[TriLUG] seeking ssh tunnel advice

Kevin Hunter hunteke at earlham.edu
Sat Jan 12 03:36:22 EST 2008


At 11:06p -0500 on 11 Jan 2008, Tom Roche wrote:
> However I *do not* want to forward 3306: I want to tunnel it over ssh,
> and turn off that port-forward. Based on my reading, ISTM I should be
> able to do
> 
> $ ssh -fNL 3306:192.168.0.12:3306 os2@netgear.dyndns.org &
> $ mysqladmin -h netgear.dyndns.org -u mysql2 version

Close.  If you're trying to tunnel through ssh, you need to use the 
tunnel you set up.  The first command creates a tunnel, accessible via 
the local port 3306 (-L 3306:...).  Once through the tunnel, it is to 
direct the communication to port 3306 on 192...12 
(...:192.168.0.12:3306).  Be careful.  In this case 192.168.0.12 is 
accessing what you want, but is not the general solution that I think 
you want.

Then you decide not to use the tunnel by telling mysqladmin to go 
directly to netgear.dyndns.org, rather than your tunnel.

What I think you want is to ssh to the box and then connect to MySQL on 
that _same_ box via a secure tunnel.  Is that correct?

If so, then the command sequence I think you're looking for is:

$ ssh -fNL 3306:localhost:3306 os2@netgear.dyndns.org

This sets up an ssh connection to the box inside your router, and 
connects outside port 3306 to port 3306 on the inside box.  (No 
ampersand needed, btw.)  If you trusted the network inside the router, 
and you wanted to talk to the other inside box, you would change 
localhost in the first command:

$ ssh -fNL 3306:192.168.0.11:3306 os2@netgear.dyndns.org

Either way, the tunnel starts from the box initiating the ssh 
connection.  Then, the next command is always the same:

$ mysqladmin -h localhost -u mysql2 version

Note that to change to which box you talk, you alter the ssh command, 
not the mysqladmin command.  The mysqladmin command always thinks it's 
talking to localhost.  ssh handles the fibbing part.

HTH,

Kevin
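
Added example, not part of Kevin's message or the thread: POSIX shell functions that read a `-L` spec in the form ssh(1) documents (`[bind_address:]port:host:hostport`) and report where the listener sits, whether the last hop leaves the ssh server, and whether a client's `-h` host actually reaches the tunnel. The function names are hypothetical, and the default bind assumes the client's `GatewayPorts` is left at `no`.

```shell
#!/bin/sh
# Added example: classify an `ssh -L` forward spec (IPv6 literals not handled).

is_loopback() {
    case $1 in
        localhost|127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints: listen=<addr>:<port> exposure=<local|all|address>
#         target=<host>:<port> last_hop=<loopback|network>   (one line)
describe_forward() {
    spec=$1
    old_ifs=$IFS
    set -f                       # bind_address may be "*": disable globbing
    IFS=:
    set -- $spec                 # split the spec on ":"
    IFS=$old_ifs
    set +f
    case $# in
        3) bind=localhost; lport=$1; host=$2; hport=$3 ;;  # assumed default bind
        4) bind=$1; lport=$2; host=$3; hport=$4 ;;
        *) echo "bad forward spec: $spec" >&2; return 2 ;;
    esac
    case "$lport:$hport" in
        :*|*:|*[!0-9:]*) echo "bad port in: $spec" >&2; return 2 ;;
    esac
    [ -n "$host" ] || { echo "missing host in: $spec" >&2; return 2; }
    case $bind in
        ''|'*') exposure=all; bind='*' ;;   # listener open to every interface
        *) if is_loopback "$bind"; then exposure=local; else exposure=address; fi ;;
    esac
    # "host" is resolved by the ssh server; anything but loopback is a
    # plaintext hop across the network behind the router.
    if is_loopback "$host"; then hop=loopback; else hop=network; fi
    echo "listen=$bind:$lport exposure=$exposure target=$host:$hport last_hop=$hop"
}

# Succeeds only if a client aimed at client_host:client_port hits the listener.
reaches_tunnel() {
    c_host=$1; c_port=$2
    describe_forward "$3" >/dev/null || return 2
    [ "$c_port" = "$lport" ] || return 1
    is_loopback "$c_host" && [ "$exposure" != address ]
}

# The three specs that appear in the thread:
for s in 3306:192.168.0.12:3306 3306:localhost:3306 3306:192.168.0.11:3306; do
    describe_forward "$s"
done
```

On Unix, MySQL client programs treat the host name `localhost` as a request for the local socket file, so `-h 127.0.0.1` or `--protocol=TCP` is what sends the connection to the forwarded port.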


