feat(connect): add --server-name flag for tunneled connections #678
base: main
Allows specifying the server name sent in the TDS LOGIN7 packet separately from the dial address. Fixes connections through SSH tunnels or proxies to Azure SQL where the server validates hostname. Refs: microsoft#576
@microsoft-github-policy-service agree
Pull request overview
Adds support for overriding the server name used during TDS login (and related connection metadata) so sqlcmd can connect through tunnels/proxies (e.g., 127.0.0.1:11433) while authenticating as the real Azure SQL hostname.
Changes:
- Introduces `ConnectSettings.ServerNameOverride` and applies it when building the connection string.
- Adds a `proxyDialer` to rewrite the actual dial target while keeping the overridden server name for login.
- Adds unit tests covering the new connection string behavior and dialer behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/sqlcmd/connect.go | Adds ServerNameOverride and applies it during connection string construction. |
| pkg/sqlcmd/sqlcmd.go | Attempts to attach a custom dialer when ServerNameOverride is set. |
| pkg/sqlcmd/dialer.go | Implements a dialer that rewrites dial host/port while reporting an overridden hostname. |
| pkg/sqlcmd/dialer_test.go | Adds unit tests for proxyDialer. |
| pkg/sqlcmd/sqlcmd_test.go | Extends connection string tests to cover ServerNameOverride. |
| var connector *mssql.Connector | ||
| useAad := !connect.sqlAuthentication() && !connect.integratedAuthentication() | ||
| if connect.RequiresPassword() && !nopw && connect.Password == "" { | ||
| var err error |
Copilot
AI
Jan 30, 2026
connector is now typed as *mssql.Connector, but the AAD path calls GetTokenBasedConnection(...) which currently returns driver.Connector (see pkg/sqlcmd/azure_auth.go). This will cause a type mismatch/compile error and also makes it hard to support ServerNameOverride for AAD connectors. Consider keeping connector as driver.Connector and only type-asserting to *mssql.Connector when setting Dialer (or update GetTokenBasedConnection to return *mssql.Connector consistently).
| // ServerNameOverride specifies the server name to use in the login packet. | ||
| // When set, the actual dial address comes from ServerName, but this value | ||
| // is sent in the TDS login packet for server validation. | ||
| ServerNameOverride string |
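Review bot: The doc comment on ServerNameOverride does not say which name TLS certificate validation uses when ServerName and ServerNameOverride differ, nor what an unset value means. It only covers the "When set" case and the TDS login packet. Please extend the comment to state the behaviour for an empty string and whether the certificate host name is checked against ServerName or ServerNameOverride, since the two now point at different hosts.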
Copilot
AI
Jan 30, 2026
PR description/title mention adding a --server-name flag, but the repo currently has no CLI flag wiring for this new ConnectSettings.ServerNameOverride field (searching cmd/ shows no references). As-is, the new behavior is not reachable from the shipped sqlcmd commands; please add the flag (and help text) in the Cobra command(s) and map it into ConnectSettings.
Problem

When connecting to Azure SQL through an SSH tunnel or proxy (e.g., `127.0.0.1:11433`), connections fail because SQL Server validates the hostname in the TDS LOGIN7 packet. The server receives `127.0.0.1` as the server name and rejects it with "Cannot open server '127.0.0.1' requested by the login".

Current workaround requires adding `/etc/hosts` entries mapping the real server name to 127.0.0.1.

Fixes #576

Solution

Add a `--server-name` flag that specifies the server name to send in the login packet, separate from the dial address (`-S`).

```
# Connect via tunnel on localhost:11433, authenticate as the real server
sqlcmd -S 127.0.0.1,11433 --server-name myserver.database.windows.net \
  -U myuser -P mypass -N -C
```

Implementation

- `ServerNameOverride` field to `ConnectSettings`
- `-S` host/port
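Added example, not code from this pull request: a standard-library sketch of the split the description relies on, where the TCP connection goes to the tunnel endpoint while a separate host name is reported for the login. The names `tunnelDialer`, `newTunnelDialer` and `dialFunc`, the validation rule for the server name, and the way a driver would consume `HostName` are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// dialFunc matches net.Dialer.DialContext so a fake can be injected.
type dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// tunnelDialer (hypothetical name) sends every connection to tunnelAddr and
// reports serverName as the host the driver should present in the login.
type tunnelDialer struct {
	tunnelAddr string // local end of the tunnel, e.g. "127.0.0.1:11433"
	serverName string // real server, e.g. "myserver.database.windows.net"
	dial       dialFunc
}

func newTunnelDialer(tunnelAddr, serverName string, dial dialFunc) (*tunnelDialer, error) {
	if _, _, err := net.SplitHostPort(tunnelAddr); err != nil {
		return nil, fmt.Errorf("tunnel address %q: %w", tunnelAddr, err)
	}
	// Assumed rule: the login name is an identity, so reject ports, instances, spaces.
	if serverName == "" || strings.ContainsAny(serverName, ":,\\ \t") {
		return nil, errors.New("server name must be a bare host name")
	}
	if dial == nil {
		dial = (&net.Dialer{}).DialContext
	}
	return &tunnelDialer{tunnelAddr: tunnelAddr, serverName: serverName, dial: dial}, nil
}

// DialContext ignores the requested address and always dials the tunnel.
func (d *tunnelDialer) DialContext(ctx context.Context, network, _ string) (net.Conn, error) {
	return d.dial(ctx, network, d.tunnelAddr)
}

// HostName returns the name to present in the login, not the dial target.
func (d *tunnelDialer) HostName() string { return d.serverName }

func main() {
	d, err := newTunnelDialer("127.0.0.1:11433", "myserver.database.windows.net", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("dial:", d.tunnelAddr, "login as:", d.HostName())
}
```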