Note: This document does not apply to Google BigQuery or CloudSpanner.
Connecting through an SSH tunnel allows Cluvio to securely access your database. The prerequisites are:
1. A unix/linux-based server (e.g. a Linux EC2 instance if you run on AWS) that will act as the SSH tunnel ('tunnel server') and has access to your database.
2. The tunnel server needs to have a public IP and be reachable through SSH.
Note: These instructions apply to unix-based systems. If you need to use an SSH server on a Windows machine, the setup will differ and you will need to refer to the documentation of your OS or hosting provider on how to set up an SSH tunnel.
The following steps performed on the tunnel server set up an SSH tunnel for Cluvio:
- Create a new user that would be used for the tunnel (call it e.g. 'cluvio').
- In the user's home directory create the folder .ssh and make sure it is owned by the user and has permissions restricted to '700'.
- In the newly created .ssh folder create the file 'authorized_keys' also owned by the new user and with restricted permissions ('600'). Add Cluvio's public key to the file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com
Here is a full example for a Linux system, with the steps performed as root or with sudo:
useradd cluvio mkdir -p /home/cluvio/.ssh && chmod 700 /home/cluvio/.ssh && chown cluvio /home/cluvio/.ssh echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBnwmewDUcrAToaHV2CBY64WOl1YxO09pWdyQ63ixX8rRpSNbCFsz+pDLJSuIZNuzJVqxitKY2Q1mov4BFENpZqd6258DlCfJxCRgsytCZtgA+hgZjMzmwEaudhkDppv72FoP4cIZimOFYE7lSOQhW9PsSIkE7OhFpS07ixOWnIcYTo0XqxfmQyvXH2gjD/EChh69W+sYDXQz0kLlwIFTZM1lwO1gG8kj5QXNrOxyveI3blZzonvGNEONIXW2i3lgLWTw7uWAsTqbtQ5CQ76AWft+usSV1PDSXf1eNF4tkbTnfzNzFTuuwFpZ4VkwJ0NtX1XJ6YuFEyUGCF/iXrzT9KfryO1dFvHDN/lqQX1Zqg1GiRnX1X4zKINa2Da0qJZfCpKzQEQHLXgZiGK/2y7CVAOrwNF1CKUVIMYibV/EA9KgaIZKICz5fi+pPf3BKV5YbViTa4vKCKZzEq/OUCU8gQ6x9iYXIogRJSz2+xlBgHNZgGB8viUyP3Rb9pGHgVglDyConvNeqaHf953p0rBMT7YVFJ3OINJoXg3qjxPEBcYvpjijBsNheyWXUA6RknE/XOkdgIDH1aRrXuy8SWHEGgSQ+PUgukR9Zt8BRnkBB7mfxlIocexyq8AItKyb39b2U3RhilhbJF6BqZ+PHGpnjB1dPMCNJhGsSDIyaZEuaww== connect@cluvio.com" > /home/cluvio/.ssh/authorized_keys chmod 600 /home/cluvio/.ssh/authorized_keys && chown cluvio /home/cluvio/.ssh/authorized_keys
As an alternative to creating a new user, you can also simply add the Cluvio public key to any existing user's authorized_keys on the tunnel server.
For added security, to make sure that the cluvio user cannot do anything else but connect to the database, alter the authorized_keys file by prepending the following to the 'ssh-rsa ......' line of Cluvio's public key, thereby replacing the db_server_host and db_server_port with actual values for your database server:
no-pty,no-X11-forwarding,permitopen="<db_server_host>:<db_server_port>",command="/bin/echo do-not-send-commands"