>Description:
        Text that may or may not be added to the MySQL manual
>How-To-Repeat:
>Fix:

Hello,

As there is a description about using an SSH tunnel with Windows
in the MySQL doc, I thought a text about using an SSH tunnel with
UNIX might be in order. If you think the text below might warrant
inclusion in the MySQL manual, please feel free to modify it and
include it.

Note also that the manual says:

"MySQL supports internal SSL connections as of Version 3.23.9."

but

"Secure connections (with SSL)."

is still in "things that should be in 4.0".

So...does it support SSL or not?

Best regards,

-- David

===============

Port forwarding of mysql connections over SSH in UNIX:

Suppose you want to connect to a mysql server running on a remote machine
called 'foo' as user 'fred', but you do not want to use an unencrypted
connection from your local machine 'bar' to the mysqld port (i.e. you do not
want to just do 'mysql -h foo -u fred -p' and risk somebody eavesdropping
on the data stream between machines 'foo' and 'bar').
You can use SSH to transparently encrypt the connection:
1) Make sure that the mysqld server lets user 'fred' connect from
   machine 'localhost.localdomain' (NOT from 'localhost') using password
   'mypassword'.
   Check the mysql manual on how to do this, you have to set up the
   mysql.user table accordingly.
   Note that your mileage may vary; I only got it to work with
   host = 'localhost.localdomain' in the user table.
2) Make sure that the SSH-daemon is running on machine 'foo' (some
   tuning may be required).
3) Make sure you have the SSH client on machine 'bar'.
4) Make sure user 'fred' has an account on machine 'foo'. Unfortunately
   this must be an account with a shell :-(
Now do the following:
Start the SSH client on your local machine 'bar' so that:
1) It listens on a given port on your local machine (to which you will
   connect afterwards). Let's use port 4000 (say). If you want to use
   a port below 1024, you will have to be root.
2) It connects to the SSH-daemon on machine 'foo' using the SSH protocol,
   thus ensuring an encrypted connection (you can select the encryption
   algorithm etc. using config files and the command line of ssh).
3) The SSH-daemon on machine 'foo' decrypts and locally forwards data
   to the mysql daemon which (by default) listens on port 3306.
4) Go for it:
   cmd> ssh -L 4000:foo:3306 foo -l fred
You are now ready to connect to the mysqld through the SSH tunnel:
1) Start mysql with some additional options:
   cmd> mysql --host=localhost.localdomain --port=4000 -p --user=fred
   mysql will ask for fred's database password and connect to the
   locally running SSH client listening on port 4000.
   If you give --host=localhost this will not work because mysql will
   attempt to connect using the local-only UNIX domain socket.
   If you give --host=bar this will not work either; the mysqld on the
   remote machine will just give an ERROR 2003, i.e. the connect()
   call on 'foo' failed, but I can't imagine why. As said, your mileage may
   vary.
2) See ssh running with ps, and listening on port 4000 using netstat -a.
3) Interestingly, nmap does *not* show port 4000 as open from outside.

===============

>Submitter-Id:  David Tonhofer
>Originator:    root
>Organization:  m-plify S.A.
>MySQL support: none
>Synopsis:      Text that may or may not be added to the MySQL manual
>Severity:      non-critical
>Priority:      low
>Category:      mysql
>Class:         doc-bug
>Release:       mysql-3.23.41 (Official MySQL RPM)
>Server: /usr/bin/mysqladmin  Ver 8.21 Distrib 3.23.41, for pc-linux-gnu on i686
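The procedure from the post above (start the local ssh listener, then point the mysql client at it) wrapped in a script, as an added example that is not part of the original report. It also checks the point the report makes with netstat and nmap: the forwarded port must be bound to the loopback interface only, so nobody else on the network can ride the tunnel. Assumed: an OpenSSH client with key-based login to 'foo', a mysql client, and `netstat -an` in Linux format; 'foo', 'fred' and 4000 are the post's own values.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the ssh -L and mysql steps
# into one script and refuses to connect unless the forwarded port is bound
# to loopback only. Assumptions: OpenSSH client with key-based login to 'foo',
# a mysql client, netstat -an in Linux format. 'foo', 'fred', 4000 are the
# post's example values.
REMOTE_HOST="${REMOTE_HOST:-foo}"
REMOTE_USER="${REMOTE_USER:-fred}"
LOCAL_PORT="${LOCAL_PORT:-4000}"
REMOTE_MYSQL_PORT=3306

# Return 0 when the netstat -an text in $1 shows a TCP LISTEN socket on port $2
# bound to loopback only; 1 if it is missing or bound to every interface.
listener_is_local() {
    # A wildcard bind (0.0.0.0, :: or *) would let other hosts use the tunnel.
    printf '%s\n' "$1" | grep -Eq "^tcp6? .*(0\.0\.0\.0|::|\*):$2 .*LISTEN" && return 1
    printf '%s\n' "$1" | grep -Eq "^tcp6? .*(127\.0\.0\.1|::1|localhost):$2 .*LISTEN"
}

run_tunnel() {
    # Step 4 of the post: 127.0.0.1: on the listen side keeps the port local,
    # -N asks for port forwarding only (no remote command).
    ssh -N -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:$REMOTE_MYSQL_PORT" \
        -l "$REMOTE_USER" "$REMOTE_HOST" &
    ssh_pid=$!
    trap 'kill "$ssh_pid" 2>/dev/null' EXIT
    # Wait up to 10 s for the listener; stop if it never shows up on loopback.
    tries=0
    until listener_is_local "$(netstat -an 2>/dev/null)" "$LOCAL_PORT"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then
            echo "port $LOCAL_PORT is not listening on loopback; not connecting" >&2
            exit 1
        fi
        sleep 1
    done
    # Connecting to 127.0.0.1 forces TCP; plain 'localhost' would use the Unix socket.
    mysql --host=127.0.0.1 --port="$LOCAL_PORT" --user="$REMOTE_USER" -p
}

# Only start the tunnel when asked, so the functions can be sourced and checked.
if [ "${1:-}" = "--connect" ]; then
    run_tunnel
fi
```

Run it as `sh tunnel.sh --connect`; the mysql.user row on 'foo' still has to allow 'fred' from the server's own loopback name, as the post describes.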


