What is SSH Port Forwarding and How It Works

SSH stands for Secure SHell and is typically used as an encrypted version of telnet. SSH allows you to access a remote server's shell without compromising security. In a telnet session all communications, including username and password, are transmitted in plain-text, allowing anyone with adequate resources to listen-in on your session and steal passwords and other information. Such sessions are also susceptible to session hijacking, where a malicious user takes over your session once you have authenticated. SSH serves to prevent such vulnerabilities.

When a mysql client communicates with the MySQL server, all communication (with the exception of the user password) is done in plain text. What this means is that if an unscrupulous individual gets between your client and the server, they can have full access to all information transmitted. In order to protect your information you need to encrypt communications between the MySQL server and the GUI client.

SSH can be used to encrypt communications between the client and server. This is known as SSH port forwarding or SSH tunneling. One benefit of SSH port forwarding is that we can connect to a MySQL server from behind a firewall when the MySQL server port is blocked.

SSH will listen on a specified port on the client machine, encrypt the data it receives, and forward it to the remote SSH host on port 22 (the SSH protocol port). The remote SSH host will then decrypt the data and forward it to the MySQL server. The SSH host and the MySQL server do not have to be on separate machines, but separate SSH and MySQL servers are supported.

Requirements for SSH and MySQL

To perform port forwarding between a MySQL client application and the MySQL server, you will need a SSH login account for port forwarding. This account needs to either be located on the server running MySQL, or on a machine that can be accessed remotely via SSH and which in turn has network access to the MySQL server.

How to set up connection to remote MySQL server using SSH port forwarding

1. Double-click the "Add connection" icon on Task panel.

2. Enter the MySQL properties

In this example, we are specifying that port 3306 on your client machine should be forwarded to the remote server. If the port 3306 is already used (i.e. for local MySQL server), change the source port setting to any value > 1024. To check ports availability, start the Windows command line client and enter netstat -a.

When the remote SSH host is on a different machine than the MySQL server, replace with the IP address of the MySQL server (relative to the SSH host). Never use "localhost" for hostname.

Note that the username and password used on this page are the values of your MySQL account and NOT SSH shell access

3. Set up SSH connection

MySQL port is a remote port that will be forwarded to the local port entered on previous page. All other values are your SSH shell access settings.

4. Click OK to Save settings.

5. Double-click the new connection to connect to remote MySQL server.


If you have never used SSH shell with this server before, you will be probably see a PuTTy security alert. Click Yes to update register registry keys. Wait for the timeout (30 s by default) and try again.

If you see the SQL message "Connection lost during query", that means, that TCP networking is not allowed in my.cnf settings and your MySQL server doesn't listen on a TCP/IP port at all. This can be a security enhancement, if all processes that need to connect to mysqld run on the same host. All interaction with mysqld must be made via Unix sockets or named pipes. Your MySQL is very secure, but you can manage it only via SSH terminal command line and never over TCP/IP

However, if you have full access to the server, you can edit my.cnf to allow communication over TCP/IP