[Zope-dev] OpenSSH configuration between ZEO clients & storage server

Shane Hathaway shane@zope.com
Mon, 25 Mar 2002 12:19:11 -0500


Eric Roby wrote:
> Anyone had any experience trying to secure the transactions between ZEO
> clients and a storage server???  Our shop is already using OpenSSH, I
> have read some introductory information about OpenSSH.  It is just not
> clear to me the level of effort required to implement this or if
> implemented, will the additional overhead further exasperate the
> potential for unresolved conflict errors???
> 
> Any thoughts...

Let's say you have hosts called "zeoclient" and "zeostorage".  On 
zeostorage, start a ZEO server listening to some port, say 9673, making 
sure that it listens only on the *local* interface, usually 127.0.0.1. 
An example:

python lib/python/ZEO/start.py -p 9673 -h 127.0.0.1 \
   -S 1=/stores/fs:Storage

Then on "zeoclient" you set up a tunnel:

# The forward target must be 127.0.0.1, not the hostname: sshd on
# zeostorage resolves that address, and ZEO is bound to loopback there.
ssh -f -N -L 9673:127.0.0.1:9673 zeostorage

Then your Zope install on zeoclient should use port 9673 on 127.0.0.1 to 
connect to the storage.  In fact, the only piece of code that should 
know about the hostname "zeostorage" is the command to set up the SSH 
tunnel.

There are some disadvantages: anybody who has an account on either 
zeoclient or zeostorage has full read/write access to the database.  To 
avoid that, you'd need to use Unix domain sockets and come up with a way 
to forward one securely.  Also, ssh is not 100% stable as a tunnel; I've 
seen ssh stop just because a forwarded connection disconnected 
unexpectedly.  You might need to watch the ssh process and restart it if 
it dies.

For zope.org there is a private subnet.  The boxes each have two network 
cards AFAIK.  All ZEO communication takes place on the private subnet.

A VPN would also work, but you'd still have the local access issue.

Shane
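The message notes that ssh is not fully reliable as a tunnel and that the ssh process may need to be watched and restarted. The script below is an added example, not code from the original post or from the Zope project: it builds the tunnel command with the forward target on the storage host's loopback interface, and supervises ssh with an exponential backoff so a downed storage host is not hammered with logins. It assumes (these are not stated on the page) that key-based, non-interactive ssh login to "zeostorage" works and that the ZEO server there listens on 127.0.0.1:9673 only; the ExitOnForwardFailure and ServerAlive options are modern OpenSSH options that make a dead tunnel exit instead of lingering.

```shell
#!/bin/sh
# Added example, not code from the original post: keep the ZEO ssh tunnel
# from "zeoclient" to "zeostorage" alive by restarting ssh whenever it exits.
# Assumptions (not stated on the page): key-based, non-interactive ssh login
# to zeostorage works, and the ZEO server there listens on 127.0.0.1:9673 only.

# Build the ssh command as one string. The forward target is 127.0.0.1 rather
# than the hostname: sshd on the storage host is what resolves that address,
# and ZEO is bound to the loopback interface there, so a forward to
# "zeostorage:9673" would miss it. ExitOnForwardFailure makes ssh exit when
# the port forward cannot be set up; the ServerAlive options make it exit
# when the connection is silently dropped.
tunnel_cmd() {
    host="$1"
    port="$2"
    echo "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L ${port}:127.0.0.1:${port} ${host}"
}

# Exponential backoff between restarts, capped at 60 seconds.
next_delay() {
    delay="$1"
    delay=$((delay * 2))
    [ "$delay" -gt 60 ] && delay=60
    echo "$delay"
}

# Supervise the tunnel: run ssh in the foreground (no -f) so its exit is
# observed, log the exit status, back off, and retry. A tunnel that stayed
# up for at least a minute resets the backoff.
run_tunnel() {
    host="$1"
    port="$2"
    delay=1
    while :; do
        started=$(date +%s)
        eval "$(tunnel_cmd "$host" "$port")"
        status=$?
        now=$(date +%s)
        echo "$(date): ssh tunnel to ${host} exited with status ${status}" >&2
        if [ $((now - started)) -ge 60 ]; then
            delay=1
        else
            delay=$(next_delay "$delay")
        fi
        sleep "$delay"
    done
}

# Only start supervising when invoked as "zeo-tunnel.sh run"; sourcing the
# file just defines the functions. STORAGE_HOST and ZEO_PORT are hypothetical
# environment overrides for the host and port used in the original message.
if [ "${1:-}" = "run" ]; then
    run_tunnel "${STORAGE_HOST:-zeostorage}" "${ZEO_PORT:-9673}"
fi
```

Run it on zeoclient as `sh zeo-tunnel.sh run` under whatever process supervisor the box already has; Zope on zeoclient still connects to 127.0.0.1:9673. This does not address the other drawback in the message: any local account on either host can still reach the forwarded port.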