Postgres with SSH Tunnel

Did anyone get it to work? I always run into this error message:
Could not establish a connection. Try checking your database firewall configuration and whitelisting Retool's IP Address

Hi Shaohua! debugging these resource connections can be a pain :frowning:
Here’s some info you might find helpful:

Possible error messages with SSH Tunnel:

  • All configured authentication methods failed
    • it means retool can reach the ssh host, but can’t authenticate (the retool pub key isn’t in there? or there’s no retool user?)
  • Channel open failure: Connection refused
    • the ssh tunneling config was good, but the host/port you tried to connect to refused the connection
  • Could not establish a connection. Try checking your database firewall configuration and whitelisting Retool's IP Address
    • you usually get this when you run into a firewall, or when other wonky things happen (e.g. trying to connect postgres to an http port)
    • this can happen if your ssh tunnel configs are wrong, OR if your db host/port are wrong. no way to tell right now unfortunately :frowning:

here are some things I’d try:

  • just to double check: did you create a retool user on your ssh host, and add the pub key?
  • if you have access to the ssh host, try connecting retool while monitoring the auth logs (tail -f /var/log/auth.log). if you’re not seeing any connection attempts, then you probably didn’t whitelist retool’s IP
  • while debugging, use the proper ssh tunnel configs, but set the db configs to something bogus, e.g. localhost:5555. if the ssh tunnel is fine, you should see the “Connection refused” error, and you’ll know that your db configs are the problem, not the ssh tunnel configs

does that make sense?

To get the ssh user working on Debian I had to do the following:
chmod 700 /home/retool/.ssh
chmod 600 /home/retool/.ssh/authorized_keys
chown -R retool:retool /home/retool


Just sharing a quirk of a brand new bastion host on AWS using Ubuntu - I had to add

PubkeyAcceptedAlgorithms=+ssh-rsa

to /etc/ssh/sshd_config in order to get retool's pubkey to be accepted. This was the case even though

ssh -Q PubkeyAcceptedAlgorithms | grep rsa

showed that ssh-rsa was in the allowed list.

If you see userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth] in your ssh logs, the above might be the fix.
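
One way to script the auth-log check suggested in this thread, as an added example that is not part of any post: it reads sshd log lines and reports why a tunnel login from a given source IP failed. The function name, the verdict labels and the sample log lines are constructed for illustration; it assumes syslog-style lines tagged `sshd[PID]:`.

```shell
#!/bin/sh
# Added example. sshd logs the failure reason (key type, file modes) without
# the client IP, so lines are correlated through the sshd[PID] tag of the
# connection that came from that IP. Names here are hypothetical.
diagnose_tunnel() {   # usage: diagnose_tunnel LOGFILE USER SOURCE_IP
    awk -v user="$2" -v ip="$3" '
        function pid_of(line) {
            if (match(line, /sshd\[[0-9]+\]/))
                return substr(line, RSTART + 5, RLENGTH - 6)
            return ""
        }
        # Pass 1: remember every sshd PID that logged a line naming the IP.
        NR == FNR {
            if (index($0, " " ip " ") && (p = pid_of($0)) != "") {
                seen[p] = 1; attempts++
            }
            next
        }
        # Pass 2: within those PIDs, the most recent recognised event wins.
        { p = pid_of($0); if (!(p in seen)) next }
        /not in PubkeyAcceptedAlgorithms/                { verdict = "key-type-rejected" }
        /Authentication refused: bad ownership or modes/ { verdict = "bad-ssh-dir-permissions" }
        index($0, "Invalid user " user " ")              { verdict = "no-such-user" }
        index($0, "Accepted publickey for " user " ")    { verdict = "accepted" }
        END {
            if (!attempts)     print "no-attempts-from-ip"   # firewall / allowlist
            else if (!verdict) print "auth-failed-unknown-reason"
            else               print verdict
        }
    ' "$1" "$1"
}

# Constructed sample log; IPs are documentation addresses, not real hosts.
sample_log() {
    cat <<'EOF'
Jan 10 09:00:01 bastion sshd[4101]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 10 09:00:01 bastion sshd[4101]: Connection closed by authenticating user retool 203.0.113.10 port 51234 [preauth]
Jan 10 09:05:12 bastion sshd[4188]: Authentication refused: bad ownership or modes for directory /home/retool/.ssh
Jan 10 09:05:12 bastion sshd[4188]: Connection closed by authenticating user retool 198.51.100.7 port 40022 [preauth]
EOF
}

log=$(mktemp); sample_log > "$log"
diagnose_tunnel "$log" retool 203.0.113.10
diagnose_tunnel "$log" retool 198.51.100.7
diagnose_tunnel "$log" retool 192.0.2.55
rm -f "$log"
```

On a real host, point it at /var/log/auth.log with the tunnel user and the source IP you expect connections from.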