I have a similar setup, but slightly more complex.
On my home laptop, I have a /etc/xinetd.d/mysqlfwd containing

    service mysqlfwd
    {
        type        = UNLISTED
        # could be 3306 as well if there will never be a MySQL server installed here
        port        = 3307
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = ports
        server      = /usr/local/bin/ports
        server_args = -s mysql@<mydomain>
    }

This mysql@<mydomain> denotes the SSH subsystem defined on the server. As mysql is not, and does not have, a defined subsystem name, I chose to define one by myself using [the appropriate Convention for Names](http://tools.ietf.org/html/rfc4250#section-4.6.1).
The used /usr/local/bin/ports is defined as

    #!/usr/bin/env python
    # Wraps ssh so that xinetd can hand each incoming connection to an
    # SSH subsystem on the server, multiplexed over one master connection.
    import subprocess
    import sys

    def ssh(*args, **opts):
        # Turn keyword options into -oKey=value arguments; booleans become
        # the yes/no words that ssh expects.
        yesno = {False: 'no', True: 'yes'}
        op = ["-o%s=%s" % (k, yesno.get(v, v)) for k, v in opts.items()]
        return subprocess.Popen(['ssh'] + op + list(args))

    def ssh_conn(*args, **opts):
        # Always talk to the dedicated "connect" user, with compression, and
        # share one control socket between the master and the clients.
        args = ['connect@myservernamehere', '-C'] + list(args)
        opts2 = dict(ControlPath='/tmp/ssh-%r@%h:%p')
        opts2.update(opts)
        return ssh(*args, **opts2)

    def master():
        # Start a backgrounded master connection that stays up for 15 hours.
        ssh_conn('-f', 'sleep', '15h', ControlMaster=True).wait()

    def client(*args):
        # Reuse the master connection; xinetd passes "-s mysql@<mydomain>"
        # here, and ssh inherits the accepted socket as stdin/stdout.
        ssh_conn(*args, ControlMaster=False).wait()

    def main():
        args = sys.argv[1:]
        if not args:
            master()
        else:
            client(*args)

    if __name__ == '__main__':
        main()

In the said server, there is a user named connect and, as said, a subsystem called mysql@<mydomain>. The latter is defined in /etc/ssh/sshd_config with the line

    Subsystem mysql@<mydomain> /usr/bin/netcat localhost 3306

The user connect exists just to have a platform to operate on and has, except accepting my "port forwarding key" via its ~/.ssh/authorized_keys, no special features, properties or such.
This way my server can keep its MySQL port private (not accessible from outside), but I have a way to connect to it nevertheless.
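As an added illustration (not part of the answer above), here is a server-side sshd_config fragment that limits what the connect account can do beyond the mysql@<mydomain> subsystem; the Match block is a hypothetical hardening and the option values are assumptions, not the answer author's configuration:

```text
# /etc/ssh/sshd_config on the server, next to the Subsystem line
Subsystem mysql@<mydomain> /usr/bin/netcat localhost 3306

# Hypothetical restrictions for the forwarding-only account only;
# settings for every other user are left untouched.
Match User connect
    # key from ~/.ssh/authorized_keys only, no password logins
    PasswordAuthentication no
    # no interactive terminal for this account
    PermitTTY no
    # only the configured subsystem, no -L/-R/-D tunnels
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

The Match block takes effect after sshd reloads its configuration, and the subsystem request from the xinetd-spawned client keeps working because none of these options affect subsystem execution.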
localhost?