mysqlamazon-web-servicesamazon-rdsssh-tunnelbastion-host

Navicat or MySQL Workbench SSH Tunnel with MFA


Is it even possible to use Navicat or MySQL workbench (or any other tool) to connect to an Amazon RDS via a jump box like a bastion host?

I can do this if I manually open an ssh tunnel in a terminal like so:

ssh -A <my_user>@<bastion_endpoint> -L 3306:<RDS_ENDPOINT>:3306

Then connect to localhost:3306 from the mysql tool, this works. It's important to know that on the bastion MFA is required to login.

I can't even connect to my bastion box from Navicat using the exact same credentials as I used in the terminal/command line. I get the error:

Access denied for 'none'. Authentication that can continue: keyboard-interactive (11)

So I went to the bastion box and removed keyboard-interactive from the authentication methods and it works. However, that obviously breaks the MFA I'm using so that's not an option.

Is there any other configuration I need to do on my bastion box in order to make this work, or is this simply not possible?


Solution

  • Turns out my sshd configuration was fine, however, I did go back and enable auto pushing with MFA.

    Navicat

    If auto push is disabled for MFA you need to select Password and Public Key (even though we're just using a public key here). In the password field it can be blank, if auto push is enabled, otherwise put the number of your selection you want to be notified here (thats right it's not a normal password, dumb I know). Then just use your normal private key and password for the private key and it should connect fine.

    MySQL Workbench / Sequel Pro

    You MUST have autopush or something similar to it in order to work with MFA. If I didn't have auto push enabled it would fail to connect. Again use Password and Public Key. The password to the instance is blank then its just the normal public key and password for you public key.

    IntelliJ

    This is nicer. It will work with prompting with the MFA choice if you don't have auto push enabled. Unlike the others you can select the Public Key option instead of Password and Public Key and it should connect and work fine.


    - - - - - Errors With Rotating IPs - - - - -

    Now unfortunately you will get the annoying "man-in-the-middle" scary error with ssh if you have a constant endpoint with rotating IPs under it (like I did). If that's the case ONLY IntelliJ offers a checkbox for ignore StrictHostSSHKeyChecking.

    So to get around that ONLY for this specific endpoint you can make it be forced to ignore SSH Key Checking. To do that add the following entry to your ~/.ssh/config file:

    # changing IPs
    Host my-custom-host.com
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
    

    You can use as many wildcards in the Host section which is nice. So customize it to your needs. Now you won't be checking the ssh key but it's better than having to daily (or how often the IP gets rotated) delete the endpoint entry in ~/.ssh/known_hosts.

    Hopefully this helps to save someone a lot of pain.