Skip to main content
SSH Tunnel Setup
Updated over a week ago

Getting Started

For added security with your database server, you can connect using an SSH tunnel. To use this option, you need an SSH tunnel server that has access to your database port. You’ll need to create an SSH user for Savant and the tunnel server's SSH port needs to be accessible to Savant’s IPs.

You can check that your database is accessible from the proxy machine by trying to connect to the host:port from the proxy machine. Here is an example using netcat on the proxy machine:

nc -w 10 -t -v <server> <port>

You also need to open port 22 of the proxy machine to Savant's IP. The Savant gateway IPs are listed below for each geo.

Worldwide App (non-EU):

  • 35.188.163.165

  • 35.188.99.19

  • 3.20.192.126

  • 3.136.174.242

  • 3.21.111.255

EU App:

  • 34.22.229.169

  • 34.79.28.74

  • 34.251.112.30

  • 54.220.36.32

  • 63.32.243.56

SSH Tunnel Setup

These steps take you through basic database connection setup. You will need to complete setup by choosing one of three SSH tunnel connection methods.

Create SSH User

On your SSH tunnel server, do the following to create an SSH user for Savant:

Create group:

sudo groupadd savant

Create user:

sudo useradd -m -g savant savant

Switch to the Savant user:

sudo su - savant

Create .ssh directory:

mkdir ~/.ssh

Set permissions for the .ssh directory:

chmod 700 ~/.ssh

Switch to the .ssh directory:

cd ~/.ssh

Create an authorized key file:

touch authorized_keys

Set permissions for the authorized key file:

chmod 600 authorized_keys

Verify SSH Tunnel

On your SSH tunnel server, you can use putty or the ssh command line to verify that the savant user can ssh into the tunneling server. If an error message is returned, then there is a configuration issue with your SSH tunnel server.

Verify access to the shell and home directory:

ssh savant@{ssh_tunnel_server}

Create a reverse tunnel:

ssh -R 8080:localhost:11111 user@{ssh_tunnel_server}

Test the reverse tunnel:

nc -v 127.0.0.1 8080

Configure Savant

In your Savant workspace, do the following to connect to your SSH tunnel:

  1. Go to the Systems page and click Add System

  2. Select your data warehouse connector and click Next

  3. Enter your Server for SSH

    1. This is the host name or IP address of the SSH server

  4. Enter the Port for SSH

    1. This is generally 22

  5. Enter the Username for SSH

    1. This is the user created on the SSH server

  6. Click Use SSL

  7. Click SSH Tunnel

  8. Complete one of the credentials methods

  9. Click Authenticate and then Confirm

Authentication Option #1: Password

This method uses a username and password to connect Savant to your SSH tunnel.

  1. Select the Password option

  2. Enter the password of the SSH tunnel user created for Savant

Passwords are encrypted before saving to Savant. The encryption key is not accessible by Savant employees and rotated regularly.

Authentication Option #2: Public Key

This method uses a public key from Savant to authenticate with the SSH tunnel server.

  1. Select the Savant Public Key option

  2. On the SSH tunnel server, go to the home directory for the Savant user

  3. Open file $HOME/.ssh/authorized_keys

    1. Create the text file if it does not exist

  4. Paste the public key copied from Savant UI to the file as a new line

Authentication Option #3: Private Key

This method uses your own private key to authenticate Savant with the SSH tunnel server.

  1. Select the Savant Private Key option

  2. On the SSH tunnel server, use the ssh-keygen command to create a new key pair

    1. A paraphrase is recommended, but not required

  3. Write down the public and private keys

  4. Go to the home directory for the Savant user

  5. Open file $HOME/.ssh/authorized_keys

    1. Create the text file if it does not exist

  6. Paste the generated public key to the file as a new line

  7. Paste the generated private key to Savant

  8. Enter the passphrase, if any, used to generate the new key pair

Private keys are encrypted before saving to Savant. The encryption key is not accessible by Savant employees and rotated regularly.

Did this answer your question?