Fix DBeaver SSH Tunnel – Authentication Failed
In this tutorial, you'll learn about Fix DBeaver SSH Tunnel. We cover key concepts, practical examples, and best practices.
You configure an SSH tunnel in DBeaver to reach a private database. DBeaver starts, the connection spinner spins, then fails: "SSH: authentication failed" or "Publickey authentication failed".
Wrong ❌
SSH Settings in DBeaver:
Host: jump.example.com
Port: 22
User: deploy
Auth: Private Key
Private Key: ~/.ssh/id_rsa
Passphrase: ****
The key works fine from the terminal:
ssh deploy@jump.example.com
But DBeaver refuses it. You try pasting the key contents into the dialog — same error. You try password auth — still rejected.
Right ✅
Step 1 — Verify key format:
DBeaver requires the OpenSSH PEM format. Convert if needed:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
# Or convert an existing key:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa -P "" -N ""
Step 2 — Correct DBeaver SSH configuration:
- Window → Preferences → Connections → SSH
- Set SSH client implementation →
JSch(the bundled OpenSSH) - In the connection SSH tab:
- Auth type:
Public Key - Private Key: Browse to the absolute path (DBeaver expands
~but not$HOME) - Passphrase: leave blank if the key has no passphrase, or enter it each session
- Auth type:
- Tick Use global SSH preferences → disabled (so per‑connection settings apply)
Step 3 — Test from DBeaver:
Click Test Tunnel (a button at the bottom of the SSH settings panel):
Tunnel test succeeded
Connected to jump.example.com:22
Then Test Connection for the database:
Connected (via SSH tunnel)
Ping: 5 ms
Root Cause
DBeaver uses JSch, a pure‑Java SSH implementation. It is stricter about key formats than OpenSSH. Keys in the new OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) are not supported — they must be PEM (-----BEGIN RSA PRIVATE KEY-----).
Prevention
- Always store a PEM‑formatted copy of your key in a dedicated
~/.ssh/dbeaver_id_rsa. - Use
ssh-agentintegration in DBeaver if available (Preferences → SSH → Use SSH Agent). - Avoid passphrase‑protected keys in DBeaver — use agent forwarding instead.
- Pre‑test the tunnel with
ssh -L 5433:db.internal:5432 jump.example.com -N -vto isolate connectivity from key format issues.
Common Mistakes with ssh tunnel
- Misunderstanding that
Stringis[Char]with poor performance for large text operations - Using
foldlinstead offoldl'causing stack overflow on large lists - Forgetting
deriving (Show, Eq)on custom data types needed for debugging
These mistakes appear frequently in real-world DBEAVER code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
SSH tunnelling for databases is covered in the DodaTech DBeaver Advanced course.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro