 

How to secure communication between two c++ programs over ssh

Tags:

c++

security

ssh

This might be a non-programming question.

Exposition:

1) I am using Linux.

2) I have two C++ programs, "client" and "server"; they run on different machines, they currently talk over TCP/IP. I have the source code to both programs.

3) Neither program does buffer overflow checking / defense against man-in-the-middle attacks / MAC / encryption.

4) I don't want to add this extra layer of complexity to my programs.

5) I want to have the two programs just talk over an ssh channel (but both client & server are running on machines that are multi-user; so if I just open up ports, other users may access them too).

Question:

What is the least intrusive way to get client & server to talk to each other over a secure channel?

Thanks!

anon asked Jan 16 '10 23:01


2 Answers

As far as programming solutions go, you'd need OpenSSL or GNU TLS. Out of those two the latter is a lot more cleanly written (OpenSSL has many pitfalls).

For a really elegant solution one would use OpenSSL via boost::asio, but that solution is probably suitable only if you're starting a new project.

In terms of user-space solutions, if you could set up both programs to run as a specified user, you could probably set up an SSL tunnel for them, but that highly depends on how you want connections to be established.

Kornel Kisielewicz answered Nov 03 '22 00:11


Well, you can use ssh in tunnel proxy mode. You connect from one machine to the other and set up the proxy port, and then the client connects to the local port on its machine and ssh proxies the TCP connection to the remote machine.

The option you need to the ssh command is -L.

A comment points out that this is, at least in theory, at risk of some program on the client machine climbing onto the port.

However, SSL requires a lot of mechanism. If I had to do this, and I really didn't want to use -L, I'd dive into the source of ssh and come up with a scheme to do what -L does.

bmargulies answered Nov 03 '22 00:11
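Putting the -L forwarding from this answer into a script, as an added example that is not code from the question or either answer: it builds the forward with the local end pinned to loopback, checks what the resulting listener actually exposes by reading a listener table in ss -ltn format, and shows the Unix-domain-socket form of -L (OpenSSH 6.7 or later) that confines access with directory permissions, which is the usual way to close the "another user on the client machine can reach the port" gap the comment raised. Host names, ports, the socket path and the SAMPLE_SS lines are placeholders or constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the question or either answer.
# Hosts, ports and paths are placeholders; SAMPLE_SS is constructed.

# The -L forward from the answer, with the local end pinned to 127.0.0.1.
# Without an explicit bind address, GatewayPorts=yes in ssh_config would
# expose the listener to the whole network, not just to this machine.
# -N: tunnel only, no remote shell.
tunnel_cmd() {
    # $1 = local port, $2 = ssh target (host or alias), $3 = server port on the remote side
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s' "$1" "$3" "$2"
}

# Same forward over a Unix-domain socket (OpenSSH 6.7+). Only users who can
# traverse directory $1 (make it mode 0700) can reach the socket, so other
# local users are kept out. The client program must then connect to the
# socket path instead of a TCP port, which needs a small change to its source.
socket_tunnel_cmd() {
    # $1 = private directory, $2 = ssh target, $3 = server port on the remote side
    printf 'ssh -N -L %s/server.sock:127.0.0.1:%s %s' "$1" "$3" "$2"
}

# Where does a listening socket accept connections from? Argument is the
# "Local Address:Port" field of ss -ltn.
listener_scope() {
    case "$1" in
        127.*:*|'[::1]':*)          echo loopback ;;
        0.0.0.0:*|'*':*|'[::]':*)   echo network  ;;
        *)                          echo other    ;;
    esac
}

# Report the scope of every listener on port $1. $2 is a listener table in
# ss -ltn format without its header line; it defaults to the live table.
port_scope() {
    table=${2:-$(ss -ltn 2>/dev/null | tail -n +2)}
    printf '%s\n' "$table" | while read -r _state _recvq _sendq laddr _rest; do
        case "$laddr" in
            *:"$1") listener_scope "$laddr" ;;
        esac
    done
}

# Constructed ss -ltn output: 8080 is a correctly bound forward, 8081 is
# what a forward looks like when it has leaked onto all interfaces.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 128 [::1]:8082 [::]:*'
```

After starting the tunnel, `port_scope 8080` with no second argument reads the live table; anything other than "loopback" for the forwarded port means the listener is reachable from beyond this machine.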