views: 54
answers: 2

Hi there

I created a Delphi 2010 application. It is used by many companies in the region, by users from trusted to untrusted. The application authenticates users with MySQL behind MD5-encrypted passwords. After that, the application needs to upload and download many files through FTP.

The fact is: any network sniffer (such as Ethereal, also known as Wireshark) can grab my plain user name and password from the FTP part of my application. The encrypted password can also be grabbed, and anyone can log in with any FTP application to my server and do unpleasant things.

[TIndyFTP] is used to manage the FTP connection itself. This object does not support SFTP, which I thought could be the end of my problem.

[tMyMac] from DevArt is used to manage the MySQL connection.

What is my point by now: is it a good way to use SSH tunneling to control the IO handler of both transaction types (FTP and MySQL) in my application? I'm doing some tests right now with SecureBridge from DevArt, which is compatible with the MyDAC component and TIndy.

Do I simply need to connect to the SSH tunnel and go through it with MySQL and FTP? Do I also need to encrypt the FTP password while using the SSH tunnel? For the MySQL part, the password seems to be encrypted or obfuscated when I try to intercept it with Wireshark.

Thanks for letting me know your ideas from this point, without changing the whole structure of my program, which is 99% complete :)

Thanks, Jonathan

+1  A: 

First you need to determine what protocol exactly you should / can use. FTP is not SFTP, and FTP over SSH makes little sense as well (though it's possible). Let's review the options:

  1. use FTPS (FTP over SSL). Requires that your FTP server has an SSL certificate; otherwise it's a viable option. Con: doesn't secure the MySQL connection.
  2. use FTP over an SSH tunnel. Don't see why one would do this if he can use SFTP. FTP over SSH is possible with Indy and our SecureBlackbox product.
  3. use SFTP (SSH File Transfer Protocol) to transfer files and use SSH port forwarding for securing the MySQL connection. Technically it's possible to run both the SFTP subsystem and port forwarding via one established SSH session, and our SecureBlackbox supports this. I don't know about the DevArt stuff, though, because their SSH/SFTP client is quite young and can have certain limitations.

If you have a Linux server (MySQL suggests that you do), then it has OpenSSH as an SSH server, and OpenSSH has a built-in SFTP server. If you run MySQL on Windows, you will have a hard time using OpenSSH ports on Windows, and Bitvise SSH Server would be a better option (we use it ourselves on our internal server).

In the case of SFTP, authentication and encryption are performed at the SSH level and you don't need to bother further securing the password used for authentication -- it's already secured with SSH. What you need to care about, though, is verifying the SSH key presented by the server to the client. You can do this by storing a copy of the server key in the client module (remember that you might need to replace the server key from time to time, so don't hard-code it in the client module).

If you decide to go the FTP-over-SSH route (though I don't see why you'd need this), you still don't need to secure the FTP password, as you will be running FTP over a secure SSH tunnel.

Eugene Mayevski 'EldoS Corp
My server runs under Linux... SSH is already in place and I have an account to use it. I'll check if I can complete all my security simply using SSH and use MySQL and FTP through it.... or maybe I'll implement SFTP instead of FTP, but TIndyFTP 10 DOES NOT support SFTP, though it does support encryption for SSL/TLS like Remy said in the other answer. Thanks to all for your quick answers and comments.
Jaune Citron
+1  A: 

TIdFTP in Indy 10 DOES support encryption, both at the connection level (SSL/TLS) and the login credential level (SASL).

Remy Lebeau - TeamB
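Putting Remy's point (TIdFTP supports SSL/TLS) together with Eugene's option 1 (FTPS): an added Delphi example, not code from the question, from Indy or from DevArt, showing TIdFTP with explicit FTPS so that USER/PASS and the file data never cross the wire in clear text, and with the server certificate checked against a CA file the client ships. The procedure name UploadOverFtps and its parameters are hypothetical; it assumes the OpenSSL DLLs Indy needs are available and that ACAFile holds the CA certificate that issued the server's certificate.

```delphi
uses
  SysUtils, Classes,
  IdFTP, IdFTPCommon, IdSSLOpenSSL, IdExplicitTLSClientServerBase;

{ Upload one file over explicit FTPS: AUTH TLS on the control channel before
  the credentials are sent, PROT P so the data channel is encrypted too, and
  the server certificate verified against a CA file shipped with the client.
  Hypothetical helper written for this answer. }
procedure UploadOverFtps(const AHost, AUser, APassword,
  ALocalFile, ARemoteName, ACAFile: string);
var
  Ftp: TIdFTP;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  Ftp := TIdFTP.Create(nil);
  try
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Ftp);
    Ssl.SSLOptions.Mode := sslmClient;
    Ssl.SSLOptions.Method := sslvTLSv1;
    // Reject any server whose certificate does not chain to our CA file;
    // without this a sniffer in the middle could present its own certificate
    Ssl.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    Ssl.SSLOptions.VerifyDepth := 3;
    Ssl.SSLOptions.RootCertFile := ACAFile;
    Ftp.IOHandler := Ssl;

    Ftp.Host := AHost;
    Ftp.Username := AUser;
    Ftp.Password := APassword;
    // Explicit FTPS: connect on the normal FTP port, then AUTH TLS
    // before USER/PASS, so the password is only ever sent inside TLS
    Ftp.UseTLS := utUseExplicitTLS;
    // PROT P: every data transfer (LIST, STOR, RETR) is encrypted as well
    Ftp.DataPortProtection := ftpdpsPrivate;
    Ftp.Passive := True;

    // Connect raises an exception if the TLS handshake or the
    // certificate verification fails, so no credentials leak in that case
    Ftp.Connect;
    try
      Ftp.Put(ALocalFile, ARemoteName);
    finally
      Ftp.Disconnect;
    end;
  finally
    Ftp.Free;
  end;
end;
```

The same IOHandler settings apply to a TIdFTP used for downloads (Get) and listings; the CA file should be updated through the application's normal update path rather than hard-coded, for the same reason Eugene gives for the SSH server key.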