Mysql -user=USER -password=PASSWORD -host=127.0.0.1 -port=13306 DATABASE Keep it like this, open another terminal window, and assuming the MySQL server is running on host B, you can provoke it to respond by the following:
CREATE SSH TUNNEL BSD CLIENT PASSWORD
It should neither ask for a password nor give other responses. This command should not return immediately. Test the tunnel by issuing the following command on host A: Under SELinux don’t use mv, but always use the cp/rm combo. Scp ~/.ssh/id_rsa.pub when copying stuff onto an object confined by SELinux, the substitute will inherit all the rights and attributes from the replaced object. Ssh-keygen -C "SSH Tunnel from host A to host B"
Set up the ssh directory within the tunnels home:Ĭhmod 0600 /var/tunnel/.ssh/authorized_keysĬhcon -v -u system_u -r object_r -t user_home_t /var/tunnelĬhcon -v -u system_u -r object_r -t ssh_home_t /var/tunnel/.sshĬhcon -v -u system_u -r object_r -t ssh_home_t /var/tunnel/.ssh/authorized_keysĪllow ssh connections for the users root and tunnel only:Įcho "AllowUsers root tunnel" > /etc/ssh/sshd_configĪt the peer machine (say host A) create the ssh RSA key pair, and copy the public key to the pre-generated but still empty authorized_keys on the target host B: home /var/tunnel -m -r -u 201 -s /sbin/nologin -Z unconfined_u tunnel Useradd -c 'SSH Tunnel User' -d /var/tunnel \ Once you got the knowledge you can do the Development:Ĭreate the Tunnel User and its home directory: SELinux is used to not allow users to reside in anything else than the standard home directory, the documentation does not tell this to you, you need to find it out the hard way, i.e. I am used to setup a non-privileged tunnel user at the destination machine outside of the standard home directory. And here, I will disclose my findings and how I managed to satisfy the SELinux way of MAC. IMHO, SELinux and its interactions with the various levels of a *nix-system is very poorly documented, and you need R&D strategies to get your stuff working with it. When setting up the ssh tunnels, SELinux came into my way at several stages, and I was close to switching it off several times, but eventually, I managed to keep it running, and so my client cannot blame me, to leaving his system unsecured.
CREATE SSH TUNNEL BSD CLIENT WINDOWS
I was contracted to migrate a Web Application (Apache/PHP/MySQL) to RHEL 6.5 systems, serving Windows Clients, huh, and huhhh… Anyway, there is a distributed data store system which is either synchronized or replicated over ssh tunnels. I like FreeBSD, and if I got a choice, then I deploy servers with FreeBSD and suggest Apple Mac’s as clients. SSH Tunnel Maintenance and SELinux on RHEL/CentOS 6
0 kommentar(er)
