I need to connect to a MySQL server via an ssh tunnel:

ssh -N -L 33308:localhost:3306 myserver

Via the terminal I try to connect to the MySQL server using these commands:

mysql -u testusr -p -h 127.0.0.1 -P 33308 testdb
mysql -u testusr -p -h localhost -P 33308 testdb

The first attempt fails with the message:

ERROR 1045 (28000): Access denied for user 'testusr'@'127.0.0.1' (using password: YES)

The latter returns the error:

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

But if I get a terminal session on the server, I can connect with:

mysql -u testusr -p -h localhost testdb

But this command fails:

mysql -u testusr -p -h 127.0.0.1 testdb

with the error:

ERROR 1045 (28000): Access denied for user 'testusr'@'127.0.0.1' (using password: YES)

The reason is that the MySQL authentication scheme uses both host and user for authenticating the user. I do not have administrative privileges on the server in order to define 'testusr'@'127.0.0.1'.

Is there a way to proxy the connection and alter the connected user? If not, how can I connect via ssh to the server and execute the mysql command, but have a GUI tool that displays the query results better?

Dimitrios Desyllas

1 Answer

It wouldn't help even if you could mask the user's origin host.

What's happening is that your MySQL user is defined as testusr@localhost. Localhost is special to the MySQL Server. It does not mean 127.0.0.1. To MySQL, localhost means that the user connects via a UNIX domain socket, but not by TCP. UNIX domain sockets work for local clients, not clients connecting via TCP, and that includes clients connecting via an ssh tunnel.

You got an error when you tried to connect with -h 127.0.0.1, even when you ran a client on the database server. This means that the user is not authorized to use TCP at all.

You can't connect that user via an ssh tunnel.

You'll have to contact the administrator of the database server and ask if you can be granted a different user that can connect via TCP.

But I expect that their answer might be "no." They might have a policy that deliberately does not allow remote clients, to help block infiltration by remote attackers.

I did work at a company a few years ago that had strict security policies, and they did not allow remote clients to connect to database instances. Developers were required to ssh into the server and connect using the command-line client. But this meant that GUI clients running on a developer's computer could not connect, even using an ssh tunnel. I was a DBA, and I regularly had to deny developer requests when they wanted to use GUI clients.

Bill Karwin
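What the administrator-side change mentioned in the answer could look like, as an added example that is not part of either post. The account name testusr_tcp, the SELECT-only privilege and the password placeholder are assumptions; the host '127.0.0.1' is the origin the server reported in the question's error message for the tunnelled connection.

```sql
-- Run as an administrator on the database server (constructed example).

-- 1. List the accounts that exist for this user name and the host each
--    one is bound to. An account is the pair 'user'@'host', so
--    'testusr'@'localhost' alone does not cover 'testusr'@'127.0.0.1'.
SELECT user, host, plugin
  FROM mysql.user
 WHERE user = 'testusr';

-- 2. Check that the server accepts TCP at all and on which interface.
--    A loopback bind_address keeps port 3306 unreachable from the
--    network while still serving connections arriving through sshd.
SHOW VARIABLES
  WHERE Variable_name IN ('skip_networking', 'bind_address', 'port', 'socket');

-- 3. Create a separate account (hypothetical name) that is valid only for
--    TCP connections originating from the server's own loopback address,
--    which is where a tunnel opened with -L ...:localhost:3306 terminates.
CREATE USER 'testusr_tcp'@'127.0.0.1'
  IDENTIFIED BY '<placeholder-password>';

-- 4. Grant only what the GUI client needs on the one schema
--    (read-only here is an assumption; widen deliberately if required).
GRANT SELECT ON testdb.* TO 'testusr_tcp'@'127.0.0.1';

-- 5. Confirm the result.
SHOW GRANTS FOR 'testusr_tcp'@'127.0.0.1';

-- 6. From the client, once connected through the tunnel, compare the
--    identity the client presented with the account the server matched.
SELECT USER() AS presented, CURRENT_USER() AS matched_account;
```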