Toad & MySQL: How to access remote hosts via SSH
I was recently reminded of the usefulness of SSH tunnels by one of my colleagues. In our discussion, it also became apparent that the tunnels made possible by shell access to a system can bypass the intentions of the initial security configuration. First, let’s consider why you might need to configure an SSH tunnel to a remote system and how you actually do this using putty (perhaps the most commonly-used SSH client on Windows operating systems), or with a simple ssh command.
Some applications are only needed by the local system and should not provide service to remote clients. For instance, a small application may require a backend database which can easily be hosted on the same box. In such cases, the database server, e.g. MySQL, can be configured to only listen for connections on the local loopback address (127.0.0.1). Other examples can easily be found. A mail transport agent may only need to forward to a mail gateway or smart host and therefore does not need to service clients over the network. It too can be configured to only listen for connections on the local host.
Now imagine a database developer who prefers to use Windows tools to access that database. The answer is to establish an SSH tunnel. First, an SSH terminal session is established to the remote host; through that session a tunnel is established over which traffic is forwarded. This is illustrated in the following diagram:
The key point to understand is that two endpoints are involved for traffic forwarding. A local port is established on the client which is associated with a host and port on the other end of the tunnel. When traffic arrives on the local port on the client, it is forwarded to the other end of the tunnel where it is passed on to the destination. Responses come back through the tunnel in the same fashion.
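To make the two-endpoint model concrete, here is a small plain-TCP forwarder in Python. It is an added illustration, not code from the original post, and it is not SSH: it relays bytes between a listening port and a destination inside a single process, whereas ssh splits the two halves across the client (the accept side) and the SSH server (the connect side), which is exactly why the destination host in a tunnel definition is interpreted from the server's end. The stub "service" standing in for a loopback-only database and the request bytes are constructed for the demo.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close dst's write side
    so the far end also sees EOF (this is what lets a request/response round trip finish)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host, listen_port, dest_host, dest_port):
    """Local endpoint of the 'tunnel': listen on listen_host:listen_port and, for each
    accepted client, open a connection to dest_host:dest_port and relay in both directions.
    With 'ssh -L' the accept() side runs on your workstation and the connect() side on the
    SSH server, so dest_host is resolved by the server; here both halves live in one process.
    Returns the bound port (pass listen_port=0 to let the OS pick one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection((dest_host, dest_port))
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_stub_service(host="127.0.0.1"):
    """Stand-in for a loopback-only service such as MySQL bound to 127.0.0.1 (constructed
    for this demo, not a real database): it answers each request with b'service:' + request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                request = conn.recv(4096)
                conn.sendall(b"service:" + request)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def query_through_tunnel(local_port, payload):
    """What a tool like Toad does: connect to localhost:<local port>, send a request,
    and read the reply that comes back through the tunnel."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # done sending; now wait for the reply and EOF
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire the pieces together: service on an ephemeral loopback port, forwarder in
    front of it, then a 'client' that only ever talks to the forwarder's local port."""
    service_port = start_stub_service()
    local_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", service_port)
    return query_through_tunnel(local_port, b"SELECT 1\n")


if __name__ == "__main__":
    print(demo())  # b'service:SELECT 1\n'
```

The client never learns the service's real port; it only knows the local port, just as Toad only knows localhost:3306 when a PuTTY tunnel is in place. Note also that nothing in start_forwarder restricts dest_host to the forwarder's own machine, which is the property the post warns about later: whoever controls the forwarding endpoint chooses where the traffic goes.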
PuTTY is perhaps the most commonly-used SSH client on the Windows platform. It is quite simple to set up profiles to create secure terminal sessions to remote hosts. See the online documentation for further details. Once you have these sessions, you can also enable port forwarding for the host in question. When you have a PuTTY session loaded, drill down through Connection… SSH… to Tunnels. If you have an active terminal session, you can right-click on the title bar and choose Change settings… to arrive at the configuration screen as well. In the tunnel section, add a new forwarded port. This is done by choosing a local source port (on your client) and a destination specified as a host:port tuple. The host is usually localhost. This seems counterintuitive, but it is from the perspective of the remote end of the tunnel, i.e. it is the server on the other end, and not the client computer (with you at the keyboard). For example, if the remote system is running MySQL, this would look like the following:
Click on the Add button, and the new port forward will show up in the section above as:
The capital ‘L’ signifies that this is the local port. When you have applied the settings change, it becomes active for the current session. Either way — whether you’ve set this by loading a session or by changing an active session, be sure to save the changes if you want them to be permanent.
At this point, you can use client software to access the remote service. In our example using MySQL, you could use a tool like Toad to access a remote database. When you configure the connection, you now specify localhost as the target. This may seem a bit confusing, since this time localhost does mean the client! Your Toad connection configuration might look like this:
As an added benefit, the traffic between you and the remote host is encrypted.
What about non-Windows systems, e.g. Linux or Macintosh systems? When you have an SSH client built into the operating system, this can all be accomplished in the ssh command string. For example, to connect to Oracle on a remote system using local port 9999, you would connect to the remote host using the following command:
ssh -L 9999:mydbhost:1521 mydbhost
You could just as easily match the local port number and the remote one, e.g. 1521, but this is not a requirement here, or in Windows.
You can see that SSH tunnels can be convenient, but their power can go far beyond what might have been intended. With a tunnel to an inside host, there is no reason the forwarded traffic has to be destined for the host at the other end of the tunnel — it can just as easily go anywhere else that host can reach. With this in mind, be very selective about who can have SSH shell access to a system.
If you do not need port forwarding and are concerned about the potential subversive effects on your security policy, disable port forwarding by adding (or setting) the following line to your sshd_config file:
Be sure to restart the sshd daemon following any change to the configuration file.
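The OpenSSH sshd_config directive that controls this is AllowTcpForwarding, and sshd applies the first value it reads for a keyword, so "adding" a line at the bottom of a file that already sets the keyword higher up changes nothing; the existing line has to be changed in place. The following check is added here and is not part of the original post: it parses an sshd_config text, reports the effective global AllowTcpForwarding value (OpenSSH's default is yes when the keyword is absent), and lists any Match blocks that set it again. Both configuration samples are constructed for the check, not taken from any real host.

```python
import re

# Constructed sample, not a real host's config. Pitfall: 'AllowTcpForwarding no' was
# appended to a file that already said 'yes' higher up, so sshd keeps 'yes'.
APPENDED_ONLY_CONFIG = """\
Port 22
AllowTcpForwarding yes
PermitRootLogin no
# ...many lines later, an administrator appended this, expecting it to take effect:
AllowTcpForwarding no
Match Group dba
    AllowTcpForwarding yes
"""

# Constructed sample, corrected: the existing line was changed in place.
CORRECTED_CONFIG = """\
Port 22
AllowTcpForwarding no
PermitRootLogin no
Match Group dba
    AllowTcpForwarding yes
"""

# sshd_config accepts 'Keyword value' and 'Keyword=value'.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Parse sshd_config text into (global_settings, match_blocks).
    Keywords are case-insensitive and, as in sshd, the FIRST value seen for a keyword
    within a scope wins. Every line after a 'Match' line belongs to that Match block.
    match_blocks is a list of (criteria, settings) in file order."""
    global_settings = {}
    match_blocks = []
    current = None  # None while in the global section, else the active Match block's dict
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        scope = global_settings if current is None else current
        scope.setdefault(key, value)  # first occurrence wins, later duplicates are ignored
    return global_settings, match_blocks


def tcp_forwarding_status(text):
    """Return (effective_global_value, overrides) for AllowTcpForwarding.
    The OpenSSH default when the keyword is absent is 'yes'; overrides lists the
    (criteria, value) of every Match block that sets the keyword for a subset of users."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = global_settings.get("allowtcpforwarding", "yes").lower()
    overrides = [
        (criteria, settings["allowtcpforwarding"].lower())
        for criteria, settings in match_blocks
        if "allowtcpforwarding" in settings
    ]
    return effective, overrides


if __name__ == "__main__":
    print(tcp_forwarding_status(APPENDED_ONLY_CONFIG))  # ('yes', [('Group dba', 'yes')])
    print(tcp_forwarding_status(CORRECTED_CONFIG))      # ('no', [('Group dba', 'yes')])
```

On a live host, `sshd -T` prints the configuration sshd will actually use, and `sshd -T -C user=<name>` evaluates it with the Match blocks applied for that user, which is a quicker confirmation after the restart than re-reading the file. Keep in mind the caveat from the sshd_config manual page: disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can run a forwarder of their own; that is the same conclusion the post reaches about being selective with shell access.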