mysql connection through ssl tunnel

John Almberg jalmberg at identry.com
Mon Oct 20 14:16:47 PDT 2008


On Oct 20, 2008, at 4:50 PM, John Almberg wrote:

>>>
>>> After a few hours of work today, I have all this working  
>>> perfectly. I'm
>>> using autossh to automatically create and monitor the ssh tunnel,  
>>> and I
>>> can make mysql connections through the tunnel with no problems.  
>>> Very cool.
>>>
>>> And that's through PF firewalls on both machines, which added  
>>> flavor to
>>> the exercise ;-)
>>>
>>> One question... and maybe this is a general, philosophical  
>>> question...
>>>
>>> If autossh watches over my ssh tunnel, who or what watches over  
>>> autossh?
>>>
>>> As a related question, how can I make autossh start automatically  
>>> after
>>> a reboot? At the moment, I start autossh from the command line,  
>>> like so:
>>>
>>>> autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin at dbs.example.com
>>>
>>> There doesn't seem to be an rc.d file for autossh... Do I have to  
>>> figure
>>> out how to make one?
>>>
>>
>> You can do this all by not using autossh at all: let init watch and
>> re-establish your ssh tunnel:
>>
>> This is in my /etc/ttys (wrapped for readability):
>>
>> ttyv8   "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306
>> remote.domain.tld >/dev/null 2>&1"    unknown on
>>
>> I let my central machine control the tunnel, not the sending one.
>
> H'mmm... This is new territory for me. I've just read some of the  
> man pages and a few pages in Absolute BSD, and I guess I sort of  
> understand what this does. I'm trying to grasp the connection  
> between virtual terminals and this SSH tunnel...
>
> I guess my main question is, if I start the tunnel with this  
> method, will I be able to access mysql in 'the usual way'? The  
> following works with my autossh tunnel:
>
> mysql -h127.0.0.1 -P33006 -uuser -ppassword db
>
> So, if using the /etc/ttys file is equivalent, and I make the  
> connection on the database server, rather than the client server,  
> then I guess my ttys file should look like this (my ttyv8 is  
> already used... I am guessing I should use the next one down):
>
> ttyv7   "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006  
> example.com >/dev/null 2>&1"    unknown on
>
> Where 'admin' is the user I am logging into on the remote machine,  
> and 'example.com' is the hostname of the remote machine. I guess  
> equivalent to the following?
>
> ttyv7   "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006  
> admin at example.com >/dev/null 2>&1"    unknown on
>
> Port 33006 is not a typo. There are databases running on both  
> machines, so I need to use a different port for the tunnel.
>
> And as far as I can tell, I reload /etc/ttys with 'kill -1 1'.
>
> This looks dangerous...
>
> -- John

I tried this, and not surprisingly, it didn't work. Now I'm trying to  
debug it...

Question... if I want to ssh from the database server to the  
application server (in the direction shown by -R), I need to use port  
48444 (not the actual port, but something high). In other words, I  
need to do something like:

	ssh admin at example.com -p 48444

Does this ssh port have anything to do with trying to start this ssh  
tunnel? In other words, do I need to add a '-p 48420' to the ttyv7  
command?

-- John
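Neither command line in this thread says which interfaces the forwarded port ends up listening on, and that is the property a defender cares about: `-g` in the autossh line opens the -L listener to every interface, while a -R listener stays on loopback unless sshd's GatewayPorts is enabled. The following is an added example, not code from the thread or from any project, of a small POSIX sh checker that parses such a command line and reports the listening address of each forward; the forward syntax it expects and its GATEWAY convention are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: list the -L/-R forwards in an ssh
# command line (an /etc/ttys entry or autossh line) and show where each tunnel
# endpoint listens. Assumes OpenSSH [bind_address:]port:host:hostport syntax
# and option values as separate words. GATEWAY=yes means the listener accepts
# non-local connections (-g for -L on the client; sshd GatewayPorts for -R).
set -f   # no pathname expansion while word-splitting command lines
# ssh_forwards CMDLINE -> one "L SPEC" or "R SPEC" line per forward
ssh_forwards() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in -L|-R) echo "${1#-} $2"; shift ;; esac
        shift
    done
}
# ssh_has_gateway_flag CMDLINE -> yes if -g is present, alone or bundled (-fNg)
ssh_has_gateway_flag() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -L|-R|-M|-l|-p|-i|-o) shift ;;        # skip the option's value
            -*g*) echo yes; return 0 ;;
        esac
        shift
    done
    echo no
}
# forward_listen SPEC GATEWAY -> "ADDR PORT" the listening side will bind to
forward_listen() {
    spec=$1; gateway=$2
    case "$spec" in
        *:*:*:*) bind=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*} ;;
        *:*:*)   bind=""; port=${spec%%:*} ;;
        *)       echo "bad forward spec: $spec" >&2; return 2 ;;
    esac
    # No explicit bind address: loopback unless gateway ports are enabled.
    [ -n "$bind" ] || { [ "$gateway" = yes ] && bind='*' || bind=127.0.0.1; }
    echo "$bind $port"
}
# tunnel_exposure SPEC GATEWAY -> loopback | exposed
tunnel_exposure() {
    listen=$(forward_listen "$1" "$2") || return 2
    case "${listen%% *}" in 127.*|localhost|::1) echo loopback ;; *) echo exposed ;; esac
}
# Report on the autossh line from the thread (constructed here without redirects).
line="autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin@dbs.example.com"
gw=$(ssh_has_gateway_flag "$line")
ssh_forwards "$line" | while read -r kind spec; do
    echo "-$kind $spec listens on $(forward_listen "$spec" "$gw"): $(tunnel_exposure "$spec" "$gw")"
done
```

For the -R entry in the /etc/ttys line the answer depends on the remote sshd, so run it with GATEWAY set to whatever GatewayPorts is on that server.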



More information about the freebsd-questions mailing list