Re: mysql connection through ssl tunnel
>> Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.
>
> I hope you guys will bear with me just a little more...
>
> I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.
>
> The script works perfectly *iff* I run it from the command line as a non-root user, like so:
>
> /usr/local/etc/rc.d/autossh start
>
> However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages:
>
> messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting
>
> So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part.
>
> I don't allow root logins on this server, but don't see how that could cause this problem.
>
> I'm stumped. Any hints, much appreciated.
>
> -- John
>
> --
> #!/bin/sh
> #
> # PROVIDE: autossh
> # REQUIRE: LOGIN
> # KEYWORD: shutdown
>
> . /etc/rc.subr
>
> name=autossh
> rcvar=`set_rcvar`
> start_cmd=${name}_start
> stop_cmd=:
>
> load_rc_config $name
> eval ${rcvar}=\${${rcvar}:='NO'}
>
> command=/usr/local/bin/autossh
> command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
> #pidfile=/var/run/autossh.pid
> #AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE
>
> autossh_start()
> {
> 	${command} ${command_args}
> 	echo started autossh
> }
>
> run_rc_command $1

Answering my own question (probably the best way)...

I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:

autossh_start()
{
	echo ${command} ${command_args}
	su admin -c "${command} ${command_args}"
	echo started autossh
}

This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?
-- John

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: mysql connection through ssl tunnel
John Almberg wrote:

>>> Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.
>>
>> I hope you guys will bear with me just a little more...
>>
>> I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.
>>
>> The script works perfectly *iff* I run it from the command line as a non-root user, like so:
>>
>> /usr/local/etc/rc.d/autossh start
>>
>> However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages:
>>
>> messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting
>>
>> So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part.
>>
>> I don't allow root logins on this server, but don't see how that could cause this problem.
>>
>> I'm stumped. Any hints, much appreciated.
>>
>> -- John
>>
>> --
>> #!/bin/sh
>> #
>> # PROVIDE: autossh
>> # REQUIRE: LOGIN
>> # KEYWORD: shutdown
>>
>> . /etc/rc.subr
>>
>> name=autossh
>> rcvar=`set_rcvar`
>> start_cmd=${name}_start
>> stop_cmd=:
>>
>> load_rc_config $name
>> eval ${rcvar}=\${${rcvar}:='NO'}
>>
>> command=/usr/local/bin/autossh
>> command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
>> #pidfile=/var/run/autossh.pid
>> #AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE
>>
>> autossh_start()
>> {
>> 	${command} ${command_args}
>> 	echo started autossh
>> }
>>
>> run_rc_command $1
>
> Answering my own question (probably the best way)...
>
> I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:
>
> autossh_start()
> {
> 	echo ${command} ${command_args}
> 	su admin -c "${command} ${command_args}"
> 	echo started autossh
> }
>
> This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?

Nothing, except you're re-inventing the wheel.

rc.subr already has a mechanism for running commands as another user. Instead of defining a new start() function, simply add something like:

: ${autossh_user:='admin'}

towards the top of the script. (This also means you can override the setting by defining 'autossh_user=someoneelse' in /etc/rc.conf in the usual way.)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: mysql connection through ssl tunnel
>> Answering my own question (probably the best way)...
>>
>> I solved this problem by figuring out how to execute the command inside the rc script as a non-root user. Like so:
>>
>> autossh_start()
>> {
>> 	echo ${command} ${command_args}
>> 	su admin -c "${command} ${command_args}"
>> 	echo started autossh
>> }
>>
>> This works beautifully, so I almost hesitate to ask, but is there anything wrong with this approach?
>
> Nothing, except you're re-inventing the wheel.
>
> rc.subr already has a mechanism for running commands as another user. Instead of defining a new start() function, simply add something like:
>
> : ${autossh_user:='admin'}
>
> towards the top of the script. (This also means you can override the setting by defining 'autossh_user=someoneelse' in /etc/rc.conf in the usual way.)

Ah, fascinating. Now that I know what I'm looking for, I can see that in the rc.subr man page.

Thanks!
Re: mysql connection through ssl tunnel
John Almberg wrote:

> I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

I believe the thinking was that although MySQL claims to support SSL, it does in fact make a pretty bodge of it, and a more effective approach is to pipe MySQL traffic through an encrypted tunnel. Personally I just use IPSec for this, but people might also like to consider stunnel (http://www.stunnel.org/) or OpenVPN (http://openvpn.net/)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 11:09 PM, Peter Boosten wrote:

> John Almberg wrote:
>
>> I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...
>
> Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.

Ah... that makes sense. I had set up the keys for 'admin', but of course init is run by root. Duh.

That raises another issue... I don't allow root logins on either server, for security reasons...

Peter, I appreciate your ideas and help, but I think I will stick with autossh, probably by finally learning how to create an rc.d script (not sure the actual name for these, but you know what I mean.) I've actually got autossh working, and think it's a simpler solution for me.

Thanks.

Brgds: John
Re: mysql connection through ssl tunnel
On Oct 21, 2008, at 3:44 AM, Matthew Seaman wrote:

> John Almberg wrote:
>
>> I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?
>
> I believe the thinking was that although MySQL claims to support SSL, it does in fact make a pretty bodge of it, and a more effective approach is to pipe MySQL traffic through an encrypted tunnel. Personally I just use IPSec for this, but people might also like to consider stunnel (http://www.stunnel.org/) or OpenVPN (http://openvpn.net/)

Stunnel and OpenVPN are on my list, in case autossh has unexpected problems, but I figured I'd try the simplest approach first. Other than figuring out what holes to poke in the firewalls, autossh was pretty simple to set up.

Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I appreciate your help.

-- John
Re: mysql connection through ssl tunnel
> Now I just need to figure out how to start it on reboot, but that is something I've been meaning to learn, anyway, so I don't mind.

I hope you guys will bear with me just a little more...

I have spent the day trying to figure out how to create an rc script for autossh. Very cool, and not as hard as I'd anticipated. It is attached below.

The script works perfectly *iff* I run it from the command line as a non-root user, like so:

/usr/local/etc/rc.d/autossh start

However, it does NOT work when executed by root. Instead, I get the following error message in /var/log/messages:

messages:Oct 21 19:01:38 on autossh[89267]: ssh exited prematurely with status 255; autossh exiting

So (my understanding), autossh is starting, and tries to create the tunnel, but the tunnel creation fails with the unhelpful 255 error message. But only when executed by root. That's the puzzling part.

I don't allow root logins on this server, but don't see how that could cause this problem.

I'm stumped. Any hints, much appreciated.

-- John

--
#!/bin/sh
#
# PROVIDE: autossh
# REQUIRE: LOGIN
# KEYWORD: shutdown

. /etc/rc.subr

name=autossh
rcvar=`set_rcvar`
start_cmd=${name}_start
stop_cmd=:

load_rc_config $name
eval ${rcvar}=\${${rcvar}:='NO'}

command=/usr/local/bin/autossh
command_args="-M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]"
#pidfile=/var/run/autossh.pid
#AUTOSSH_PIDFILE=$pidfile; export AUTOSSH_PIDFILE

autossh_start()
{
	${command} ${command_args}
	echo started autossh
}

run_rc_command $1
Re: mysql connection through ssl tunnel
John Almberg said the following on 2008-09-23 15:54:

> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>
> I'd like to allow the application server to access mysql through an SSH tunnel. Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.
>
> I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.)
>
> Both servers have OpenSSL.
>
> Any recommendations, much appreciated.

Maybe this can be of interest.

http://www.stunnel.org/examples/mysql.html
Re: mysql connection through ssl tunnel
On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:

> John Almberg wrote:
>
>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>>
>> I'd like to allow the application server to access mysql through an SSH tunnel. Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.
>>
>> I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.)
>>
>> Both servers have OpenSSL.
>>
>> Any recommendations, much appreciated.
>>
>> Thanks: John
>
> A very basic ssh tunnel is as simple as
>
> ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]
>
> This will forward any connections to localhost on port 3306 through the ssh connection to remote.host, then on to localhost at that end on port 3306. If you have mysql running on the app server as well then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an unused tcp port on the application server.
>
> If you do use an ssh tunnel you may want to use security/autossh, which will monitor the tunnel and re-establish it if it loses connection for some reason.

After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)

One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh?

As a related question, how can I make autossh start automatically after a reboot? At the moment, I start autossh from the command line, like so:

autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]

There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

Not that this machine gets rebooted more than once a year, but so far, everything running on this machine starts automatically, and I'd like to keep it that way.

Any tips much appreciated.

Thanks: John
Re: mysql connection through ssl tunnel
John Almberg wrote:

> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
>
>> John Almberg wrote:
>>
>>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>>>
>>> I'd like to allow the application server to access mysql through an SSH tunnel. Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.
>>>
>>> I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.)
>>>
>>> Both servers have OpenSSL.
>>>
>>> Any recommendations, much appreciated.
>>>
>>> Thanks: John
>>
>> A very basic ssh tunnel is as simple as
>>
>> ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]
>>
>> This will forward any connections to localhost on port 3306 through the ssh connection to remote.host, then on to localhost at that end on port 3306. If you have mysql running on the app server as well then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an unused tcp port on the application server.
>>
>> If you do use an ssh tunnel you may want to use security/autossh, which will monitor the tunnel and re-establish it if it loses connection for some reason.
>
> After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)
>
> One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh?
>
> As a related question, how can I make autossh start automatically after a reboot? At the moment, I start autossh from the command line, like so:
>
> autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]
>
> There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?

You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):

ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

I let my central machine control the tunnel, not the sending one.

Peter

--
http://www.boosten.org
Fwd: mysql connection through ssl tunnel
>> After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)
>>
>> One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh?
>>
>> As a related question, how can I make autossh start automatically after a reboot? At the moment, I start autossh from the command line, like so:
>>
>> autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]
>>
>> There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?
>
> You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):
>
> ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on
>
> I let my central machine control the tunnel, not the sending one.

H'mmm... This is new territory for me. I've just read some of the man pages and a few pages in Absolute BSD, and I guess I sort of understand what this does. I'm trying to grasp the connection between virtual terminals and this SSH tunnel...

I guess my main question is, if I start the tunnel with this method, will I be able to access mysql in 'the usual way'? The following works with my autossh tunnel:

mysql -h127.0.0.1 -P33006 -uuser -ppassword db

So, if using the /etc/ttys file is equivalent, and I make the connection on the database server, rather than the client server, then I guess my ttys file should look like this (my ttyv8 is already used... I am guessing I should use the next one down):

ttyv7 "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006 example.com > /dev/null 2>&1" unknown on

Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine. I guess equivalent to the following?

ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on

Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.

And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...

-- John

Websites and Marketing for On-line Collectible Dealers
Identry, LLC
John Almberg
(631) 546-5079
[EMAIL PROTECTED]
www.identry.com
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 4:50 PM, John Almberg wrote:

>>> After a few hours of work today, I have all this working perfectly. I'm using autossh to automatically create and monitor the ssh tunnel, and I can make mysql connections through the tunnel with no problems. Very cool. And that's through PF firewalls on both machines, which added flavor to the exercise ;-)
>>>
>>> One question... and maybe this is a general, philosophical question... If autossh watches over my ssh tunnel, who or what watches over autossh?
>>>
>>> As a related question, how can I make autossh start automatically after a reboot? At the moment, I start autossh from the command line, like so:
>>>
>>> autossh -M 2 -fNg -L 33006:127.0.0.1:3306 [EMAIL PROTECTED]
>>>
>>> There doesn't seem to be an rc.d file for autossh... Do I have to figure out how to make one?
>>
>> You can do this all by not using autossh at all: let init watch and re-establish your ssh tunnel. This is in my /etc/ttys (wrapped for readability):
>>
>> ttyv8 "/usr/bin/ssh -l syslogng -nNTx -R 3306:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on
>>
>> I let my central machine control the tunnel, not the sending one.
>
> H'mmm... This is new territory for me. I've just read some of the man pages and a few pages in Absolute BSD, and I guess I sort of understand what this does. I'm trying to grasp the connection between virtual terminals and this SSH tunnel...
>
> I guess my main question is, if I start the tunnel with this method, will I be able to access mysql in 'the usual way'? The following works with my autossh tunnel:
>
> mysql -h127.0.0.1 -P33006 -uuser -ppassword db
>
> So, if using the /etc/ttys file is equivalent, and I make the connection on the database server, rather than the client server, then I guess my ttys file should look like this (my ttyv8 is already used... I am guessing I should use the next one down):
>
> ttyv7 "/usr/bin/ssh -l admin -nNTx -R 3306:127.0.0.1:33006 example.com > /dev/null 2>&1" unknown on
>
> Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine. I guess equivalent to the following?
>
> ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on
>
> Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.
>
> And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...
>
> -- John

I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:

ssh [EMAIL PROTECTED] -p 48444

Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

-- John
Re: mysql connection through ssl tunnel
On Mon, Oct 20, 2008 at 03:25:23PM -0400, John Almberg wrote:

> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
>
>> John Almberg wrote:
>>
>>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>>>
>>> I'd like to allow the application server to access mysql through an SSH tunnel.

I'm somewhat amazed at the fact that everyone so far has gone completely wild with SSH to solve this problem. Has anyone made the OP aware that MySQL *does* in fact support SSL natively, and that it can be used between client and server, as well as between master and slave (for replication)?

The SSH tunnelling idea is fine if you want to access a MySQL server behind a firewall or on a private network, but I'm a bit confused as to why everyone's going to great lengths to use SSH to accomplish something MySQL has support for natively.

Please clue me in. :-)

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: mysql connection through ssl tunnel
On Oct 20, 2008, at 5:21 PM, Jeremy Chadwick wrote:

> On Mon, Oct 20, 2008 at 03:25:23PM -0400, John Almberg wrote:
>
>> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
>>
>>> John Almberg wrote:
>>>
>>>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>>>>
>>>> I'd like to allow the application server to access mysql through an SSH tunnel.
>
> I'm somewhat amazed at the fact that everyone so far has gone completely wild with SSH to solve this problem. Has anyone made the OP aware that MySQL *does* in fact support SSL natively, and that it can be used between client and server, as well as between master and slave (for replication)?
>
> The SSH tunnelling idea is fine if you want to access a MySQL server behind a firewall or on a private network, but I'm a bit confused as to why everyone's going to great lengths to use SSH to accomplish something MySQL has support for natively.
>
> Please clue me in. :-)

Hi Jeremy,

There are two PF firewalls in the mix, one at each end. The two machines are in different data centers. Actually, that is the motivation behind this exercise. The client wants the database in his own data center, since it contains information he needs to have physical control over.

I do know that Mysql supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

Anyway, the autossh option works perfectly, so I think I will stick with that unless there's a good reason not to.

I have Monit running on the remote server, so I can probably monitor/restart autossh with that (with another few hours reading, of course :-)

-- John
Re: mysql connection through ssl tunnel
John Almberg wrote:

> I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...

Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.

> Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:
>
> ssh [EMAIL PROTECTED] -p 48444
>
> Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

The command given shows a connection between the two ports (in my case 3306). One of them would then be 48420 (the first one), thus:

ttyv7 "/usr/bin/ssh -l admin -nNTx -R 48420:local.domain.tld:3306 remote.domain.tld > /dev/null 2>&1" unknown on

This works by allocating a socket to listen to 48420 on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to local.domain.tld port 3306 from the local machine.

Obviously you would have to change local.domain.tld and remote.domain.tld with actual FQDN or IP addresses.

Furthermore, since this connection is being made by root (which normally isn't), you need to verify the host key of the remote server (by either putting it in known_hosts of root by hand, or making the connection once from the prompt and answering 'y', or putting the key in /etc/ssh/ssh_known_hosts).

The connection on the remote host indeed is made with

mysql -h 127.0.0.1 -P 48420 -u user -p password db

regards

Peter

--
http://www.boosten.org
Re: mysql connection through ssl tunnel
Peter Boosten wrote:

> John Almberg wrote:
>
>> I tried this, and not surprisingly, it didn't work. Now I'm trying to debug it...
>
> Maybe some mixup in the keys? In my example ssh tries to read the private key of root on the connecting server, so the server where the database is located, because init is run as root. If you need another key, then you need to specify this with the -i parameter.
>
>> Question... if I want to ssh from the database server to the application server (in the direction shown by -R), I need to use port 48444 (not the actual port, but something high). In other words, I need to do something like:
>>
>> ssh [EMAIL PROTECTED] -p 48444
>>
>> Does this ssh port have anything to do with trying to start this ssh tunnel? In other words, do I need to add a '-p 48420' to the ttyv7 command?

I now see where you're going: you would have to, in case you ran sshd on another port than 22.

regards

Peter

--
http://www.boosten.org
Re: Fwd: mysql connection through ssl tunnel
John Almberg wrote:

> Where 'admin' is the user I am logging into on the remote machine, and 'example.com' is the hostname of the remote machine. I guess equivalent to the following?
>
> ttyv7 "/usr/bin/ssh -nNTx -R 3306:127.0.0.1:33006 [EMAIL PROTECTED] > /dev/null 2>&1" unknown on
>
> Port 33006 is not a typo. There are databases running on both machines, so I need to use a different port for the tunnel.

I don't think this will work because of 127.0.0.1 not being a FQDN, but I could be mistaken.

> And as far as I can tell, I reload /etc/ttys with 'kill -1 1'. This looks dangerous...

You can safely HUP it...

Peter

--
http://www.boosten.org
Re: mysql connection through ssl tunnel
On Sep 23, 2008, at 1:16 PM, Mel wrote:

> On Tuesday 23 September 2008 15:54:10 John Almberg wrote:
>
>> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>>
>> I'd like to allow the application server to access mysql through an SSH tunnel.
>>
>> Any recommendations, much appreciated.
>
> You can use Vince's suggestion, or simply use SSL connections to the mysql server. Each has its own pros and cons.

Thanks Vince, Mel, for your responses. I guess I will try the simple SSL approach first and see if that does the trick.

I appreciate the advice!

Brgds: John
mysql connection through ssl tunnel
I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.

I'd like to allow the application server to access mysql through an SSH tunnel. Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.

I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.)

Both servers have OpenSSL.

Any recommendations, much appreciated.

Thanks: John
Re: mysql connection through ssl tunnel
John Almberg wrote:

> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>
> I'd like to allow the application server to access mysql through an SSH tunnel. Being a newbie admin, I've never set up an SSH tunnel. I've been reading about them all morning and (as always) there seems to be more than one way to skin this cat.
>
> I'm looking for ease of set up and maintenance, as well as security (which I assume is a given.) I'd prefer NOT to have to recompile the kernels (pure cowardice... the application server is a production server that I don't want to experiment with.)
>
> Both servers have OpenSSL.
>
> Any recommendations, much appreciated.
>
> Thanks: John

A very basic ssh tunnel is as simple as

ssh -L3306:127.0.0.1:3306 [EMAIL PROTECTED]

This will forward any connections to localhost on port 3306 through the ssh connection to remote.host, then on to localhost at that end on port 3306. If you have mysql running on the app server as well then change -L3306:127.0.0.1:3306 to -L33006:127.0.0.1:3306, where 33006 is an unused tcp port on the application server.

If you do use an ssh tunnel you may want to use security/autossh, which will monitor the tunnel and re-establish it if it loses connection for some reason.

You could also look at using stunnel to use an ssl tunnel rather than an ssh tunnel (see http://www.stunnel.org/examples/mysql.html for a basic example). I haven't used this on FreeBSD (never needed it) so the port may install an easier way of setting up persistent tunnels.

Vince
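A point worth checking on the -L forward Vince describes: the autossh invocations later in this thread add -g (in "-fNg"), which makes ssh bind the local listener on every interface of the application server instead of loopback, so any host that can reach port 33006 gets a path to the database that only MySQL's own login guards. The following sh function is an added example, not code from the thread; it walks an ssh/autossh argument list the way ssh's own option parser does (clustered flags, options that take a value, -o GatewayPorts) and reports where the -L listener would be bound. It assumes an IPv4 address or hostname as the bind address (bracketed IPv6 bind addresses are not handled).

```shell
#!/bin/sh
# tunnel_exposure ARGS...  (added example, not from the mailing-list thread)
# Prints one of: local, exposed, bound:<address>, no-forward
tunnel_exposure() {
    gateway=no   # set by -g or -o GatewayPorts=yes|clientspecified
    spec=""      # the -L argument: [bind_address:]port:host:hostport
    while [ $# -gt 0 ]; do
        arg=$1
        shift
        case $arg in
            -?*)
                opts=${arg#-}
                # walk a clustered option group such as -fNg one letter at a time
                while [ -n "$opts" ]; do
                    c=${opts%"${opts#?}"}     # first character of the cluster
                    opts=${opts#?}            # the remainder
                    case $c in
                        g) gateway=yes ;;
                        L|o|b|c|D|e|E|F|I|i|J|l|m|M|O|p|Q|R|S|W|w|B)
                            # this option takes a value: the rest of the cluster,
                            # or the next word if the cluster is exhausted
                            if [ -n "$opts" ]; then
                                val=$opts
                            elif [ $# -gt 0 ]; then
                                val=$1
                                shift
                            else
                                val=""
                            fi
                            opts=""
                            case $c in
                                L) spec=$val ;;
                                o) case $val in
                                       GatewayPorts=yes|GatewayPorts=clientspecified)
                                           gateway=yes ;;
                                   esac ;;
                            esac ;;
                    esac
                done ;;
        esac
    done
    if [ -z "$spec" ]; then
        echo "no-forward"
        return 0
    fi
    # three or more colons mean an explicit bind address precedes the port
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -ge 3 ]; then
        bind=${spec%%:*}
    elif [ "$gateway" = yes ]; then
        bind="*"      # no bind address given: ssh falls back to GatewayPorts
    else
        bind=""       # default: loopback only
    fi
    case $bind in
        ""|localhost|127.0.0.1|::1) echo "local" ;;
        "*"|0.0.0.0|::)             echo "exposed" ;;
        *)                          echo "bound:$bind" ;;
    esac
}

# Constructed sample: the thread's autossh line, with a placeholder user@host.
# A lint such as this can run against the command_args of an rc.d script
# before the tunnel is started.
tunnel_exposure -M 2 -fNg -L 33006:127.0.0.1:3306 admin@db.example.invalid
```

An explicit loopback bind address (-L 127.0.0.1:33006:127.0.0.1:3306) keeps the listener local even when -g is present, which is the cheapest fix if -g was added for another reason.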
Re: mysql connection through ssl tunnel
On Tuesday 23 September 2008 15:54:10 John Almberg wrote:

> I have two FreeBSD machines. One is an application server, the other a database server running mysql. These machines are in two different locations.
>
> I'd like to allow the application server to access mysql through an SSH tunnel.
>
> Any recommendations, much appreciated.

You can use Vince's suggestion, or simply use SSL connections to the mysql server. Each has its own pros and cons.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.