Skip site navigation (1) Skip section navigation (2)

Re: SSH Tunneling implementation

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>, pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org>
Subject: Re: SSH Tunneling implementation
Date: 2012-07-10 12:36:12
Message-ID: CABUevEx0gTM5eq3_rS7-DCHbvtZkvQDRqsNbKsGf63n8pBpFHw@mail.gmail.com (view raw or flat)
Thread:
Lists: pgadmin-hackers
On Tue, Jul 10, 2012 at 2:34 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:

>
>
> On Tue, Jul 10, 2012 at 1:31 PM, Magnus Hagander <magnus(at)hagander(dot)net>wrote:
>
>> On Tue, Jul 10, 2012 at 2:30 PM, Ashesh Vashi <
>> ashesh(dot)vashi(at)enterprisedb(dot)com> wrote:
>>
>>>  On Tue, Jul 10, 2012 at 5:56 PM, Magnus Hagander <magnus(at)hagander(dot)net>wrote:
>>>
>>>> On Tue, Jul 10, 2012 at 2:19 PM, Akshay Joshi
>>>> <akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>>>> >
>>>> >
>>>> > On Tue, Jul 10, 2012 at 5:16 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Tue, Jul 10, 2012 at 12:35 PM, Ashesh Vashi
>>>> >> <ashesh(dot)vashi(at)enterprisedb(dot)com> wrote:
>>>> >>>>
>>>> >>>>
>>>> >>> Why are we talking about using the external application here?
>>>> >>
>>>> >>
>>>> >> Because I suggested giving it some thought in case it turns out we
>>>> have no
>>>> >> other option.
>>>> >>
>>>> >>>
>>>> >>> The only problem with the current implementation - is that it does
>>>> use
>>>> >>> new APIs for tunneling.
>>>> >>> We can change the implementation based on the current supplied
>>>> libssh2 on
>>>> >>> most linux flavours.
>>>> >>> i.e. libssh2 - 1.2.7 or later
>>>> >>>
>>>> >>> I have asked Akshay to check - if we can modify the current
>>>> >>> implementation to use the older version of libssh2. (feasibility)
>>>> >>
>>>> >>
>>>> >> I've already asked him to investigate whether there is another API
>>>> that
>>>> >> may be used that he may have missed. Only supporting old versions of
>>>> libssh2
>>>> >> is unacceptable though - we need to support current versions, and
>>>> ideally
>>>> >> older ones as well for compatibility with Ubuntu/Debian/RHEL etc.
>>>> >
>>>> >
>>>> >    I have investigated, there are two functions
>>>> libssh2_session_handshake
>>>> > and libssh2_exit() which is not available in the older versions.
>>>> >    libssh2_session_handshake() is replacement function to
>>>> > libssh2_session_startup()(deprecated) which was added in the version
>>>> 1.2.8
>>>> > and
>>>> >    libssh2_exist() was added in the version 1.2.5. So to provide
>>>> backward
>>>> > compatibility we can perform the function check instead of configure
>>>> >    check and will add appropriate macros to build it properly.
>>>> >
>>>> >    Thought??Comments?
>>>>
>>>> Uh, I'm not sure what you mean with "function check instead of
>>>> configure check". You mean trying to load the function at runtime,
>>>> with dlopen() and friends? I guess we could, but I don't think pgadmin
>>>> has any functionality for that today, so it's going to bring in a fair
>>>> amount of platform specific code, isn't it? But if it's not too
>>>> complicated, it seems like a good choice.
>>>>
>>> He means to say - check function check at configuration.
>>> i.e.
>>> A lot of system does not have snprintf supported so a lot of packages
>>> check existence of it at configuration and define  HAVE_SNPRINTF  macros.
>>>
>>
>>
>> Oh, that's what I would've called a configure check :) In that case, +1
>> for that since it's clearly the simplest way of getting it done.
>>
>>
> Yeah. Well, that should solve the version compatibility issue, but we
> still want to find out if there's a different API to use to avoid the need
> for a public key. Probably best to try to answer that first, in case it
> means approaching things differently.
>
> BTW; according to the libssh2 website I just read, it supports OpenSSL and
> gcrypt, so I guess there won't be builds out there using libnss or gnutls.
>

You'd think so, but there is. My libssh2 package depends on libgcrypt11,
which is from GnuTLS.

But I guess they must be using just the "openssl compatibility layer" in
gnutls. Which isn't very good for SSL, but probably enough for the pure
crypto functions which is what they use.

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

In response to

pgadmin-hackers by date

Next:From: Dave PageDate: 2012-07-10 12:36:24
Subject: Re: SSH Tunneling implementation
Previous:From: Dave PageDate: 2012-07-10 12:34:35
Subject: Re: SSH Tunneling implementation

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group