An SSH Tunnel lets you connect Gravity to your database or file server through a bastion host or a tunnel server. This connection type is used if you are unable to add an inbound firewall rule to your data warehouse, or your data warehouse IP address is on an internal network (no outside network access)

Gravity supports both SSH Tunnel and Reverse SSH Tunnel.

SSH Tunnel

Preparing the user and tunnel

You will need to prepare your host (either bastion host or tunnel server) by creating an gravity user and adding your account’s public key to the gravity ~/.ssh/authorized_keys file. Here’s how:

1. Create group gravity

2. Create user gravity and its home directory:

3. Switch to the gravity user

4. Create the .ssh directory and change permission

5. Create the authorization_keys file and change permission

   Using your favorite text editor, add your account’s public key to the authorized_keys.

6. Allow access to your server's host and port from

Tunnel Security Notes

By default, opening SSH access also allows forwarding of any ports, circumventing any firewalls between Grand the database host that is terminating the SSH tunnel. For better security, limit port forwarding and the ability to log in to your tunnel server. This can be controlled by properly configuring the ~/.ssh/authorized_keys entry for your account's public key.

For example, the following text could be prepended to your SSH key in your authorized_keys file. Please note that this text MUST be customized for your environment.

See the man ssh and man authorized_keys pages for examples and full details.

Reverse SSH Tunnel

Step 1: Contact GravityData with your SSH public key

To set up a reverse SSH tunnel, you’ll need to provide GravityData with the following:

• The public key corresponding to the SSH keypair you plan to use to establish the tunnel

• The SSH user you plan to use to establish the tunnerl

• The IP address(es) that you’ll connect to the Gravity SSH server from

• GravityData user's SSH public key

  • Goto Sources -> New Connection -> Select Source -> Check Connect via SSH -> Copy Public Key

Once our team receives this information, we’ll set up a secure SSH server for you to connect to. We’ll provide you with the SSH_HOST and TUNNEL_PORT info needed to establish the SSH connection.

Step 2: Establish the reverse SSH tunnel

After you receive the SSH connection information from us, you can establish the SSH tunnel. There are two methods you can use to accomplish this:

• With autossh (recommended)

• Without autossh

With autossh (recommended)

The following command will establish the tunnel using autossh. When you run this, replace the items in brackets:

The <DATABASE_HOST_OR_IP> and <DATABASE_PORT> values are the host/endpoint and port of the database you’re connecting from, respectively. For <TUNNEL_PORT> and <SSH_HOST>, use the values you received from our team.

For example: Here’s the same command, but with all the values inserted:

Without autossh

To establish the tunnel without using autossh, run the following command, replacing the items in brackets:

The <DATABASE_HOST_OR_IP> and <DATABASE_PORT> values are the host/endpoint and port of the database you’re connecting from, respectively. For <TUNNEL_PORT> and <SSH_HOST>, use the values you received from our team.

Here’s the same command, but with all the values inserted:

Step 3: Create Source in Gravity App

After establishing a successful Reverse SSH connection, enter the following into the GravityData setup form for your database: