Debian/Ubuntu Tips and Tricks

Debuntu

Ssh Port Forwarding and “channel 3: open failed: connect failed: Connection refused”

Posted by chantra on October 16th, 2006

In relation to a tutorial I previously wrote on how to connect to a remote MySQL server by forwarding a port with ssh, I found out that some distributions, like Debian sarge, were not using a default configuration that allows you to do that.
People who get an error like:

ERROR 2013 (HY000): Lost connection to MySQL server during query

or

channel 3: open failed: connect failed: Connection refused

might find an answer to their problem.

By default and for security reasons, Linux distributions don't make the mysqld server accessible from the outside. There are actually 2 ways to achieve this:

  1. binding the service to the address 127.0.0.1; this is the default on Ubuntu
  2. skipping networking: in that case, only local (non-TCP/IP) connections are allowed, and on Unix connections are made through a Unix socket. This is the default on Debian sarge

For the first solution, you need to add the following directive to the [mysqld] section of /etc/mysql/my.cnf:

bind-address = 127.0.0.1

The second solution uses:

skip-networking

instead.

While you can connect to a localhost server that skips networking, just as you could to a server that only listens on the 127.0.0.1 address, using:

$ mysql -u root -p -h localhost

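you cannot connect to it through an ssh tunnel with port forwarding. The mysql client uses the Unix socket for -h localhost, whereas the tunnel is forwarded as a TCP connection, and with skip-networking no TCP port is listening. You will get an error like: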

channel 3: open failed: connect failed: Connection refused

on the remote host, and:

ERROR 2013 (HY000): Lost connection to MySQL server during query

on the client host.

So, in order to connect to a remote MySQL server that is only accessible from localhost, comment out the directive:

skip-networking

and replace it with:

bind-address = 127.0.0.1

This will not make your server less secure (as the service won't be accessible from the outside), and you will be able to access your database server remotely with tools like mysql-query-browser or mysql-administrator through an ssh tunnel.

Hope this helped.
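
The check below is an added example, not code from the original post: it reads the [mysqld] section of a my.cnf and reports whether an ssh -L tunnel can reach the server and which host:port to forward to. The sample configuration and the names mysqld_options and tunnel_target are constructed for illustration, and it goes slightly beyond the post by also handling a bind-address other than 127.0.0.1.

```python
import ipaddress

# Constructed sample: a my.cnf with the Debian sarge default the post describes.
SARGE_CNF = """\
[client]
port = 3306

[mysqld]
port = 3306
# bind-address = 127.0.0.1
skip-networking
"""

def mysqld_options(cnf_text):
    """Return {option: value or None} for the [mysqld] section of a my.cnf."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        if not line or line[0] in ";!":          # ';' comments and !include lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld":
            key, _, value = line.partition("=")
            # mysqld treats '-' and '_' in option names as equivalent
            opts[key.strip().replace("_", "-")] = value.strip() or None
    return opts

def tunnel_target(cnf_text):
    """Return (listener, target): how mysqld listens and the host:port for ssh -L."""
    opts = mysqld_options(cnf_text)
    if "skip-networking" in opts:
        return ("no-tcp", None)                  # socket only: the forward is refused
    addr = opts.get("bind-address") or "*"       # unset means all interfaces
    port = opts.get("port") or "3306"
    if addr in ("*", "0.0.0.0", "::"):
        return ("all-interfaces", f"127.0.0.1:{port}")  # also reachable from outside
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:                           # bind-address given as a host name
        loopback = addr == "localhost"
    host = f"[{addr}]" if ":" in addr else addr  # ssh -L wants IPv6 in brackets
    return ("loopback-only" if loopback else "single-address", f"{host}:{port}")

if __name__ == "__main__":
    print(tunnel_target(SARGE_CNF))
    print(tunnel_target(SARGE_CNF.replace("skip-networking", "bind-address = 127.0.0.1")))
```

On a real server, pass in the contents of /etc/mysql/my.cnf; files pulled in through !includedir are not followed.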

4 Responses to “Ssh Port Forwarding and “channel 3: open failed: connect failed: Connection refused””

  1. I grappled with this issue for several hours yesterday and this post helped a lot-- thank you. I eventually got it working by matching the "remote address" in the SSH command to the bind-address value in the my.cnf file on the remote server. For most people, the bind-address value is 127.0.0.1, but I have my MySQL server bound to a local network address (192.168.0.x). The correct command for me, therefore, was:

    ssh -v -f -N -L 3307:192.168.0.1:3306 user@host.server.com

    It seems that the "remote address" in the SSH command is the value used by MySQL to associate the tunneled user with an IP address. Depending on your configuration, MySQL likely either refuses connections from remote IPs or only allows the user you are logging in as to log in from localhost. Since we can't self-identify as "localhost" (we have to force TCP activity) we need to use an IP address, and that IP address needs to be whatever MySQL identifies as its own. This is the value of bind-address. In many cases, this is going to be 127.0.0.1 (that's why you see this proposed solution everywhere), but that's not always the case. Check your bind-address value!

    In short, if you're getting an error in the "Channel x open failed: connect failed: Connection refused" universe, make sure that the "remote address" in your ssh command matches the bind-address value on your remote machine.

    Here are my full notes from yesterday: http://themetricsystem.rjmetrics.com/2009/01/06/php-mysql-and-ssh-tunneling-port-forwarding/

    I hope this is helpful to someone.
