Eric Roby wrote:
Anyone had any experience trying to secure the transactions between ZEO clients and a storage server? Our shop is already using OpenSSH, and I have read some introductory information about OpenSSH. It is just not clear to me what level of effort is required to implement this, or, if implemented, whether the additional overhead will further exacerbate the potential for unresolved conflict errors?
Any thoughts...
Let's say you have a host called "zeoclient" and "zeostorage". On zeostorage, start a ZEO server listening to some port, say 9673, making sure that it listens only on the *local* interface, usually 127.0.0.1. An example:

    python lib/python/ZEO/start.py -p 9673 -h 127.0.0.1 \
        -S 1=/stores/fs:Storage

Then on "zeoclient" you set up a tunnel:

    ssh -f -N -L 9673:zeostorage:9673 zeostorage

Then your Zope install on zeoclient should use port 9673 on 127.0.0.1 to connect to the storage. In fact, the only piece of code that should know about the hostname "zeostorage" is the command to set up the SSH tunnel.

There are some disadvantages: anybody who has an account on either zeoclient or zeostorage has full read/write access to the database. To avoid that, you'd need to use Unix domain sockets and come up with a way to forward one securely.

Also, ssh is not 100% stable as a tunnel; I've seen ssh stop just because a forwarded connection disconnected unexpectedly. You might need to watch the ssh process and restart it if it dies.

For zope.org there is a private subnet. The boxes each have two network cards AFAIK. All ZEO communication takes place on the private subnet. A VPN would also work, but you'd still have the local access issue.

Shane
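An added example, not part of Shane's reply or of ZEO itself: a small POSIX sh supervisor for the "watch the ssh process and restart it if it dies" step. It runs ssh in the foreground (no -f) so the loop sees every exit, backs off when ssh dies quickly, and binds the local end of the forward to 127.0.0.1 only. The host name "zeostorage" and port 9673 are taken from the thread; the delays, the script name and the use of 127.0.0.1 as the forward target on the remote side (the sshd on zeostorage makes that connection, and the storage only listens on loopback) are this example's choices. ExitOnForwardFailure and the ServerAlive options are standard OpenSSH client options.

```shell
#!/bin/sh
# zeo_tunnel.sh: keep an ssh port-forward from a ZEO client to the storage
# host alive, restarting ssh whenever it exits.
# Added example, not from the original thread. Host name, ports and delays
# are assumptions taken from or chosen to match the thread; adjust to your site.

ZEO_HOST="${ZEO_HOST:-zeostorage}"    # storage host (name used in the thread)
ZEO_PORT="${ZEO_PORT:-9673}"          # port ZEO listens on (127.0.0.1 only) on ZEO_HOST
LOCAL_PORT="${LOCAL_PORT:-9673}"      # port Zope on this client connects to
MIN_DELAY=5                           # seconds before the first restart attempt
MAX_DELAY=60                          # cap on the restart back-off

# Arguments for one tunnel attempt. The forward target on the remote end is
# 127.0.0.1 because the sshd on ZEO_HOST opens that connection and the storage
# listens only on loopback; the local end is bound to 127.0.0.1 as well.
# -N: no remote command. ExitOnForwardFailure: make ssh exit (so we restart)
# if the local port is already taken. ServerAlive*: notice a dead peer within
# about 90 s instead of hanging forever on a half-open connection.
tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:${LOCAL_PORT}:127.0.0.1:${ZEO_PORT} ${ZEO_HOST}"
}

# Exponential back-off: double the previous delay, capped at MAX_DELAY.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then
        d=$MAX_DELAY
    fi
    echo "$d"
}

# Restart loop: run ssh in the foreground, log each exit, sleep, try again.
# An exit within 30 s counts as a failed attempt and increases the delay;
# a tunnel that lived longer and then dropped is retried after MIN_DELAY.
supervise() {
    delay=$MIN_DELAY
    while :; do
        start=$(date +%s)
        # shellcheck disable=SC2046  -- word splitting of the args is intended
        if ssh $(tunnel_args); then
            status=0
        else
            status=$?
        fi
        elapsed=$(( $(date +%s) - start ))
        echo "ssh tunnel to ${ZEO_HOST} exited (status ${status}) after ${elapsed}s; retry in ${delay}s" >&2
        sleep "$delay"
        if [ "$elapsed" -lt 30 ]; then
            delay=$(next_delay "$delay")
        else
            delay=$MIN_DELAY
        fi
    done
}

# Only start the loop when invoked as:  sh zeo_tunnel.sh run
if [ "${1:-}" = "run" ]; then
    supervise
fi
```

Run it from a process supervisor (init, cron @reboot, or similar) rather than with ssh -f, so the loop itself is restarted on reboot. This keeps the tunnel up but does not change the access problem Shane mentions: any local account on zeoclient can still connect to 127.0.0.1:9673.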