From: Peter Boosten <peter@boosten.org>
Date: Mon, 20 Oct 2008 21:49:52 +0200
To: John Almberg
Cc: freebsd-questions@freebsd.org
Subject: Re: mysql connection through ssl tunnel
Message-ID: <48FCE0E0.70103@boosten.org>
In-Reply-To: <912A74FB-0292-4A53-B480-34FE69D9C465@identry.com>
References: <8B945891-5F96-4FBF-8175-15F67F03DD92@identry.com> <48D8F881.1010000@unsane.co.uk> <912A74FB-0292-4A53-B480-34FE69D9C465@identry.com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)

John Almberg wrote:
>
> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
>
>> John Almberg wrote:
>>> I have two FreeBSD machines. One is an application server, the other a
>>> database server running mysql. These machines are in two different
>>> locations. I'd like to allow the application server to access mysql
>>> through an SSH tunnel.
>>>
>>> Being a newbie admin, I've never set up an SSH tunnel. I've been
>>> reading about them all morning and (as always) there seems to be more
>>> than one way to skin this cat.
>>>
>>> I'm looking for ease of set up and maintenance, as well as security
>>> (which I assume is a given.) I'd prefer NOT to have to recompile the
>>> kernels (pure cowardice... the application server is a production
>>> server that I don't want to experiment with.) Both servers have OpenSSL.
>>>
>>> Any recommendations, much appreciated.
>>>
>>> Thanks: John
>>>
>>
>> A very basic ssh tunnel is as simple as
>>
>>     ssh -L3306:127.0.0.1:3306 user@remote.host
>>
>> This will forward any connections to localhost on port 3306 through the
>> ssh connection to remote.host, then on to localhost at that end on port
>> 3306. If you have mysql running on the app server as well, then change
>> -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an
>> unused tcp port on the application server. If you do use an ssh tunnel
>> you may want to use security/autossh, which will monitor the tunnel and
>> re-establish it if it loses connection for some reason.
>
> After a few hours of work today, I have all this working perfectly. I'm
> using autossh to automatically create and monitor the ssh tunnel, and I
> can make mysql connections through the tunnel with no problems. Very cool.
>
> And that's through PF firewalls on both machines, which added flavor to
> the exercise ;-)
>
> One question... and maybe this is a general, philosophical question...
>
> If autossh watches over my ssh tunnel, who or what watches over autossh?
>
> As a related question, how can I make autossh start automatically after
> a reboot? At the moment, I start autossh from the command line, like so:
>
>>     autossh -M 20000 -fNg -L 33006:127.0.0.1:3306 admin@dbs.example.com
>
> There doesn't seem to be an rc.d file for autossh... Do I have to figure
> out how to make one?
>

You can do this all by not using autossh at all: let init watch and
re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for
readability):

    ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld >/dev/null 2>&1" unknown on

I let my central machine control the tunnel, not the sending one.

Peter
-- 
http://www.boosten.org
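An added example, not code from anyone in this thread: a POSIX sh wrapper around the tunnel that can be launched either from /etc/ttys (so init respawns it, as Peter describes) or from autossh (as John does). It differs from John's command line in two defensive details: it omits -g, so the forwarded MySQL port is bound to 127.0.0.1 on the application server and is not reachable from other hosts, and it sets ExitOnForwardFailure so that ssh exits (and is respawned) rather than staying up with a dead forward. The user, host and port numbers are placeholders taken from John's command; the sockstat(1) lines used to check the bind address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Launch as "mysql-tunnel run" from
# /etc/ttys or via autossh; with no argument it only defines the helpers.
# All hostnames, the user and the ports below are placeholders.

TUNNEL_USER="${TUNNEL_USER:-admin}"
TUNNEL_HOST="${TUNNEL_HOST:-dbs.example.com}"
LOCAL_PORT="${LOCAL_PORT:-33006}"      # unused port on the application server
REMOTE_PORT="${REMOTE_PORT:-3306}"     # mysql on the database server

# Compose the ssh command line. No -g: the listener is bound to 127.0.0.1 so
# only local processes can reach mysql through it. -nNTx as in Peter's ttys
# entry (no stdin, no remote command, no pty, no X11 forwarding).
# ExitOnForwardFailure=yes makes ssh exit when the -L bind fails, so the
# supervisor (init or autossh) restarts it instead of keeping a dead tunnel.
# ServerAlive* detects a silently dropped connection, e.g. through a PF
# state timeout, within about 90 seconds.
tunnel_cmd() {
    printf '%s' "ssh -nNTx -o BatchMode=yes -o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-L 127.0.0.1:${LOCAL_PORT}:127.0.0.1:${REMOTE_PORT} \
${TUNNEL_USER}@${TUNNEL_HOST}"
}

# Check one listener line as printed by "sockstat -4l" on FreeBSD
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
# Returns 0 when the forward is bound to loopback only, 1 when it is
# bound to all interfaces (what -g produces).
forward_bound_to_loopback() {
    # Re-split the line into positional parameters; field 6 is LOCAL ADDRESS.
    set -- $1
    case "$6" in
        127.0.0.1:*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample lines, in sockstat's column layout, for a loopback-only
# forward and for one started with -g.
SAFE_LINE="admin    ssh        1234  3  tcp4   127.0.0.1:33006       *:*"
EXPOSED_LINE="admin    ssh        1234  3  tcp4   *:33006               *:*"

# Report on the live system: audit every ssh listener on the tunnel port.
audit_live_forwards() {
    sockstat -4l | while read -r line; do
        case "$line" in
            *" ssh "*":${LOCAL_PORT} "*)
                if forward_bound_to_loopback "$line"; then
                    echo "ok: $line"
                else
                    echo "EXPOSED (bound on all interfaces): $line"
                fi ;;
        esac
    done
}

# exec so that init (via /etc/ttys) supervises the ssh process itself.
run_tunnel() {
    exec $(tunnel_cmd)
}

case "${1:-}" in
    run)   run_tunnel ;;
    audit) audit_live_forwards ;;
esac
```

Installed as, say, /usr/local/sbin/mysql-tunnel (a hypothetical path), the ttys entry becomes `ttyv8 "/usr/local/sbin/mysql-tunnel run" unknown on`, and `mysql-tunnel audit` confirms after the fact that the forward is listening on 127.0.0.1 only. With autossh, the same argument list goes after `autossh -M 20000`; the -f flag is dropped in both cases, because a supervisor needs the process it started to stay in the foreground.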