确。 If you are using a recentish SQL Server and have not disabled encryption in it then the username/password and connection string are encrypted as follows: 如果您使用的是最近的SQL Server并且未在其中禁用加密，则用户名/密码和连接字符串将按如下方式加密：

The client contacts the server and tells it what it is capable of (eg, it can do SSL). 客户端联系服务器并告诉它它能够做什么（例如，它可以执行SSL）。 If the server then supports SSL it requires the client end to encrypt the connection info and falls back to unencrypted after that. 如果服务器然后支持SSL，则它要求客户端加密连接信息并在此之后回退到未加密。 You should also see the "Use Strong encryption for data" checkbox in the DSN. 您还应该在DSN中看到“对数据使用强加密”复选框。

Two options: 两种选择：

Create an IPSec tunnel between two locations. 在两个位置之间创建IPSec隧道。 Some info here: technet.microsoft.com/en-us/library/cc737154(WS.10).aspx technet.microsoft.com/en-us/library/cc786385(WS.10).aspx 这里有一些信息：technet.microsoft.com/en-us/library/cc737154(WS.10).aspx technet.microsoft.com/en-us/library/cc786385(WS.10).aspx
Enable SSL. 启用SSL。 I am not sure how well it would be protected. 我不确定它会受到多么好的保护。 technet.microsoft.com/en-us/library/ms189067.aspx technet.microsoft.com/en-us/library/ms189067.aspx

I would suggest that you use some kind of secured connection system. 我建议您使用某种安全连接系统。 It might be IPSec, but it is often viewed as complicated, so you might be better (or faster) off with OpenVPN, which I use, and generally am happy with. 它可能是IPSec，但它通常被认为是复杂的，所以你可能会更好（或更快）关闭我使用的OpenVPN，并且通常很满意。

It can be used on virtually any operating system, is fast, and free. 它几乎可以在任何操作系统上使用，速度快，免费。 You can check it here: http://openvpn.net/ 你可以在这里查看： http ： //openvpn.net/