Fix DataGrip SSH Config – Tunnel Connection Refused
In this tutorial, you'll learn about Fix DataGrip SSH Config. We cover key concepts, practical examples, and best practices.
You set up an SSH tunnel in DataGrip to reach a database behind a bastion host. The SSH configuration looks right, but DataGrip throws: "Connection to 'jump.example.com:22' failed: Authentication failed" or "Cannot open tunnel: connect timed out".
Wrong ❌
SSH Configuration:
Host: jump.example.com
Port: 22
User: admin
Authentication: Key pair (OpenSSH)
Private key: ~/.ssh/id_ed25519
Passphrase: ****
The same key works from the terminal:
ssh admin@jump.example.com
But DataGrip shows:
Connection to 'jump.example.com:22' failed: key format is invalid
Right ✅
Convert the key to PEM format:
DataGrip (via JSch) requires PEM-formatted RSA or ECDSA keys. Ed25519 keys with the new OpenSSH format are not supported.
# Generate a dedicated key for DataGrip
ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/datagrip_rsa
# No passphrase to avoid repeated prompts
Configure DataGrip:
- Database Explorer → data source → SSH/SSL tab
- Use SSH tunnel: ☑
- SSH configuration: Click
…→ + - Fill in:
- Host:
jump.example.com - User name:
admin - Port:
22 - Authentication type:
Key pair (OpenSSH) - Private key file: Browse to
~/.ssh/datagrip_rsa
- Host:
- Click Test connection in the SSH dialog:
✅ SSH connection successful
Full tunnel test:
Back in the data source General tab, click Test Connection:
✅ Connected (via SSH tunnel, 4 ms)
Database: MySQL 8.0.33 on db-internal.example.com:3306
Root Cause
DataGrip uses the JSch SSH library internally. JSch does not support Ed25519 keys or the OpenSSH private key format (-----BEGIN OPENSSH PRIVATE KEY-----). Only PEM-formatted RSA, DSA, or ECDSA keys work.
Prevention
- Maintain a separate RSA PEM key specifically for JetBrains tools.
- Use
ssh-agentfor passphrase‑protected keys — DataGrip integrates with the native SSH agent. - Set a short
Connect timeout(e.g. 10 s) in the SSH config to fail fast on unreachable hosts. - Pre‑validate the tunnel with
ssh -L 3307:db-internal:3306 jump.example.com -N -vin the terminal.
Common Mistakes with ssh config
- Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
- Using
headandtailinstead of pattern matching, causing runtime errors on empty lists - Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
These mistakes appear frequently in real-world DATAGRIP code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Advanced SSH tunnelling for databases is covered in the DodaTech DataGrip Advanced course.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro