Standardised MySQL Access via SSH Tunnel for Workbench in Non-Production Environments

calendar Jun 21, 2025 · 2 min read · MySQL Workbench SSH  ·
Share on: linkedin copy

Current Issue & Security Risk

In the current UAT setup, a shared system account vmadmin is used for both SSH login to the VM and SSH tunneling for MySQL Workbench. Each trusted internal user (e.g., DevOps and Software Engineers, Support Team) uses a dedicated private SSH key with this account.

This account is configured with passwordless sudo privileges:

1vmadmin ALL=(ALL) NOPASSWD: ALL

This effectively grants full root-level access to the system.

Extending this model to external users (e.g., third-party vendors) introduces a serious security risk. Even if access is intended only for MySQL tunneling, using vmadmin would allow full VM login and administrative privileges — violating the principle of least privilege (POLP) and increasing the risk of accidental or malicious misuse.

Secure Approach & Standardisation

To mitigate this, a dedicated, non-interactive SSH user (workbench-user) has been introduced, designed specifically for MySQL access via SSH tunneling. This user:

  • Has no interactive shell (/bin/false)
  • Does not use SSH keys
  • Is restricted to password-authenticated tunneling only
  • Cannot log into the VM interactively

This setup, already implemented in pre-production, is now being standardised across all non-production environments (DEV, QA, UAT).

Each user is also provided with a dedicated MySQL account tied to an access profile (basic, standard, or maintenance), ensuring a clear separation between VM access and database access.

Therefore, this approach cleanly separates SSH login to the VM itself from MySQL Workbench access, ensuring consistent and secure practices across all non-production environments.

Implementation Steps

  1. Create a non-interactive user for MySQL SSH tunneling only
1sudo useradd -m -s /bin/false workbench-user   # no shell access
2sudo passwd workbench-user                     # enter a strong password
  1. Verify user creation:
1grep workbench-user /etc/passwd
2# Expected output: workbench-user:x:1005:1005::/home/workbench-user:/bin/false

Note: /bin/false means no interactive shell session, i.e., the user cannot log in to the VM via a terminal session.

  1. Restrict SSH access: Edit /etc/ssh/sshd_config and add:
1# Restrict workbench-user access to trusted VPN IP only
2AllowUsers workbench-user@<VPN_IP_address>
3
4## BEGIN WORKBENCH CONFIGURATION ###
5# Exclusive use of Workbench for 3rd-party users - add [date]
6Match User workbench-user
7  PasswordAuthentication yes
8  AuthenticationMethods password
9## END WORKBENCH CONFIGURATION ###

Note: In this setup, the MySQL database server is only reachable from a specific VPN IP address. This directive enforces IP whitelisting, ensuring that workbench-user can only authenticate from that trusted source.

  1. Restart SSH securely:
1sudo sshd -t  # Test config
2sudo systemctl restart sshd
3sudo systemctl status sshd