Not able to set up a connection from Retool to MongoDB via SSH tunnel [Urgent]

Hi Team,

  • Goal: We are trying to connect our MongoDB database to a Retool resource using an SSH tunnel (Ubuntu machine)
  • Steps:
  1. I am currently trying with an Ubuntu machine; earlier I tried with Amazon Linux as well. This is the document I followed: (Configure SSH tunneling for resources | Retool Docs). I kept all the ports open for now.
  2. Right now when I am printing the logs I am getting this error.
  3. I am able to connect through MongoDB Compass via the SSH tunnel.
  4. As mentioned earlier, I tried everything with Amazon Linux as well, but there I was getting different errors. Here I am getting a different error.

Urgently looking for help as I have been stuck on this for 3 days and have spent countless hours.


@Kabirdas

@retool_team

Hi @Utkarsh_Agarwal! Welcome to the community. :wave: Let's see if we can get you unblocked.

The first thing we're going to do is update the password for the retool user. You can do this by running the command sudo passwd retool. Go ahead and choose a new password at this point - it can be anything, as we're going to disable it for SSH in the next step.

The above should effectively unlock the user. Now we need to edit the file at /etc/ssh/sshd_config. Specifically, we want to set the value of PasswordAuthentication to no. Make the necessary edits, save the file, and then restart the SSH server with the command service ssh restart or service sshd restart.

At this point I think you should be good to go. Try to connect to your MongoDB resource!

Hey @Darren
In the past few days I have made some updates and these are the current logs

2024-09-19T04:21:26.439912+00:00 ip-172-31-35-133 sshd[1021]: Accepted publickey for retool from 35.90.103.132 port 21441 ssh2: RSA SHA256:B8yPekhr4QEznaDEwtvP15AkR+mb9/iopQ3xdPoz5V8
2024-09-19T04:21:26.443121+00:00 ip-172-31-35-133 sshd[1021]: pam_unix(sshd:session): session opened for user retool(uid=1003) by retool(uid=0)
2024-09-19T04:21:26.456379+00:00 ip-172-31-35-133 systemd-logind[511]: New session 4 of user retool.
2024-09-19T04:21:26.477228+00:00 ip-172-31-35-133 (systemd): pam_unix(systemd-user:session): session opened for user retool(uid=1003) by retool(uid=0)
2024-09-19T04:21:26.949651+00:00 ip-172-31-35-133 sshd[1081]: Received disconnect from 35.90.103.132 port 21441:11:
2024-09-19T04:21:26.949816+00:00 ip-172-31-35-133 sshd[1081]: Disconnected from user retool 35.90.103.132 port 21441
2024-09-19T04:21:26.950219+00:00 ip-172-31-35-133 sshd[1021]: pam_unix(sshd:session): session closed for user retool
2024-09-19T04:21:26.954112+00:00 ip-172-31-35-133 systemd-logind[511]: Session 4 logged out. Waiting for processes to exit.
2024-09-19T04:21:26.955501+00:00 ip-172-31-35-133 systemd-logind[511]: Removed session 4.

I tried everything and nothing is working. Same issue if using Linux machine.

Is this the /var/log/auth.log file that you've shared? If I'm reading this correctly, it looks like Retool is successfully connecting and establishing a new session but then immediately disconnecting. :thinking:

Another question - are the logs you've shared here the result of simply testing the connection or actually attempting to query the Mongo database? Can you also share the contents of /etc/ssh/sshd_config? Feel free to drop it into a DM if it contains sensitive IPs or other information!
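The reading Darren gives of that excerpt (successful public-key login, then an immediate disconnect) can be checked mechanically. The script below is an added example for this thread, not code from Retool, OpenSSH or anyone in the discussion: it correlates the sshd lines of an auth.log into per-connection sessions, decodes the disconnect reason code, and flags sessions that are closed within a couple of seconds of authenticating. SAMPLE_AUTH_LOG is the excerpt posted above trimmed to the sshd lines; the helper names and the 2-second threshold are this example's own choices.

```python
"""Correlate sshd auth.log lines into sessions and flag ones the client
closes almost immediately after a successful login.

Added example for this forum thread (not Retool's or OpenSSH's code).
"""
import re
from datetime import datetime

# The sshd lines from the auth.log excerpt posted in the thread.
SAMPLE_AUTH_LOG = """\
2024-09-19T04:21:26.439912+00:00 ip-172-31-35-133 sshd[1021]: Accepted publickey for retool from 35.90.103.132 port 21441 ssh2: RSA SHA256:B8yPekhr4QEznaDEwtvP15AkR+mb9/iopQ3xdPoz5V8
2024-09-19T04:21:26.443121+00:00 ip-172-31-35-133 sshd[1021]: pam_unix(sshd:session): session opened for user retool(uid=1003) by retool(uid=0)
2024-09-19T04:21:26.949651+00:00 ip-172-31-35-133 sshd[1081]: Received disconnect from 35.90.103.132 port 21441:11:
2024-09-19T04:21:26.949816+00:00 ip-172-31-35-133 sshd[1081]: Disconnected from user retool 35.90.103.132 port 21441
2024-09-19T04:21:26.950219+00:00 ip-172-31-35-133 sshd[1021]: pam_unix(sshd:session): session closed for user retool
"""

# Syslog-style line: ISO timestamp, host, "sshd[pid]: message".
LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# "Accepted publickey for retool from 1.2.3.4 port 21441 ssh2: RSA SHA256:..."
ACCEPTED = re.compile(r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) '
                      r'port (?P<port>\d+) ssh2(?:: (?P<key>.*))?$')
# "Received disconnect from 1.2.3.4 port 21441:11: <optional client text>"
DISCONNECT = re.compile(r'^Received disconnect from (?P<ip>\S+) port (?P<port>\d+):'
                        r'(?P<code>\d+):\s*(?P<reason>.*)$')

# SSH_MSG_DISCONNECT reason codes, RFC 4253 section 11.1.
DISCONNECT_REASONS = {
    1: 'SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT',
    2: 'SSH_DISCONNECT_PROTOCOL_ERROR',
    3: 'SSH_DISCONNECT_KEY_EXCHANGE_FAILED',
    5: 'SSH_DISCONNECT_MAC_ERROR',
    6: 'SSH_DISCONNECT_COMPRESSION_ERROR',
    7: 'SSH_DISCONNECT_SERVICE_NOT_AVAILABLE',
    8: 'SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED',
    9: 'SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE',
    10: 'SSH_DISCONNECT_CONNECTION_LOST',
    11: 'SSH_DISCONNECT_BY_APPLICATION',
    12: 'SSH_DISCONNECT_TOO_MANY_CONNECTIONS',
    13: 'SSH_DISCONNECT_AUTH_CANCELLED_BY_USER',
    14: 'SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE',
    15: 'SSH_DISCONNECT_ILLEGAL_USER_NAME',
}


def parse_sessions(log_text):
    """Map (peer ip, peer port) -> session dict.

    The pid cannot be the join key: "Accepted" is logged by the monitor
    process (1021 above) and the disconnect by the post-authentication
    child (1081), so the peer address and source port tie them together.
    """
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m['ts']), m['msg']
        a = ACCEPTED.match(msg)
        if a:
            sessions[(a['ip'], int(a['port']))] = {
                'user': a['user'], 'method': a['method'], 'key': a['key'],
                'opened': ts, 'closed': None, 'reason_code': None, 'reason_text': '',
            }
            continue
        d = DISCONNECT.match(msg)
        if d and (d['ip'], int(d['port'])) in sessions:
            s = sessions[(d['ip'], int(d['port']))]
            s['closed'], s['reason_code'], s['reason_text'] = ts, int(d['code']), d['reason']
    return sessions


def short_lived_sessions(sessions, max_seconds=2.0):
    """Sessions that authenticated and were torn down within max_seconds."""
    findings = []
    for (ip, port), s in sessions.items():
        if s['closed'] is None:
            continue
        duration = (s['closed'] - s['opened']).total_seconds()
        if duration <= max_seconds:
            code = s['reason_code']
            findings.append({
                'peer': '%s:%d' % (ip, port), 'user': s['user'], 'method': s['method'],
                'duration_s': round(duration, 3),
                'reason': DISCONNECT_REASONS.get(code, 'code %s' % code),
            })
    return findings


if __name__ == '__main__':
    for f in short_lived_sessions(parse_sessions(SAMPLE_AUTH_LOG)):
        print(f)
```

Two things the decoded result says about the excerpt: reason code 11 is SSH_DISCONNECT_BY_APPLICATION, i.e. the client side (Retool's tunnel) chose to close the connection about half a second after the key was accepted, rather than sshd dropping it; and sshd logs a forward it refuses at its default LogLevel as "refused local port forward: originator ... target ...", and no such line appears, so nothing was denied either. Whether a direct-tcpip channel to the Mongo port was requested at all only shows up with LogLevel DEBUG1 set temporarily on the bastion.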

Hey @Darren

Yes, it's the /var/log/auth.log

It's only trying to test a connection.

Here's my sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Please let me know if you need any other information. I can connect with you directly as well to get this sorted asap.

Thanks for sharing. :+1: I notice a few differences between this and the sshd_config on my own bastion server, but I can't confidently say that they are responsible for the behavior that you're seeing:

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

This is specifically for Ubuntu 24.04 running on an AWS EC2 machine, but I'd try modifying your config so that it resembles this just to see if it works. I'll reach out via DM for more info.
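Comparing two sshd_config files by eye is error-prone because sshd keeps only the first value it sees for each keyword, treats keywords case-insensitively, and applies anything pulled in by Include before the rest of the file. The script below is an added example for this thread, not code from Retool, OpenSSH or any participant: it reduces a config to its effective global directives, diffs two of them, and runs the checks that matter for a bastion whose only job is to carry a key-authenticated tunnel (including the PasswordAuthentication change from Darren's first reply). POSTED_CONFIG and REFERENCE_CONFIG are abridged from the two files above, keeping only the lines that differ or matter; the check names and severities are this example's own. On a live host, `sshd -T -C user=retool` is the authoritative view of effective values, and this offline parser ignores Match blocks.

```python
"""Reduce sshd_config text to effective directives, diff two configs and
audit the result for a key-only tunnel user.

Added example for this forum thread (not Retool's or OpenSSH's code).
Limitations: global section only, parsing stops at the first Match line,
and Include targets are not read (the directive itself is reported).
"""
import re

# Abridged from the asker's sshd_config posted in the thread.
POSTED_CONFIG = """\
#Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Abridged from Darren's Ubuntu 24.04 bastion config posted in the thread.
REFERENCE_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$')


def effective_directives(text):
    """Return {lowercase keyword: value} for the global section.

    sshd uses the first value given for a keyword, so later duplicates are
    ignored; commented lines do not count, which is why "#Include" and
    "#PasswordAuthentication yes" leave those keywords at their defaults.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == 'match':          # conditional section: out of scope here
            break
        effective.setdefault(key, value)
    return effective


def diff_directives(a, b):
    """{keyword: (value in a, value in b)} for keywords whose value differs;
    None means the keyword is unset (sshd default applies)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def audit(effective):
    """(severity, keyword, message) findings for a tunnel-only bastion.
    Fallback values are OpenSSH's documented defaults for unset keywords."""
    findings = []
    if effective.get('passwordauthentication', 'yes') != 'no':
        findings.append(('high', 'passwordauthentication',
                         'not set to "no"; the default is yes, so password logins are accepted'))
    if effective.get('permitrootlogin', 'prohibit-password') == 'yes':
        findings.append(('high', 'permitrootlogin',
                         '"yes" permits root login by every enabled method; use prohibit-password or no'))
    if 'include' not in effective:
        findings.append(('medium', 'include',
                         'no Include of /etc/ssh/sshd_config.d; any drop-in files there are ignored'))
    if effective.get('allowtcpforwarding', 'yes') == 'no':
        findings.append(('high', 'allowtcpforwarding',
                         '"no" blocks the direct-tcpip channels an SSH tunnel relies on'))
    if effective.get('x11forwarding', 'no') == 'yes':
        findings.append(('low', 'x11forwarding', 'not needed on a tunnel-only bastion; set to no'))
    if 'permitopen' not in effective:
        findings.append(('low', 'permitopen',
                         'unrestricted; a Match User block with PermitOpen host:port limits where the tunnel can reach'))
    return findings


if __name__ == '__main__':
    posted, reference = effective_directives(POSTED_CONFIG), effective_directives(REFERENCE_CONFIG)
    for k, (p, r) in diff_directives(posted, reference).items():
        print('%-24s posted=%r reference=%r' % (k, p, r))
    for sev, key, msg in audit(posted):
        print('[%s] %s: %s' % (sev, key, msg))
```

The diff is the point of the comparison: in the posted file the Include is commented out, PermitRootLogin is forced to yes, and PasswordAuthentication is still commented (so still defaulting to yes even after the edit Darren asked for only if the uncommented line was actually added). The audit is an opinion about a bastion, not a verdict on why the tunnel drops; note that AllowTcpForwarding is left at its default of yes in both files, so the forward itself is not disabled by either config.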

Hey @Darren I DMed you as well. Any updates on this?

Let's continue this conversation in that DM in order to more easily coordinate and share potentially sensitive information. I'll update this thread with details once the issue has been resolved.