Note: this does not apply to Google BigQuery database connections.
Connecting via an ssh tunnel allows Cluvio to securely access your database without exposing its access to anyone else.
Preconditions:
1. a unix/linux-based server (e.g. a Linux EC2 instance if you run on AWS) that will act as the ssh tunnel ('tunnel server') and has network access to your database
2. the tunnel server needs to have a public IP and be reachable via ssh
Note: The instructions apply to unix-based systems. If you need to use an ssh server on a Windows machine, the setup will differ and you will need to refer to the vendor of your ssh server for instructions on how to set up remote access.
To set up the server to act as an ssh tunnel for Cluvio:
- create a new user that will be used only for the tunnel (call it e.g. 'cluvio')
- in the user's home directory create a folder .ssh and make sure it is owned by the user and has its permissions restricted to '700'
- in the newly created .ssh folder create a file 'authorized_keys' also owned by the new user and with restricted permissions ('600'), the content of which is the Cluvio public ssh key:
ssh-rsa <Cluvio public key> connect@cluvio.com
Here is a full example for Linux systems, execute as root or with sudo:
useradd cluvio
mkdir -p /home/cluvio/.ssh && chmod 700 /home/cluvio/.ssh && chown cluvio /home/cluvio/.ssh
echo "ssh-rsa <Cluvio public key> connect@cluvio.com" > /home/cluvio/.ssh/authorized_keys
chmod 600 /home/cluvio/.ssh/authorized_keys && chown cluvio /home/cluvio/.ssh/authorized_keys
As an alternative, you can simply add the Cluvio public key to the authorized_keys file of any existing user on the tunnel server.
Further security improvements:
- to make sure that the cluvio user cannot do anything other than connect to the database, edit the authorized_keys file and prepend the following to the 'ssh-rsa ......' line, replacing db_server_host and db_server_port with the actual host and port of your database server:
no-pty,no-X11-forwarding,permitopen="<db_server_host>:<db_server_port>",command="/bin/echo do-not-send-commands"
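As an added example (not part of Cluvio's documentation), the following POSIX shell functions build the restricted authorized_keys entry shown above and verify that a tunnel user's .ssh layout has the 700/600 permissions described; the database host, port and key they are called with are constructed placeholders, and run as root with /home/cluvio as the home directory they reproduce the manual steps.

```shell
#!/bin/sh
# Added example, not from the Cluvio docs. Builds the restricted authorized_keys
# entry described above and checks that a tunnel user's .ssh layout matches the
# 700/600 permissions; all hosts, ports and keys passed in are constructed values.

# Print one authorized_keys line that forces a no-op command, denies PTY and X11,
# and permits forwarding only to the database host:port.
# $1 = database host, $2 = database port, $3 = public key ("ssh-rsa AAAA... comment")
build_authorized_key() {
  printf 'no-pty,no-X11-forwarding,permitopen="%s:%s",command="/bin/echo do-not-send-commands" %s\n' \
    "$1" "$2" "$3"
}

# Create <home>/.ssh (700) and <home>/.ssh/authorized_keys (600) holding the entry.
# $1 = home directory, $2 = owning user, $3 = authorized_keys line
install_tunnel_key() {
  mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
  printf '%s\n' "$3" > "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys" || return 1
  # chown needs root; when run as the owner itself the ownership is already right.
  chown "$2" "$1/.ssh" "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Verify the layout: directory 700, file 600, and every key line restricted with
# no-pty, permitopen= and command=. Returns 1 and prints the first problem found.
check_tunnel_key() {
  [ "$(mode_of "$1/.ssh")" = 700 ] || { echo ".ssh is not mode 700"; return 1; }
  [ "$(mode_of "$1/.ssh/authorized_keys")" = 600 ] || { echo "authorized_keys is not mode 600"; return 1; }
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
    for opt in no-pty permitopen= command=; do
      case "$line" in
        *"$opt"*) ;;
        *) echo "key line lacks $opt: $line"; return 1 ;;
      esac
    done
  done < "$1/.ssh/authorized_keys"
  return 0
}
```

Running check_tunnel_key against an existing tunnel user's home directory is a quick way to confirm that a manually edited authorized_keys still carries the restrictions after later changes.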