Description
Trying to connect to a Postgres db via an SSH tunnel from Sequeler without success. Sequeler is installed from Flathub (version 0.8.2) on Ubuntu 24.
I used flatpak run --env=G_MESSAGES_DEBUG=all com.github.alecaddd.sequeler to get debug messages:
** (Sequeler:2): DEBUG: 19:52:55.311: ConnectionManager.vala:156: Opening tunnel 0x5e7f4b86c240
** (Sequeler:2): DEBUG: 19:52:55.311: ConnectionManager.vala:196: Socket params: <IP_ADDRESS_REDACTED>
** (Sequeler:2): DEBUG: 19:52:56.271: ConnectionManager.vala:229: Authentication methods: publickey
** (Sequeler:2): DEBUG: 19:52:56.272: ConnectionManager.vala:250: Authentication by public key failed!
** (Sequeler:2): DEBUG: 19:52:56.272: ConnectionManager.vala:408: closing ssh tunnel from: ConnectionManager.vala:251 0x5e7f4b86c240
** (Sequeler:2): DEBUG: 19:52:56.272: ConnectionManager.vala:150: Authentication by public key failed!
After looking at the ConnectionManager, it turns out the issue is that Sequeler tries to access the public key by tacking .pub onto the end of the private key file, but that file is not accessible inside Flatpak. The file picker mounts the singular selected key into an isolated runtime folder. This can be confirmed by dumping the config and looking at the ssh_identity_file field:
ssh_identity_file=/run/user/1000/doc/ec705995/id_rsa
Using flatpak enter I confirmed that this is indeed the case:
ec705995:
total 4
drwx------ 2 flaki flaki 0 Jan 1 1970 .
dr-x------ 2 flaki flaki 0 Jan 1 1970 ..
-rw-rw-rw- 1 flaki flaki 419 Jul 15 18:05 id_rsa
No matter what I did, the file picker always used this method of isolation for the key file. The only workaround I found was running the Flatpak app with --filesystem=home:ro to make sure my home folder shows up in the container, then dumping the config into a file and manually editing the ssh_identity_file path to something like /home/me/.ssh/id_rsa (where "me" is my username in the host), then re-importing.
This gets me past the SSH tunnel creation, but it still fails with more errors. I'm not sure what to make of these (the config is set correctly):
** (Sequeler:2): DEBUG: 20:43:39.172: ConnectionManager.vala:156: Opening tunnel 0x567a1911b4c0
** (Sequeler:2): DEBUG: 20:43:39.172: ConnectionManager.vala:196: Socket params: <IP_ADDRESS_REDACTED> 22
** (Sequeler:2): DEBUG: 20:43:40.125: ConnectionManager.vala:229: Authentication methods: publickey
** (Sequeler:2): DEBUG: 20:43:40.387: ConnectionManager.vala:255: Authentication by public key succeeded.
** (Sequeler:2): DEBUG: 20:43:40.387: ConnectionManager.vala:269: listensock 18
** (Sequeler:2): DEBUG: 20:43:40.387: ConnectionManager.vala:279: Failed to bind!
** (Sequeler:2): DEBUG: 20:43:40.387: ConnectionManager.vala:408: closing ssh tunnel from: ConnectionManager.vala:280 0x567a1911b4c0
** (Sequeler:2): DEBUG: 20:43:40.387: ConnectionManager.vala:150: Failed to bind. Your Database Port may be wrong!
I am trying to tunnel into an EC2 instance to access an RDS database that is not exposed to the public internet. If I manually do the tunneling, then connect with Sequeler locally, it works fine:
ssh -i /home/me/.ssh/id_rsa -L 55432:<POSTGRES_INSTANCE>.rds.amazonaws.com:5432 <IP_ADDRESS_REDACTED>
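
A diagnostic for the first failure described above, as an added example that is not part of the original issue and not Sequeler code: it reads an exported config, pulls out each `ssh_identity_file` entry, and reports whether the `<key>.pub` sibling is readable from where the script runs (run it inside the sandbox to see what the app sees). The function names and the `PORTAL_ROOT` variable are hypothetical; the default root assumes the `/run/user/<uid>/doc/<id>/` layout shown in the issue.

```shell
#!/bin/sh
# Added example: check whether the public key that goes with each configured
# SSH identity file is reachable next to the private key.

# Root of the per-file mounts created by the file picker (assumption: same
# layout as the /run/user/1000/doc/ec705995/id_rsa path quoted in the issue).
: "${PORTAL_ROOT:=/run/user/$(id -u)/doc}"

# Print every ssh_identity_file value found in a key=value config dump.
identity_paths() {
    sed -n 's/^ssh_identity_file=//p' "$1"
}

# Classify one private-key path. Prints exactly one of:
#   ok             key and key.pub are both readable
#   portal-no-pub  key sits in a per-file portal mount and key.pub is absent
#   no-pub         key is readable elsewhere but key.pub is absent
#   no-key         the private key itself is not readable
classify_identity() {
    key=$1
    [ -r "$key" ] || { echo no-key; return; }
    [ -r "$key.pub" ] && { echo ok; return; }
    case $key in
        "$PORTAL_ROOT"/*/*) echo portal-no-pub ;;
        *) echo no-pub ;;
    esac
}

# Report "<status><TAB><path>" for every identity file in the config dump.
check_config() {
    identity_paths "$1" | while IFS= read -r key; do
        printf '%s\t%s\n' "$(classify_identity "$key")" "$key"
    done
}

# Stand-alone use: pass the path of the dumped config as the first argument.
if [ $# -gt 0 ]; then
    check_config "$1"
fi
```

A `portal-no-pub` result matches the situation in the first debug log: the private key is visible but the adjacent `.pub` file is not.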