Can't SSH tunnel into RDS instance in private subnet

  • Goal: I want to SSH tunnel into a MySQL DB hosted in RDS in a private subnet via an EC2 instance that has access to that private subnet.

  • Steps:
    I followed the steps outlined in the docs [here](https://docs.retool.com/data-sources/guides/connections/ssh-tunnels#debug-common-connection-errors)

When that failed, I found [this thread](https://community.retool.com/t/issues-with-connecting-retool-app-to-my-rds-instance-in-private-subnet-aws/35065), and edited my sshd_config file to remove the Include line and to make the PubKey line the first line of my sshd_config file per the "solution" in the thread. I'm still getting "All configured authentication methods failed" when I test the connection in Retool.

I can tunnel in successfully via DBeaver and access my DB in RDS via my application server on the EC2 instance, so I've ruled out network configuration/security group issues.

The only difference between my DBeaver tunnel and this one is the key pair. The one issued by AWS works and this one is giving me problems.

Sorry, this is the thread I actually referred to where it talked about editing the sshd_config file: Unable to connect AWS Postgres database using ssh tunnel - #12 by Mafuj_Jia

Can anyone weigh in here? I'm still unable to get the SSH tunneling to work... going to have to abandon Retool if I can't get this to work.

@jmann Any ideas here?

"All configured authentication methods failed" errors should result in more information in your SSH logs, since that's just the server saying no. Can you include those for a window where you test the connection? Also, can you confirm the retool user setup on your server in terms of their .ssh/authorized_keys file permissions?

Thanks for getting back to me so quickly @jmann! Please see my SSH logs below:

And here are the permissions for the retool user's .ssh/authorized_keys file:

No prob! Hmm, those look fine. Assuming you're on Amazon Linux based on the user, it's most likely just another discrepancy with the accepted key types from its default SSH configuration, like I've seen in several other instances. You can try enabling more verbose logging or continue tweaking the SSH config, but I'd just use an Ubuntu bastion. Its defaults have always worked fine for me from any Retool instance I've tried, including running a quick test from yours (just need to add `PubkeyAcceptedKeyTypes +ssh-rsa` to the config and restart the service).

Spinning up a new EC2 instance just to serve as my bastion host is not an option. I've figured out that Amazon Linux no longer supports SSH-RSA keys (see here: Security updates and features - Amazon Linux 2023).

As long as I can't bring my own key pair (or if Retool doesn't update their algorithm), nobody will be able to SSH tunnel into Amazon Linux EC2 instances. This should be a super high priority for Retool's dev team...

Is the article you linked to just noting that it now doesn't accept ssh-rsa by default? Spinning up a new Amazon Linux 2023 instance, I expectedly see the connection rejected before adding the key type to the SSH config. However it works fine after adding and restarting the service.

It's on our roadmap to support other key types for resources using SSH tunnels, but hasn't been tackled yet with other development priorities.

I'm just perplexed because I've verified that the key type is added to my sshd config, but I still can't get my tunnel to work.

Is there a way I can download the private key somewhere to test the SSH connection using the Retool key pair outside of the resource configuration page, i.e. in my terminal?

Here are the more verbose logs from my failed SSH attempt using Retool.

The private key is encrypted in the DB and we don't have access, but the key pair works fine testing it against my example server. And should work the same if you generated your own to test with.

I'm not having issues just using the defaults below, even removing whatever additional configurations that come through Include statements.
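Two offline checks for the things this thread keeps circling around (the position of the `PubkeyAcceptedKeyTypes +ssh-rsa` line relative to `Include`, and the retool user's `.ssh/authorized_keys` permissions), as an added example that is not code from the thread or from Retool. It assumes an OpenSSH-style sshd_config and a GNU or BSD `stat`; `Match` blocks are not handled.

```shell
#!/bin/sh
# sshd uses the FIRST value it obtains for a keyword, and Include pulls files in
# at the point where the Include line sits, so an ssh-rsa line placed after the
# Include can be silently shadowed by a directive in an included file.

# check_sshd_rsa FILE -> 0 if the first PubkeyAccepted* directive enables
# ssh-rsa and no Include precedes it; 1 otherwise (reason on stdout).
check_sshd_rsa() {
  cfg="$1"
  inc=$(grep -niE '^[[:space:]]*Include[[:space:]]' "$cfg" | head -n1 | cut -d: -f1)
  # PubkeyAcceptedKeyTypes is an alias of PubkeyAcceptedAlgorithms (OpenSSH 8.5+).
  first=$(grep -niE '^[[:space:]]*PubkeyAccepted(KeyTypes|Algorithms)[[:space:]]' "$cfg" | head -n1)
  [ -n "$first" ] || { echo "no PubkeyAccepted* directive at all"; return 1; }
  line=${first%%:*}
  value=$(printf '%s\n' "${first#*:}" | awk '{print $2}')
  case "$value" in
    -*)        echo "line $line removes algorithms, does not add ssh-rsa"; return 1 ;;
    *ssh-rsa*) ;;
    *)         echo "line $line lists no ssh-rsa: $value"; return 1 ;;
  esac
  if [ -n "$inc" ] && [ "$inc" -lt "$line" ]; then
    echo "ssh-rsa on line $line but Include on line $inc comes first and may shadow it"
    return 1
  fi
  echo "ok: ssh-rsa enabled on line $line"
}

# check_authorized_keys HOME -> 0 if HOME, HOME/.ssh and the authorized_keys
# file exist and none is group- or world-writable (what StrictModes enforces).
check_authorized_keys() {
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
    g=$(printf '%s' "$mode" | tail -c 2 | head -c 1)   # group octal digit
    o=$(printf '%s' "$mode" | tail -c 1)               # other octal digit
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
      echo "$p is group/world-writable ($mode); sshd will refuse it"
      return 1
    fi
  done
  echo "ok: permissions under $1/.ssh are acceptable"
}
```

Run `check_sshd_rsa /etc/ssh/sshd_config` and `check_authorized_keys /home/retool` on the bastion; `sshd -T | grep -i pubkeyaccepted` then shows the effective value sshd actually resolved.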