Goal: I want to SSH tunnel into a MySQL DB hosted in RDS in a private subnet via an EC2 instance that has access to that private subnet.
Steps:
I followed the steps outlined in the docs [here](https://docs.retool.com/data-sources/guides/connections/ssh-tunnels#debug-common-connection-errors)
When that failed, I found [this thread](https://community.retool.com/t/issues-with-connecting-retool-app-to-my-rds-instance-in-private-subnet-aws/35065), and edited my sshd_config file to remove the Include line and to make the PubKey line the first line of my sshd_config file per the "solution" in the thread. I'm still getting "All configured authentication methods failed" when I test the connection in Retool.
I can tunnel in successfully via DBeaver and access my DB in RDS via my application server on the EC2 instance, so I've ruled out network configuration/security group issues.
The only difference between my DBeaver tunnel and this one is the key pair. The one issued by AWS works and this one is giving me problems.
All configured authentication methods failed errors should result in more information in your SSH logs since that's just the server saying no. Can you include those for a window where you test the connection? Also can you confirm the retool user setup on your server in terms of their .ssh/authorized_keys file permissions?
No prob! Hmm, those look fine. Assuming you're on Amazon Linux based on the user, it's most likely just another discrepancy with the accepted key types from its default SSH configuration, like I've seen in several other instances. You can try enabling more verbose logging or continue tweaking the SSH config, but I'd just use an Ubuntu bastion. Its defaults have always worked fine for me from any Retool instance I've tried, including running a quick test from yours (just need to add `PubkeyAcceptedKeyTypes +ssh-rsa` to the config and restart the service).
Spinning up a new EC2 instance just to serve as my bastion host is not an option. I've figured out that Amazon Linux no longer supports SSH-RSA keys (see here: Security updates and features - Amazon Linux 2023).
As long as I can't bring my own key pair (or if Retool doesn't update their algorithm), nobody will be able to SSH tunnel into Amazon Linux EC2 instances. This should be a super high priority for Retool's dev team...
Is the article you linked to just noting that it now doesn't accept ssh-rsa by default? Spinning up a new Amazon Linux 2023 instance, I expectedly see the connection rejected before adding the key type to the SSH config. However, it works fine after adding it and restarting the service.
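The two checks the replies above keep coming back to (does sshd's config list `ssh-rsa` among the accepted public-key algorithms, and are the tunnel user's `.ssh` permissions acceptable to sshd's default StrictModes) can be scripted so they run the same way on every host. The following POSIX shell script is an added example written for this thread; it is not code from Retool or from any of the posters. It assumes GNU or BSD `stat`, runs against a config file path you pass in (so you can dry-run it on a copy before touching `/etc/ssh/sshd_config`), and ends with a constructed scratch config and home directory that stand in for the real ones. The directive is prepended rather than appended because sshd uses the first value it sees for a keyword, which is the behaviour behind the "make it the first line" advice in the linked thread; `PubkeyAcceptedKeyTypes` is still accepted by current OpenSSH as the old name for `PubkeyAcceptedAlgorithms`, so the check handles both spellings.

```shell
#!/bin/sh
# Added example: check and apply the two fixes discussed in this thread.
# 1) sshd must list ssh-rsa in PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms
# 2) the tunnel user's home, ~/.ssh and authorized_keys must not be group/world
#    writable (sshd's StrictModes, on by default, rejects the key otherwise)

# Return 0 if the config file explicitly lists ssh-rsa as an accepted
# public-key signature algorithm (either directive name). A "-ssh-rsa"
# removal or ssh-rsa-cert entries do not count.
config_lists_ssh_rsa() {
    conf="$1"
    grep -Ei '^[[:space:]]*Pubkey(AcceptedKeyTypes|AcceptedAlgorithms)[[:space:]]' "$conf" \
        | grep -Eq '(^|[+,[:space:]])ssh-rsa([,[:space:]]|$)'
}

# Prepend the directive unless ssh-rsa is already listed. Prepending matters:
# sshd keeps the first value it reads for a keyword, so a line placed after an
# Include or an earlier PubkeyAccepted* setting would be silently ignored.
enable_ssh_rsa() {
    conf="$1"
    config_lists_ssh_rsa "$conf" && return 0
    tmp="$conf.tmp.$$"
    { printf 'PubkeyAcceptedKeyTypes +ssh-rsa\n'; cat "$conf"; } > "$tmp" && mv "$tmp" "$conf"
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 1 if the group or other digit of the mode carries the write bit.
not_writable_by_others() {
    case "$(mode_of "$1")" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;
    esac
    return 0
}

# Return 0 if authorized_keys exists and home, ~/.ssh and the file are all
# free of group/world write permission (700 / 600 is the conventional setup).
ssh_dir_perms_ok() {
    home="$1"
    [ -f "$home/.ssh/authorized_keys" ] || return 1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        not_writable_by_others "$p" || return 1
    done
    return 0
}

# --- Constructed demo data (not a real host) -------------------------------
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/sshd_config"
# Constructed minimal config resembling a default that does not list ssh-rsa,
# which is the situation reported in the thread.
printf 'Include /etc/ssh/sshd_config.d/*.conf\nPubkeyAuthentication yes\n' > "$demo_conf"

if config_lists_ssh_rsa "$demo_conf"; then
    echo "ssh-rsa already accepted in $demo_conf"
else
    echo "ssh-rsa not listed in $demo_conf; adding directive as first line"
    enable_ssh_rsa "$demo_conf"
fi

# Constructed home directory for the tunnel user, set up the conventional way.
demo_home="$demo_dir/home/retool"
mkdir -p "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home" "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"

if ssh_dir_perms_ok "$demo_home"; then
    echo "permissions under $demo_home are acceptable to StrictModes"
else
    echo "permissions under $demo_home would make sshd ignore authorized_keys"
fi
```

On a real host, run the config check against `/etc/ssh/sshd_config`, validate with `sshd -t` before restarting the service, and confirm the effective value afterwards with `sshd -T | grep -i pubkeyaccepted`, since `sshd -T` shows the merged result of the main file and any Include'd files. Keep in mind that `+ssh-rsa` re-enables RSA signatures made with SHA-1 server-wide; sshd supports `PubkeyAcceptedAlgorithms` inside a `Match User` block, so the relaxation can be limited to the tunnel user if the rest of the host should keep the stricter default.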
Is there a way I can download the private key somewhere to test the SSH connection using the retool keypair outside of the resource configuration page/in my terminal?
The private key is encrypted in the DB and we don't have access, but the key pair works fine when testing it against my example server, and it should work the same if you generated your own to test with.
I'm not having issues just using the defaults below, even removing whatever additional configurations that come through Include statements.