frisco
February 3rd, 2004, 15:06
Let's say i have two machines, one running mysql and the other just a remote server. The remote server can only access the mysql server via ssh. No problem, i can set up an ssh tunnel to the mysql server so i can still make mysql connections. But if i do that then anyone on the remote server can try to connect to the mysql server. Assuming i do not have root on the remote machine (else i could use firewall to restrict username/port), is there a way i can only allow my user to use the ssh tunnel?

soup4you2
February 3rd, 2004, 15:27
why not have mysql skip networking and use a UNIX sock file and nfs export that across the network..

blackmilk
February 3rd, 2004, 15:29
If you're using pf, use the syntax below at the end of the rule:

user your-username
group your-group

I believe you can use GIDs and UIDs too..

ie:

pass in log proto tcp from any to ($ext_if) port $ftp_local keep state (max 10) group wheel

frisco
February 3rd, 2004, 15:40
why not have mysql skip networking and use a UNIX sock file and nfs export that across the network..

b/c i want a mechanism that would work for any protocol, and i like the network security in ssh.

EDIT:
one other problem is this may require root access on the remote machine as well, in order to mount the nfs partition. plus requires nfs running on the mysql server, but i may only have ssh open on that machine.

frisco
February 3rd, 2004, 15:42
If you're using pf, use the syntax below at the end of the rule:

Yes, i know but as i mentioned i don't want to assume root access on the machine.

soup4you2
February 3rd, 2004, 16:27
If you're using pf, use the syntax below at the end of the rule:

user your-username
group your-group

I believe you can use GIDs and UIDs too..

ie:

pass in log proto tcp from any to ($ext_if) port $ftp_local keep state (max 10) group wheel

that's pretty cool, i didn't know you could do that..

blackmilk
February 3rd, 2004, 16:42
oh ok I was wrong, sorry.

Umm, neither did I until I read Absolute OpenBSD, though some things seem incorrect (loginterface for example!)

Forgive me for being...ugh... new

You're creating an ssh tunnel to access the mysql server, do you have root on the mysql server?

If so, you can set up rules to only allow connections from localhost (based on the assumption that you can access the mysql server on the localhost..), then why not set up sshd and use that current connection to gain access?

Am I anywhere close... if not I'll quit shooting in the dark :/ Apologies for the thread poison.
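One way to get what the original question asks for (only the tunnel owner can use the tunnel, no root on the remote box, no pf rule) is to make the local end of the forward a Unix-domain socket inside a directory only that user can enter, instead of a TCP port on 127.0.0.1 that every local user can reach. This is an added example, not code from anyone in the thread; it assumes an OpenSSH new enough to accept a socket path as the local side of -L (6.7 or later), and the host name, user name and paths are placeholders.

```shell
#!/bin/sh
# Added example: a per-user ssh tunnel to mysql that other local users
# cannot connect to. The local end of the forward is a Unix socket in a
# mode-0700 directory, so only its owner (and root) can open it, which is
# the same effect as a pf "user" rule but needs no root on the remote host.
# Assumes OpenSSH >= 6.7 (socket form of -L) and mysql listening on
# 127.0.0.1:3306 on the database host. Names below are placeholders.

set -u

# Create (or fix up) a directory that only the calling user can enter and
# print its path. Refuses to continue if the mode is not exactly drwx------.
make_private_sockdir() {
    dir="$1"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwx------" ] || { echo "unexpected mode $mode on $dir" >&2; return 1; }
    printf '%s\n' "$dir"
}

# Build the ssh command line for the tunnel. It is only printed here so it
# can be inspected and tested; run it with $(tunnel_cmd ...) &.
# -N           : no remote command, just the forward
# StreamLocalBindUnlink=yes : remove a stale socket left by a previous run
# -L sock:127.0.0.1:3306    : local socket -> mysql port on the far side
tunnel_cmd() {
    sock="$1"; mysql_host="$2"; ssh_user="$3"
    printf 'ssh -N -o StreamLocalBindUnlink=yes -L %s:127.0.0.1:3306 %s@%s\n' \
        "$sock" "$ssh_user" "$mysql_host"
}

# Usage (not executed automatically):
#   dir=$(make_private_sockdir "$HOME/.tunnels")
#   $(tunnel_cmd "$dir/mysql.sock" db.example.org alice) &
#   mysql --socket="$dir/mysql.sock" -u dbuser -p
```

The mysql client connects through the socket with --socket, so no TCP port is ever opened on the remote machine. The directory mode is what does the work: the socket itself inherits the umask, but a 0700 parent directory denies every other unprivileged user the path lookup regardless of the socket's own mode. If the database host runs mysql with skip-networking, the same mechanism works with the remote side of -L pointed at the server's own socket path instead of 127.0.0.1:3306.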