A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack: an ordered selection of software that makes it possible to complete a particular task. This post, "Connect SSH Tunnel with the Java Desktop program (.jar) to remote server", covers one such server-stack problem. Below are some tips for managing your Linux server when you run into problems with Linux, MySQL, Java, or SSH tunnels.
I developed a JavaFX desktop program for the employees of the company. Now they want to use the program at home on their own personal computers. The program has MySQL and FTP services.
I need to use an SSH tunnel or a VPN so that the program can connect from outside to the remote server in the office (port forwarding for FTP and MySQL).
If I want to use an SSH tunnel, I have to install (or copy/paste) the certificates on the employees’ own computers, and I think this option is dangerous because the certificates could be exposed to attacks on their computers.
I have sometimes thought of creating one certificate for each employee (100 people) to better control who is connected at any time, but it is too laborious to maintain.
I would like to use an SSH tunnel, but I don’t know if it is the best option in this situation.
What other options can I use to connect my program to the remote server securely?
There aren’t a lot of protocol choices – whatever you choose needs to be:
- Auditable – no sharing of credentials
- Secured – to limit risk of traffic interception/MitM
- Manageable – if you’ve 100+ employees.
You could use SSH, but setting up a VPN is what most businesses do (in my experience). You can then allow only VPN connections through the firewall, and nothing else needs to change.
Your best bet is to look into a small business VPN device. A quick search here brings up lots of (off-topic) posts asking for recommendations.
Long story short, whatever you use, you’re going to have to create and issue a cert or key to every employee. The only sensible way to do this is with a script or management tool.
As you mentioned, I would authorize the employees with the private key from a generated public/private RSA key pair for the SSH connection to the office server. You can store the public key in ~/.ssh/authorized_keys and secure the private key with a passphrase so that the employee can connect to the server. But you must open the SSH port in the firewall to the outside.
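
The two answers above point to scripted key issuance and to `~/.ssh/authorized_keys`; the following is an added example (not code from either answer) of a small script that keeps one restricted `authorized_keys` line per employee, so a stolen key can only forward to MySQL and can be revoked on its own. Assumptions: a dedicated tunnel-only account on the office server, MySQL listening on `127.0.0.1:3306` there, and hypothetical function names and employee ids; FTP forwarding is not covered.

```shell
#!/bin/sh
# Added example: one restricted authorized_keys line per employee.
# Assumptions: tunnel-only account; MySQL on 127.0.0.1:3306 of the office server.

# "restrict" turns off PTY, agent/X11 and all forwarding; the next two options
# re-enable local forwarding to the single MySQL destination only.
TUNNEL_OPTS='restrict,port-forwarding,permitopen="127.0.0.1:3306"'

valid_id() {  # employee ids become the key comment, so keep them to safe characters
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# make_entry EMPLOYEE "TYPE BASE64 [comment]" -> prints one authorized_keys line
make_entry() {
    valid_id "$1" || { echo "bad employee id" >&2; return 1; }
    key_type=${2%% *}; rest=${2#* }; key_blob=${rest%% *}
    [ "$key_type" != "$2" ] || { echo "malformed public key" >&2; return 1; }
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) echo "unsupported key type" >&2; return 1 ;;
    esac
    # Reject anything that is not base64, so a submitted "key" cannot smuggle
    # in quotes, newlines or extra options.
    case "$key_blob" in ''|*[!A-Za-z0-9+/=]*) echo "bad key data" >&2; return 1 ;; esac
    printf '%s %s %s employee=%s\n' "$TUNNEL_OPTS" "$key_type" "$key_blob" "$1"
}

# revoke_key FILE EMPLOYEE -> drops that employee's line, leaves everyone else's
revoke_key() {
    valid_id "$2" || return 1
    [ -f "$1" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v tag="employee=$2" '$NF != tag' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# add_key FILE EMPLOYEE PUBKEY -> replaces any older key for the same employee
add_key() {
    entry=$(make_entry "$2" "$3") || return 1
    revoke_key "$1" "$2" || return 1
    printf '%s\n' "$entry" >> "$1" && chmod 600 "$1"
}

# list_employees FILE -> one id per line, for audit or review
list_employees() {
    awk '{ sub(/^employee=/, "", $NF); print $NF }' "$1"
}
```

Because every employee has a distinct key, the fingerprint in sshd's "Accepted publickey" log line identifies who connected, which gives the per-user audit trail without shared credentials.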