Hi,
>> 1. Create a user account on MySQL host that has no shell (to be as secure as
>> possible, as no remote commands need executing).
>
> Agreed, I would recommend that.
I had a feeling that might be the best way. Now to look up how....
>> 2. Tell SSH somehow to keep forwarding open on the webserver host,
>> regardless of whether there is any traffic going over it.
>
> Not perfekt, but simply use "sleep" with a very high number of seconds
> (86400 is one day, so use 31536000 for about a year, or higher).
>
> Of course, you can also set the sleep command as default shell, so
> that it is executed automatically, but this is a matter of taste,
> IMHO.
Hmm, I thought of that, but it seemed silly - so I delved deep into the
documentation and after much frustration (as it's not clear from the SSH
docs) I found out how to do it.
You need to specifically tell the ssh client to use protocol v2 (it uses v1
by default) along with the option to not run a remote command (i.e. only
forward ports), as v2 does not terminate inactive connections.
So, this is how I'm doing it now:
ssh -q -2 -N -f -l username -L 3306:the.mysql.server:3306 the.mysql.server
Anyway, thanks for the ideas.
Regards,
------------------------------------------------
Basil Hussain (basil.hussain@stripped)
