Paul Rubin wrote:
> Reid Priedhorsky <[EMAIL PROTECTED]> writes:
> > B) Work machine. Run by others, many users. I'd like to also run my
> > database client (Python) here.
>
> Well, just how much do you distrust that machine? If you think it's
> totally pwned by attackers who will stop at nothing to subvert your
> client, you shouldn't run the client there.

I got the impression that he didn't trust other normal users on the box but that root wasn't hostile.

> > What I'd like is functionality similar to what Subversion does with
> > "svn+ssh://" URLs: an SSH tunnel that accepts only one connection and
> > doesn't have race conditions.

[SNIP]

> And even if you have an SSH mode that accepts just one connection,
> since your db app is separate and has to connect to the
> forwarding port after you use a separate program open the port,
> how do you stop someone else from grabbing it first?

(I think that's what he meant by "doesn't have race conditions".)

> That seems to mean one of:
>
> 2) authentication through SCM_CREDENTIALS on a PF_UNIX socket

That looks like the best option of those you list.

> Actually, looking at the doc for ssh-agent(1), it looks like it might
> do something like #2 above. If I understand it, you would run your db
> client as something like
>
> ssh-agent your-client &

That's cool, I'm looking for something similar, thanks!

--
http://mail.python.org/mailman/listinfo/python-list
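
The SCM_CREDENTIALS option discussed in the thread, sketched as an added example that is not part of the original message: a PF_UNIX listener that accepts one connection and drops it unless the kernel-reported uid of the peer matches, so another local user who connects first gains nothing. It is Linux-specific; the function names and the `tunnel.sock` path are hypothetical.

```python
import os
import socket
import struct
import tempfile

UCRED = struct.Struct("3i")  # Linux struct ucred: pid, uid, gid

def make_listener(path):
    """Listening PF_UNIX socket that asks the kernel to attach sender credentials."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    srv.bind(path)
    srv.listen(1)
    return srv

def recv_with_creds(conn, bufsize=4096):
    """Return (data, (pid, uid, gid)); creds is None if no SCM_CREDENTIALS arrived."""
    data, ancdata, _flags, _addr = conn.recvmsg(bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None

def accept_one(srv, allowed_uid):
    """Accept a single connection; drop it unless the kernel says the peer is allowed_uid."""
    conn, _ = srv.accept()
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    data, creds = recv_with_creds(conn)
    if creds is None or creds[1] != allowed_uid:
        conn.close()
        return None
    return conn, data

def demo(allowed_uid):
    """Constructed demo: a local client connects; returns its first message or None."""
    with tempfile.TemporaryDirectory() as d:  # directory is created mode 0700
        srv = make_listener(os.path.join(d, "tunnel.sock"))
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(srv.getsockname())
        cli.sendall(b"hello")  # the kernel, not the client, fills in the credentials
        accepted = accept_one(srv, allowed_uid)
        cli.close()
        srv.close()
        if accepted is None:
            return None
        conn, data = accepted
        conn.close()
        return data

if __name__ == "__main__":
    print(demo(os.getuid()))
```

Unlike a forwarded TCP port on localhost, the socket also lives in a directory only its owner can traverse, so the uid check is a second barrier, not the only one.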