Safe SSH tunnel based Mysql comms

Server:
Set up a dedicated tunnel user with key-based authentication (the /bin/false shell means the key can only be used for the tunnel, never for an interactive login):

useradd -s /bin/false myuser
mkdir /home/myuser/.ssh
touch /home/myuser/.ssh/authorized_keys
chown -R myuser:myuser /home/myuser/.ssh
chmod 755 /home/myuser/.ssh
chmod 600 /home/myuser/.ssh/authorized_keys

Client side:
Install the RPMforge repo and autossh:

rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
rpm -K rpmforge-release-0.5.2-2.el5.rf.*.rpm
rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm
sed -i "s/enabled = 1/enabled = 0/" /etc/yum.repos.d/rpmforge.repo
yum -y install --enablerepo=rpmforge autossh

Set up an RSA key pair as root on each client, leaving all questions blank:

root@local# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/root/.ssh/id_rsa.
Your public key has been saved in /var/root/.ssh/id_rsa.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX root@myhost.local

Now scp the public key to your server:

scp -P 22 /root/.ssh/id_rsa.pub root@myserver.com:/tmp/myuser.local_rsa.pub

On server: append it to the tunnel user's authorized_keys.

cat /tmp/myuser.local_rsa.pub >> /home/myuser/.ssh/authorized_keys
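The two server-side steps above (creating the locked-down user and appending the client's key) leave the key usable for any port forward the tunnel user's sshd allows. The following is an added example, not part of the original note, showing how to install the key with OpenSSH authorized_keys options that limit it to the one forward the tunnel needs (localhost:3306, matching the -L target used on the client) and with the permissions sshd's StrictModes check expects. The sample public key line is constructed and its key material is a placeholder; the function names are this example's own.

```shell
#!/bin/sh
# Added example: install a client public key for the tunnel user with
# authorized_keys options that confine it to a single port forward.
# Options used are standard sshd(8) authorized_keys options:
#   no-pty, no-X11-forwarding, no-agent-forwarding, permitopen="host:port"
# (newer OpenSSH also offers "restrict" as a shorthand that disables everything).

# Constructed sample public key line; the key material is a placeholder.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYMATERIAL root@myhost.local'

# restrict_key PUBKEY_LINE HOST:PORT
# Prints the key line prefixed with options that forbid a PTY, agent and X11
# forwarding and allow forwarding only to HOST:PORT. HOST must be spelled the
# way the client requests it in -L (here "localhost"), because sshd compares
# the permitopen host against the requested host name literally.
restrict_key() {
    pubkey=$1
    dest=$2
    # Refuse anything that does not look like "<type> <base64> [comment]"
    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "restrict_key: not a public key line" >&2; return 1 ;;
    esac
    printf 'no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s" %s\n' "$dest" "$pubkey"
}

# install_key SSH_DIR PUBKEY_LINE HOST:PORT
# Appends the restricted entry to SSH_DIR/authorized_keys, creating the file
# if needed, and enforces 700 on the directory and 600 on the file (sshd
# rejects group- or world-writable ones under StrictModes, the default).
# Returns 2 without writing if the same key material is already present.
install_key() {
    dir=$1
    line=$(restrict_key "$2" "$3") || return 1
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # Compare on "<type> <base64>" only, so a different comment does not
    # slip in a duplicate of the same key.
    keypart=$(printf '%s\n' "$2" | awk '{print $1" "$2}')
    if grep -qF "$keypart" "$dir/authorized_keys"; then
        echo "install_key: key already present" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$dir/authorized_keys"
}

# check_perms SSH_DIR
# Returns 0 when SSH_DIR is mode 700 and authorized_keys is mode 600
# (GNU stat). Useful as a post-install sanity check on the server.
check_perms() {
    [ "$(stat -c %a "$1")" = 700 ] && [ "$(stat -c %a "$1/authorized_keys")" = 600 ]
}
```

Run it as `install_key /home/myuser/.ssh "$(cat /tmp/myuser.local_rsa.pub)" localhost:3306` in place of the bare `cat >>` above; the directory and file must still be owned by the tunnel user (the `chown -R` from the server setup), which this example does not change.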

Client side:
Create /etc/init.d/startautossh on the client with the contents below. This example makes the server's MySQL port 3306 reachable on the client at localhost port 3307.


#!/bin/bash
# chkconfig: - 99 01   (assumed start/stop priorities; adjust to taste)
# description: persistent autossh tunnel to the remote MySQL port
# pidfile: /var/run/autossh.pid
# @since 2012-02-22 15:31:47
# @author Roderick Derks
# Source function library
. /etc/init.d/functions

prog="autossh"
autossh="/usr/bin/autossh"
RETVAL=0
# autossh reads AUTOSSH_PIDFILE from its environment and writes its pid there
AUTOSSH_PIDFILE=/var/run/autossh.pid
export AUTOSSH_PIDFILE

# Tunnel configuration
LOCAL_PORT_LISTEN=3307
REMOTE_DESTINATION_PORT=3306
USER=myuser
REMOTE_DESTINATION_IP=yourserver.com
REMOTE_SSH_SERVER_PORT=22

start() {
    echo -n $"Starting $prog: "
    if [ ! -e "$AUTOSSH_PIDFILE" ]; then
        # -M 0: no monitor port, rely on the ServerAlive* options to detect a dead link
        # -f: go to background once authentication is done
        # -N: no remote command, only the port forward
        $autossh -M 0 -q -f -N \
            -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \
            -L "$LOCAL_PORT_LISTEN:localhost:$REMOTE_DESTINATION_PORT" \
            -p "$REMOTE_SSH_SERVER_PORT" "$USER@$REMOTE_DESTINATION_IP"
        RETVAL=$?
    else
        RETVAL=1
        echo_failure
        echo " pid file still exists: $AUTOSSH_PIDFILE"
    fi
    echo
    [ $RETVAL -eq 0 ] && touch "/var/lock/subsys/$prog"
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc "$autossh"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f "/var/lock/subsys/$prog" && rm -f "$AUTOSSH_PIDFILE"
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    status)
        status "$autossh"
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status}"
        RETVAL=1
        ;;
esac
exit $RETVAL

Client side: make the script executable:

chmod +x /etc/init.d/startautossh
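Once the service is running, the one thing worth verifying on the client is that the forward from the init script listens on the loopback address only. `-L 3307:localhost:3306` binds 127.0.0.1:3307 by default, but a bind address of `0.0.0.0`/`*` (from a `-L *:3307:...` spec or `GatewayPorts yes` in ssh_config) would expose the MySQL forward to the whole network. The following is an added example, not part of the original note, that parses the `ss -ltn` listing (GNU iproute2 column layout) and reports whether every listener on the tunnel port is on loopback; the sample listings are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: confirm the autossh local listener is bound to loopback only.
# Input is the output of "ss -ltn"; the header line is skipped because its
# first column is not "LISTEN". Columns: State Recv-Q Send-Q Local Peer.

# Constructed sample: tunnel bound to IPv4 and IPv6 loopback (good).
GOOD_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:3307 0.0.0.0:*
LISTEN 0 128 [::1]:3307 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: the same tunnel additionally bound to the wildcard (bad).
BAD_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:3307 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3307 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# tunnel_binds PORT  (reads ss output on stdin)
# Prints every local address that listens on PORT, one per line.
tunnel_binds() {
    awk -v p=":$1" '$1 == "LISTEN" {
        addr = $4
        if (substr(addr, length(addr) - length(p) + 1) == p) print addr
    }'
}

# tunnel_is_local PORT  (reads ss output on stdin)
# Returns 0 if every listener on PORT is on a loopback address (127.x.x.x or
# [::1]), 1 if any listener is on a wildcard or routable address, and 2 if
# nothing listens on PORT at all (tunnel not up).
tunnel_is_local() {
    found=0
    bad=0
    for addr in $(tunnel_binds "$1"); do
        found=1
        case $addr in
            127.*|'[::1]:'*) ;;
            *) bad=1 ;;
        esac
    done
    [ $found -eq 1 ] || return 2
    [ $bad -eq 0 ]
}

# Real-world usage (not run here): ss -ltn | tunnel_is_local 3307 && echo "tunnel on loopback only"
```

Two related caveats for the init script: with `-M 0` autossh has no monitor channel of its own, so the `ServerAlive*` options are what detect a dead link, and adding `-o ExitOnForwardFailure=yes` makes ssh exit when it cannot bind the local port, so autossh sees a failure and retries instead of keeping a session that carries no forward.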

References:
http://www.r71.nl/kb/technical/348-autossh-init-script
http://tychoish.com/rhizome/persistent-ssh-tunels-with-autossh/
http://www.jbmurphy.com/2011/04/29/autossh-on-centos/
http://chxo.com/be2/20040511_5667.html