Re: Using ssh tunnel and mysql

Mon, 10 Mar 2003 09:32:20 -0800

At 11:24 -0600 3/10/03, Pete Harlan wrote:
On Fri, Mar 07, 2003 at 05:43:29PM -0800, Jeremy Zawodny wrote: 
 On Fri, Mar 07, 2003 at 05:37:38PM -0800, LZ Orders wrote:
 > Hi. I wanted to connect from a client machine to a MySQL server using
 > ssh. I execute the following on the local machine (the server is
 > foo.bar.com):
 >
 > % ssh -n -N -L 3307:foo.bar.com:3306 foo.bar.com
 >
 > I then try to connect from the local machine with:
 >
 > % mysql -h localhost -p 3307 --user=me --password
 >
 > But after prompting me for my password, MySQL denies me access.

What if you use 127.0.0.1 instead of "localhost"?

Jeremy 

And what he's referring to is that the mysql client library will
connect using the local socket if you say "-h localhost", even though
you specified a port.  The port argument will be silently ignored.
For some reason the developers consider this a feature.


Whether it's a feature or not, it's not always so easy to figure out
what to do.  If you specify -h localhost, it can be argued that you
really want the socket even if you specify the port.  It can be
argued conversely that if you specify the port, you should use TCP/IP
even if you specify -h localhost.

That is, if the user specifies both, it's ambiguous what the user really
wants.


If you want to connect to localhost via TCP/IP, you have to specify
the host by IP address (127.0.0.1), not as "localhost".

The developers pointed out to me (two years ago, when I submitted a
patch to fix this bug) that what you'd really want to do is tunnel the
*socket* from one machine to the other, not the port.  If you tunnel
the port, you have to be sure to block access to that port from the
outside, because outside connections to that port (on the tunneling
client) will be tunneled too (under Linux anyway; I didn't try it
elsewhere).

That's potentially dangerous and not completely obvious side-effect of
tunneling SSH ports.

SSH doesn't allow tunneling sockets unfortunately.

--Pete

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php



---------------------------------------------------------------------
Before posting, please check:
  http://www.mysql.com/manual.php   (the manual)
  http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Reply via email to