Sometimes corporate firewalls can be a real headache for developers. We had a situation today in which we needed to provide read-only access to a MySQL database, but had only ssh to the machine. We have a very strict user policy, so we weren't prepared to provide a shell account.

One quick and cunning way to provide MySQL monitor access without opening up the firewall or creating shell accounts is to create a user with /usr/bin/mysql as their shell.

  • Create a user with /usr/bin/mysql as the shell:
# useradd -m -s /usr/bin/mysql dev
# grep dev /etc/passwd
  • Drop a .my.cnf into the new user's home directory


  • Create a user and grants in the mysql database
mysql> CREATE USER 'dev'@'localhost' IDENTIFIED BY 'm3g4s3cr3t';

mysql> GRANT SELECT ON *.* TO 'dev'@'localhost';

Now when a user connects to the machine as the dev user, over ssh, they drop straight into a mysql monitor, with restricted privileges.
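The page does not show the contents of the .my.cnf from the second step. As an added example (not the original author's file), the script below writes one on the assumption that it holds a `[client]` section with the dev credentials created above, then checks that the account's shell and the file's permissions are as intended. The helper names `write_client_cnf` and `audit_account` and the scratch paths are hypothetical.

```shell
#!/bin/sh
# Added example. The [client] contents are an assumption: the page names the
# file but does not show it. Paths and the sample passwd line are constructed.

# write_client_cnf HOME_DIR DB_USER DB_PASSWORD
# Creates HOME_DIR/.my.cnf readable only by its owner.
write_client_cnf() {
    cnf="$1/.my.cnf"
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\nhost=localhost\n' "$2" "$3" > "$cnf" )
    chmod 600 "$cnf"
}

# audit_account PASSWD_FILE LOGIN HOME_DIR
# Returns 0 when LOGIN's shell is /usr/bin/mysql and .my.cnf is private.
audit_account() {
    rc=0
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    if [ "$shell" != "/usr/bin/mysql" ]; then
        echo "FAIL: login shell is '${shell:-unset}', expected /usr/bin/mysql"
        rc=1
    fi
    cnf="$3/.my.cnf"
    if [ ! -f "$cnf" ]; then
        echo "FAIL: $cnf is missing"
        rc=1
    elif [ "$(ls -ld "$cnf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $cnf is accessible to group or others (holds the DB password)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $2"
    return "$rc"
}

# Demo against a scratch directory instead of the real /etc/passwd and /home.
demo_dir=$(mktemp -d)
echo 'dev:x:1001:1001::/home/dev:/usr/bin/mysql' > "$demo_dir/passwd"
write_client_cnf "$demo_dir" dev 'm3g4s3cr3t'
audit_account "$demo_dir/passwd" dev "$demo_dir"
rm -rf "$demo_dir"
```

On the real host, run `write_client_cnf` as root against the dev user's home directory and then chown the file to dev so the client can read it.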

Many thanks to James Sheridan for this tip.