Connect to MySQL through SSH Using the Built-In Client



When you want to expose access to your MySQL database through an insecure network, there are two main choices: an SSL connection or through an SSH tunnel. While the CData MySQL driver supports both options, with our built-in support for tunneling, SSH Tunneling is typically easier to implement and more secure. In addition to supporting encryption through SSH security protocols, which have a terrific record agaist attacks, with an SSH Tunnel MySQL can be configured to only accept traffic from 'localhost', blocking all connections except for the configured tunnel.

Using an SSH tunnel requires an SSH server to be running in the same environment as the MySQL instance, but once the server is running, setting up a tunnel is a straight-forward process. SSH uses strong encryption and, through the tunnel, makes it look like the client connections are coming from the SSH server (and not from a remote client). With an SSH tunnel you do not have to configure your MySQL server to accept remote connections, which means that your MySQL instance has fewer security risks.

Generally, creating an SSH tunnel requires a separate SSH client. The CData Connectors for MySQL contain a built-in SSH client that allows you to easily connect to a MySQL instance through an SSH tunnel.

Configuring the SSH Client

Each CData MySQL connector has connection properties that allow you to connect to a MySQL instance through an SSH server. In order to connect, you will need to set Use SSH to "true" and set the following properties:

  • SSH Client Cert: The name of the certificate store, path to the client certificate file, or the contents of the client certificate.
  • SSH Client Cert Subject: The subject used to search for the certificate in the specified store (default "*").
  • SSH Client Cert Type: The type of key store containing the SSH client certificate.
  • SSH Client Cert Password: The password for the SSH client certificate (if required).
  • SSH User: The username for the SSH server.
  • SSH Password: The password for the SSH user.
  • SSH Server: The location of the SSH server.
  • SSH Server Fingerprint: The fingerprint of the SSH server.
  • SSH Port: The port of the SSH server (default: 22).

Below, you can see an example of a configured SSH client in our ODBC Driver, but the connection is just as easily configured in any of our connectors.

Depending on the connector, you may need to configure a connection string, similar to the following:

Sample Connection String

User=myUser; Password=myPassword; Database=NorthWind; Server=myServer; Port=3306; UseSSH=TRUE; SSHClientCert="/home/ssh.pem"; SSHClientCertSubject=*; SSHClientCertType=PEMKEY_FILE; SSHClientCertPassword=""; SSHUser=root; SSHPassword=""; SSHServer=123.456.789.012; SSHServerFingerprint=""; SSHPort=1022

Because the SSH client is built directly into the connectors, the setup and usage is exactly the same, regardless of the operating system. Set the connection properties and start working with remote MySQL data from your local system, all through a secure SSH tunnel.

For more information and to download a free trial, visit the MySQL Driver page. As always, our world-class Support Team is available to answer any questions you might have.