views: 232

answers: 3

This might be a non-programming question.

Exposition:

1) I am using Linux.

2) I have two C++ programs, "client" and "server"; they run on different machines, they currently talk over TCP/IP. I have the source code to both programs.

3) Neither program does buffer overflow checking / defense against man-in-the-middle attacks / MAC / encryption.

4) I don't want to add this extra layer of complexity to my programs.

5) I want to have the two programs just talk over an ssh channel (but both client & server are running on machines that are multi-user; so if I just open up ports, other users may access them too).

Question:

What is the least intrusive way to get client & server to talk to each other over a secure channel?

Thanks!

+7  A: 

As far as programming solutions go, you'd need OpenSSL or GnuTLS. Out of those two the latter is a lot more cleanly written (OpenSSL has many pitfalls).

For a really elegant solution one would use OpenSSL via boost::asio, but that solution is probably suitable only if you're starting a new project.

In terms of user-space solutions, if you could set up both programs to run as a specified user, you could probably set up an SSL tunnel for them, but that highly depends on how you want connections to be established.

Kornel Kisielewicz
+6  A: 

Well, you can use ssh in tunnel proxy mode. You connect from the one machine to the other and set up the proxy port, and then the client connects to the local port on its machine and ssh proxies the TCP connection to the remote machine.

The option you need to the ssh command is -L.

A comment points out that this is, at least in theory, at risk of some program on the client machine climbing onto the port.

However, SSL requires a lot of mechanism. If I had to do this, and I really didn't want to use -L, I'd dive into the source of ssh and come up with a scheme to do what -L does.

bmargulies
The OP required security from other users on the local host. SSH port forwarding does nothing to prevent another user from snooping on the same socket as only the link between hosts is encrypted.
P-Nuts
I can't think of a really practical multi-user machine attack, though I admit that it's theoretically possible. If you pick a random port, fork and exec ssh, and then connect to it ...
bmargulies
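The approach sketched in the comment above (pick a random port, fork and exec ssh, then connect to it) in C++, as an added example that is not code from the original answer. It asks the kernel for a free loopback port, launches `ssh -N -L` bound explicitly to 127.0.0.1, waits for the forward to come up, and then connects the client to it; the user name, host and remote port are placeholder values.

```cpp
// Added example: launch an ssh -L forward from inside the client and connect
// through it. user/host/remote_port below are placeholders, not real values.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <csignal>
#include <cstdio>
#include <string>
#include <vector>

// Bind port 0 on 127.0.0.1 so the kernel hands out an unused port.
// Returns 0 on failure. The port is released again before ssh binds it,
// so there is a short window in which another local process could grab it.
int pick_free_loopback_port() {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    if (bind(fd, reinterpret_cast<sockaddr*>(&addr), sizeof addr) != 0) { close(fd); return 0; }
    socklen_t len = sizeof addr;
    if (getsockname(fd, reinterpret_cast<sockaddr*>(&addr), &len) != 0) { close(fd); return 0; }
    close(fd);
    return ntohs(addr.sin_port);
}

// argv for: ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:LOCAL:127.0.0.1:REMOTE user@host
// Binding to 127.0.0.1 explicitly keeps the forwarded port off external interfaces;
// ExitOnForwardFailure makes ssh exit instead of silently running without the forward.
std::vector<std::string> build_ssh_argv(int local_port, const std::string& user,
                                        const std::string& host, int remote_port) {
    return {"ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", "127.0.0.1:" + std::to_string(local_port) + ":127.0.0.1:" + std::to_string(remote_port),
            user + "@" + host};
}

// Connect to 127.0.0.1:port; returns the socket fd, or -1 if nothing is listening yet.
int connect_loopback(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof addr) != 0) { close(fd); return -1; }
    return fd;
}

// Fork and exec ssh with the given argv; returns the child pid, or -1 on fork failure.
pid_t spawn_ssh(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid == 0) {
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec failed
    }
    return pid;
}

int main() {
    const std::string user = "deploy";          // placeholder
    const std::string host = "server.example";  // placeholder
    const int remote_port = 6000;               // placeholder: where "server" listens on the remote host

    int local_port = pick_free_loopback_port();
    if (local_port == 0) { perror("pick port"); return 1; }
    pid_t ssh = spawn_ssh(build_ssh_argv(local_port, user, host, remote_port));
    if (ssh < 0) { perror("fork"); return 1; }

    // Poll until ssh has bound the local port, giving up after about 5 seconds.
    int fd = -1;
    for (int i = 0; i < 50 && fd < 0; ++i) { usleep(100000); fd = connect_loopback(local_port); }
    if (fd < 0) {
        fprintf(stderr, "tunnel did not come up\n");
        kill(ssh, SIGTERM); waitpid(ssh, nullptr, 0);
        return 1;
    }
    // From here on the client talks to fd exactly as it did to the raw TCP socket;
    // the bytes now travel inside the ssh channel between the two hosts.
    const char hello[] = "hello over ssh\n";
    write(fd, hello, sizeof hello - 1);
    close(fd);
    kill(ssh, SIGTERM);
    waitpid(ssh, nullptr, 0);
    return 0;
}
```

This protects the link between the hosts only. On each host the forwarded end is still an ordinary loopback TCP port that any local user can connect to, which is exactly the point raised in the comment above; it is also why the example gives ssh the shortest possible window by picking the port immediately before exec. OpenSSH 6.7 and later can forward a Unix-domain socket instead of a TCP port (`-L /path/to/sock:host:port`), so the local end can be placed in a directory with mode 0700 and the filesystem, rather than luck, keeps other users out.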
+1  A: 

You basically have two options, and neither of them is SSH. One, use SSL/TLS, which to give security against local users will require building it into your program. Two, use IPsec or OpenVPN and some local-user rules in the firewall at each end to restrict use of the tunnel to only the user running the tasks in question.

Andrew McGregor