
Fix DataGrip SSH Config – Tunnel Connection Refused

DodaTech Updated 2026-06-24 2 min read

This tutorial shows how to fix a DataGrip SSH tunnel that fails even though the same key works from the terminal. It covers the fix, the root cause, and prevention.

You set up an SSH tunnel in DataGrip to reach a database behind a bastion host. The SSH configuration looks right, but DataGrip throws: "Connection to 'jump.example.com:22' failed: Authentication failed" or "Cannot open tunnel: connect timed out".

Wrong ❌

SSH Configuration:
  Host: jump.example.com
  Port: 22
  User: admin
  Authentication: Key pair (OpenSSH)
  Private key: ~/.ssh/id_ed25519
  Passphrase: ****

The same key works from the terminal:

ssh admin@jump.example.com

But DataGrip shows:

Connection to 'jump.example.com:22' failed: key format is invalid

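Generate a key in PEM format:

DataGrip (via JSch) requires PEM-formatted RSA or ECDSA keys. Ed25519 keys with the new OpenSSH format are not supported.

# Generate a dedicated key for DataGrip
ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/datagrip_rsa
# Leave the passphrase empty to avoid repeated prompts. The key file is then
# unencrypted on disk, so keep it readable only by your user, or set a
# passphrase and load the key through ssh-agent (see Prevention).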

Configure DataGrip:

  1. Database Explorer → data source → SSH/SSL tab
  2. Check Use SSH tunnel
  3. SSH configuration: Click +
  4. Fill in:
    • Host: jump.example.com
    • User name: admin
    • Port: 22
    • Authentication type: Key pair (OpenSSH)
    • Private key file: Browse to ~/.ssh/datagrip_rsa
  5. Click Test connection in the SSH dialog:
✅ SSH connection successful

Full tunnel test:

Back in the data source General tab, click Test Connection:

✅ Connected (via SSH tunnel, 4 ms)
Database: MySQL 8.0.33 on db-internal.example.com:3306

Root Cause

DataGrip uses the JSch SSH library internally. JSch does not support Ed25519 keys or the OpenSSH private key format (-----BEGIN OPENSSH PRIVATE KEY-----). Only PEM-formatted RSA, DSA, or ECDSA keys work.
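
The check below is an added example, not code from DataGrip or from this page. It reads only the first two lines of a key file and applies the accepted and rejected formats stated in the Root Cause above. The function names are hypothetical. The `Proc-Type: 4,ENCRYPTED` line is how a traditional PEM key marks passphrase protection.

```shell
#!/bin/sh
# Added example (hypothetical function names). Classifies a private key by its
# armor line only; the key material is never decoded.

# Print the container format of the key file "$1".
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    header=
    IFS= read -r header < "$1" || :   # a last line without newline still sets $header
    header=$(printf '%s' "$header" | tr -d '\r')   # tolerate CRLF-saved files
    case "$header" in
        # Ed25519 keys always use this container; so do RSA/ECDSA keys
        # written by a current ssh-keygen without -m PEM.
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo pem-dsa ;;
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-ecdsa ;;
        *)                                     echo unknown ;;
    esac
}

# Return 0 if the Root Cause above lists the format as working with JSch.
datagrip_key_check() {
    fmt=$(key_format "$1")
    case "$fmt" in
        pem-rsa|pem-dsa|pem-ecdsa)
            # Traditional PEM marks an encrypted key on its second line.
            if sed -n '2p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo "$fmt passphrase=yes: accepted format; load it with ssh-add"
            else
                echo "$fmt passphrase=no: accepted format; key is unencrypted on disk"
            fi ;;
        openssh)
            echo "openssh: rejected format; create the key with ssh-keygen -m PEM"
            return 1 ;;
        *)
            echo "$fmt: not a format the page lists as supported"
            return 1 ;;
    esac
}
```

After sourcing the file, run `datagrip_key_check ~/.ssh/datagrip_rsa` before pointing DataGrip at the key. Header formats the page does not mention are reported as `unknown` instead of being guessed at.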

Prevention

  • Maintain a separate RSA PEM key specifically for JetBrains tools.
  • Use ssh-agent for passphrase‑protected keys — DataGrip integrates with the native SSH agent.
  • Set a short Connect timeout (e.g. 10 s) in the SSH config to fail fast on unreachable hosts.
  • Pre‑validate the tunnel with ssh -L 3307:db-internal:3306 jump.example.com -N -v in the terminal.

Common Mistakes with ssh config

  1. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  2. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  3. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks

These mistakes appear frequently in real-world DataGrip code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

**Q: Can DataGrip use a config file from `~/.ssh/config`?**

A: Yes — DataGrip reads ~/.ssh/config and lists the hosts in the SSH configuration dropdown.

**Q: What if my key has a passphrase?**

A: Use ssh-agent — add the key with ssh-add ~/.ssh/datagrip_rsa and set DataGrip to use OpenSSH agent as the authentication type.

**Q: The tunnel works but the database connection fails — why?**

A: The SSH tunnel forwards to localhost:3306 on the jump host. Ensure your target database is listening on localhost on the jump host, or use a different forwarded port.

**Q: Does DataGrip support jump hosts (ProxyJump)?**

A: Yes — add the intermediate host in SSH configuration → Proxy (jump host) field.

