Note: this does not apply to Google BigQuery Database connection
Connecting via ssh tunnel allows Cluvio to securely access your database without exposing its access to anyone else.
Preconditions:
1. a server (e.g. EC2 instance if you run on AWS) that will act as ssh tunnel ('tunnel server') has access to your database
2. the tunnel server needs to have a public IP and be reachable via ssh
To setup the server to act as a ssh tunnel for Cluvio:
- create a new user that would be used for the tunnel (call it e.g. 'cluvio')
- in the user's home directory create a folder .ssh and make sure it is owned by the user and has permissions restricted to '700'
- in the newly created .ssh folder create a file 'authorized_keys' also owned by the new user and with restricted permissions ('600'), the content of which is the Cluvio public ssh key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com
Here is a full example for linux systems, execute as root or with sudo:
useradd cluvio mkdir -p /home/cluvio/.ssh && chmod 700 /home/cluvio/.ssh && chown cluvio /home/cluvio/.ssh echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com" > /home/cluvio/.ssh/authorized_keys chmod 600 /home/cluvio/.ssh/authorized_keys && chown cluvio /home/cluvio/.ssh/authorized_keys
As an alternative, you can also simply add the Cluvio public key to any existing user's authorized_keys on the tunnel server
Further security improvements:
- to make sure that the cluvio user cannot do anything else but connect to the database, alter the authorized_keys file and prepend the following before the 'ssh-rsa ......' text, replacing the db_server_host and db_server_port with actual values for your database server
no-pty,no-X11-forwarding,permitopen="<db_server_host>:<db_server_port>",command="/bin/echo do-not-send-commands"