Skip to content

Fix DBeaver SSH Tunnel – Authentication Failed

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about Fix DBeaver SSH Tunnel. We cover key concepts, practical examples, and best practices.

You configure an SSH tunnel in DBeaver to reach a private database. DBeaver starts, the connection spinner spins, then fails: "SSH: authentication failed" or "Publickey authentication failed".

Wrong ❌

SSH Settings in DBeaver:
  Host: jump.example.com
  Port: 22
  User: deploy
  Auth: Private Key
  Private Key: ~/.ssh/id_rsa
  Passphrase: ****

The key works fine from the terminal:

ssh deploy@jump.example.com

But DBeaver refuses it. You try pasting the key contents into the dialog — same error. You try password auth — still rejected.

Step 1 — Verify key format:

DBeaver requires the OpenSSH PEM format. Convert if needed:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
# Or convert an existing key:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa -P "" -N ""

Step 2 — Correct DBeaver SSH configuration:

  1. Window → Preferences → Connections → SSH
  2. Set SSH client implementationJSch (the bundled OpenSSH)
  3. In the connection SSH tab:
    • Auth type: Public Key
    • Private Key: Browse to the absolute path (DBeaver expands ~ but not $HOME)
    • Passphrase: leave blank if the key has no passphrase, or enter it each session
  4. Tick Use global SSH preferences → disabled (so per‑connection settings apply)

Step 3 — Test from DBeaver:

Click Test Tunnel (a button at the bottom of the SSH settings panel):

Tunnel test succeeded
Connected to jump.example.com:22

Then Test Connection for the database:

Connected (via SSH tunnel)
Ping: 5 ms

Root Cause

DBeaver uses JSch, a pure‑Java SSH implementation. It is stricter about key formats than OpenSSH. Keys in the new OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) are not supported — they must be PEM (-----BEGIN RSA PRIVATE KEY-----).

Prevention

  • Always store a PEM‑formatted copy of your key in a dedicated ~/.ssh/dbeaver_id_rsa.
  • Use ssh-agent integration in DBeaver if available (Preferences → SSH → Use SSH Agent).
  • Avoid passphrase‑protected keys in DBeaver — use agent forwarding instead.
  • Pre‑test the tunnel with ssh -L 5433:db.internal:5432 jump.example.com -N -v to isolate connectivity from key format issues.

Common Mistakes with ssh tunnel

  1. Misunderstanding that String is [Char] with poor performance for large text operations
  2. Using foldl instead of foldl' causing stack overflow on large lists
  3. Forgetting deriving (Show, Eq) on custom data types needed for debugging

These mistakes appear frequently in real-world DBEAVER code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

**Q: DBeaver says "invalid privatekey" — what does that mean?**

A: The key is not in PEM format. Convert with ssh-keygen -p -m PEM -f keyfile.

**Q: Can DBeaver use `ssh-agent` or Pageant?**

A: Yes — Preferences → SSH → check Use SSH Agent. On Windows it supports Pageant, on macOS/Linux it picks up SSH_AUTH_SOCK.

**Q: Does DBeaver support SSH keys with a passphrase?**

A: Yes, but you must enter it each session unless you use an SSH agent.

**Q: Why does the tunnel work but the database connection fails?**

A: Check the tunnel's local port — DBeaver assigns one automatically. Ensure the database host/port in the Main tab points to localhost:<local_port>.


SSH tunnelling for databases is covered in the DodaTech DBeaver Advanced course.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro