
Authenticating Web applications to SQL

Learn how to securely authenticate Web applications to various databases.

Is it possible to securely authenticate Web applications to SQL databases?
Yes, it is possible, and I think the best way to securely authenticate Web applications to other resources, including SQL databases, is to use Secure Shell (SSH). Secure Shell, sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol that provides strong authentication and secure communication over unsecured channels. The encrypted session is supported by public-key cryptography to protect the session key used by the symmetric encryption algorithm. SSH uses RSA public key cryptography for both connection and authentication and supports Blowfish, DES, IDEA, and other symmetric encryption algorithms.

As long as the connection between the application and the database uses TCP, you can use the SSH channel to authenticate the two to each other and increase security against different kinds of attacks. To use SSH for a variety of services, you should use port redirection.

To enable a Web application to authenticate to your database you will need to put an SSH client on the Web server and an SSH server on the database server. SSH can then encrypt passwords and network traffic between your Web and database servers, thus preventing eavesdropping, IP spoofing, IP source routing, DNS spoofing and other network-level attacks.
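The port redirection described above can be sketched as follows. This is an added example, not part of the original answer; the host name, account, key path and port numbers are constructed assumptions, and it assumes OpenSSH on both servers with the database listening only on its own loopback address.

```shell
#!/bin/sh
# Added example: SSH port redirection between a web server and a database server.
# Every host name, account, path and port below is a constructed assumption.
DB_HOST="db.example.internal"       # database server, runs the SSH server
TUNNEL_USER="dbtunnel"              # unprivileged account used only for the tunnel
KEY_FILE="/etc/webapp/tunnel_key"   # web server's private key (public-key auth)
LOCAL_PORT=3307                     # loopback port the web application connects to
DB_PORT=3306                        # port the database listens on, on its loopback

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Web server side. "tunnel print" shows the command, "tunnel run" executes it.
tunnel() {
    valid_port "$LOCAL_PORT" && valid_port "$DB_PORT" ||
        { echo "invalid port" >&2; return 1; }
    # -N: forward only, run no remote command.
    # BatchMode: never fall back to an interactive password prompt.
    # StrictHostKeyChecking: refuse an unknown or changed database host key.
    # ExitOnForwardFailure: fail instead of running without the forward.
    # -L binds the listener to loopback so other hosts cannot use the tunnel.
    set -- "$1" ssh -N -i "$KEY_FILE" \
        -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:${DB_PORT}" \
        "${TUNNEL_USER}@${DB_HOST}"
    mode=$1; shift
    if [ "$mode" = run ]; then exec "$@"; else printf '%s\n' "$*"; fi
}

# Database server side: the line for the tunnel account's authorized_keys file.
# "restrict" turns off all forwarding, PTY allocation and ~/.ssh/rc;
# "port-forwarding" re-enables forwarding and "permitopen" limits it to the
# database port. $1 is the web server's public key.
authorized_keys_entry() {
    valid_port "$DB_PORT" || return 1
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$DB_PORT" "$1"
}

if [ "${1:-}" = start ]; then tunnel run; fi
```

With the tunnel running, the Web application's connection string points at 127.0.0.1 and the local port instead of the database server's network address.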

You can get free, open source implementations at http://www.openssh.com, or commercial versions, including Windows versions, at http://www.ssh.com. There are two versions of SSH: Secure Shell Version 1 (SSH1) and Secure Shell Version 2 (SSH2). SSH1 is not as secure as SSH2 and is gradually being withdrawn from use. SSH2 is actually a complete rewrite of the protocol, and it does not use the same networking implementation as SSH1, so make sure you use SSH2. A good SSH "how-to" can be found at http://p25ext.lanl.gov/ssh/ssh-howto.html.


This was last published in August 2005.
