I need to create an application (Python 3.3 strictly) where users will save/load their settings online to a remote hosted database. I do not wish to change the database from listening to any other thing than localhost for security reasons, so I assume the best solution for me would be to make the program create some SSH tunnels before the saving/loading happens.

Would this policy make my database insecure?

How could I make this work? I tried installing paramiko but it is not Python 3+ ready. I also thought maybe I could include into the application's installation, putty tray too and some proper scripting so that I can create that tunnel, but I'm looking for something clever and efficient here. Of course I would really really really prefer avoiding any extra tray icons or shells from appearing every time a tunnel would activate.

I'm asking here so that I can hear an opinion from someone with experience, as I'm lacking that :). What would be your suggestion?

thx in advance

Gouz

1 Answer

I am dealing with similar problems at the moment (trying to use Docker's remote API which at the moment doesn't offer authentication). I am currently using bgtunnel, though I'm getting some errors now and then (usually resolved by a webpage refresh) - at first glance due to trying to establish a connection when one already exists. This can probably be solved using some thread.isAlive() stuff, but all in all it is kind of messy managing the connection - is it already alive? Should I check before any request or try and establish it and redo the API call on an exception? It's a bit tricky. I'm also starting to explore Paramiko, hoping it might be a bit easier to handle from Python - the process of porting to Python 3 seems almost finished at the moment.

That said, I'd expect any decent database to have good-enough baked-in authentication and encryption that I shouldn't be afraid to use it remotely without any ssh tunnelling. It appears from this SO answer that Postgres for example can be configured this way. This means you can kick out ssh and that's one thing in the stack less to think of. They are working on implementing remote auth in Docker's remote API too, at which point I'll gladly do the same :)

metakermit
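
The liveness question raised in the answer (check before each request, or re-establish and redo the call on an exception) is sketched below as an added example; it is not code from the post, bgtunnel or Paramiko, and it does both, retrying once. It assumes an OpenSSH client `ssh` on the PATH with key-based login; `ssh_forward_argv`, `Tunnel` and `retry_on` are hypothetical names.

```python
import socket
import subprocess
import time

def ssh_forward_argv(local_port, remote_port, ssh_target):
    """argv for an OpenSSH client that only forwards one local port."""
    return ["ssh", "-N", "-T", "-o", "BatchMode=yes",  # no shell, no prompts
            "-o", "ExitOnForwardFailure=yes",  # exit if the local port is taken
            "-L", "127.0.0.1:%d:127.0.0.1:%d" % (local_port, remote_port),
            ssh_target]

class Tunnel:  # owns at most one tunnel process
    def __init__(self, argv, local_port, timeout=10.0):
        self.argv, self.local_port, self.timeout = argv, local_port, timeout
        self.proc = None

    def port_open(self):
        with socket.socket() as s:
            s.settimeout(0.5)
            return s.connect_ex(("127.0.0.1", self.local_port)) == 0

    def close(self):
        if self.proc is not None:
            if self.proc.poll() is None:
                self.proc.terminate()
            self.proc.wait()
            self.proc = None

    def ensure(self):
        if self.proc and self.proc.poll() is None and self.port_open():
            return  # reuse the running tunnel, never start a second one
        self.close()
        self.proc = subprocess.Popen(self.argv, stdin=subprocess.DEVNULL)
        deadline = time.monotonic() + self.timeout
        while time.monotonic() < deadline and self.proc.poll() is None:
            if self.port_open():
                return
            time.sleep(0.1)
        self.close()
        raise ConnectionError("tunnel did not come up")

    def call(self, fn, retry_on=(ConnectionError,)):
        self.ensure()  # check before the request
        try:
            return fn()
        except retry_on:  # rebuild the tunnel once and redo the call
            self.close()
            self.ensure()
            return fn()
```

With a constructed target, usage looks like `Tunnel(ssh_forward_argv(15432, 5432, "tunnel@db.example.org"), 15432).call(query)`. Pass the database driver's own connection exception type in `retry_on`, since most drivers do not raise `ConnectionError`.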