简体繁体 English

如何通过ssh保护两个c ++程序之间的通信

[英]How to secure communication between two c++ programs over ssh

原文 2010-01-16 23:29:10 5 3 c++/ ssh/ security

This might be a non-programming question. 这可能是一个非编程问题。

Exposition: 博览会：

1) I am using Linux. 1）我正在使用Linux。

2) I have two C++ programs, "client" and "server"; 2）我有两个C ++程序，“客户端”和“服务器”; they run on different machines, they currently talk over tcpip. 他们在不同的机器上运行，目前正在谈论tcpip。 I have the source code to both programs. 我有两个程序的源代码。

3) Neither program does buffer over flow checking / defense against man in the middle atacks / mac / encryption. 3）这两个程序都没有在中间atacks / mac / encryption中对人员进行流量检查/防御缓冲。

4) I don't want to add this extra layer of complexity to my programs. 4）我不想在我的程序中添加这个额外的复杂层。

5) I want to have the two programs just talk over a ssh channel (but both client & server are running on machines that are multi-user; so if I just open up ports, other uses may access them too). 5）我想让两个程序只通过ssh通道（但是客户端和服务器都在多用户机器上运行;所以如果我只是打开端口，其他用途也可以访问它们）。

Question: 题：

What is the least intrusive way to get client&server to talk to each other over a secure channel? 让客户端和服务器通过安全通道相互通信的最少侵入性方法是什么？

Thanks! 谢谢！

3 个解决方案

As far as programming solutions go, you'd need OpenSSL or GNU TLS . 就编程解决方案而言，您需要OpenSSL或GNU TLS 。 Out of those two the latter is a lot more cleanly written (OpenSSL has many pitfalls). 在这两个中，后者写得更清晰（OpenSSL有很多陷阱）。

For a really elegant solution one would use OpenSSL via boost::asio , but that solution is probably suitable only if you're starting a new project. 对于一个非常优雅的解决方案，可以通过boost :: asio使用OpenSSL ，但该解决方案可能仅适用于您正在开始新项目的情况。

In terms of user-space solutions, if you could set up both programs to run as a specified user, you could probably setup an SSL tunnel for them, but that highly depends on how you want connections to be established. 在用户空间解决方案方面，如果您可以将两个程序设置为以指定用户身份运行，则可以为它们设置SSL隧道，但这在很大程度上取决于您希望如何建立连接。

Well, you can use ssh in tunnel proxy mode. 好吧，你可以在隧道代理模式下使用ssh。 You connect from the one machine to the other and set up the proxy port, and then the client connects to the local port on its machine and ssh proxies the TCP connection to the remote machine. 您从一台计算机连接到另一台计算机并设置代理端口，然后客户端连接到其计算机上的本地端口，ssh代理与远程计算机的TCP连接。

The option you need to the ssh command is -L . ssh命令需要的选项是-L 。

A comment points out that this is, at least in theory, at risk of some program on the client machine climbing onto the port. 评论指出，至少在理论上，这是客户机器上某些程序爬上港口的风险。

However, SSL requires a lot of mechanism. 但是，SSL需要很多机制。 If I had to do this, and I really didn't want to use -L, I'd dive into the source of ssh and come up with a scheme to do what -L does. 如果我必须这样做，而且我真的不想使用-L，我会深入研究ssh的源代码并提出一个方案来做-L的工作。

You basically have two options, and neither of them is SSH. 你基本上有两个选择，它们都不是SSH。 One, use SSL/TLS, which to give security against local users will require building it into your program. 一，使用SSL / TLS，为了给本地用户提供安全性，需要将其构建到您的程序中。 Two, use IPSEC or OpenVPN and some local-user rules in the firewall at each end to restrict use of the tunnel to only the user running the tasks in quesion. 二，在每端的防火墙中使用IPSEC或OpenVPN以及一些本地用户规则来限制隧道的使用仅限于运行任务的用户。