I'm creating a new VM instance. I've clean all the meta data. Then I'm running the following command in the cloud shell:
gcloud beta compute ssh --zone "europe-west2-c" "vmname" --project "myprojectname"
then I've been asking to enter a passphrase (which I don't know). I press enter until I get the following error Permission denied (publickey) error
I've delete and recreated my instance multiple time but I always have the same error. What should I do?
Troubleshooting Steps:
Logon using UI ssh. This creates an ephemeral ssh key, Google Agent also executes the codepath to refresh .ssh/authorized_keys and address any invalid dir/file permissions for both .ssh/ and .ssh/authorized_keys. This approach will address common gcloud compute ssh issues that relates to corrupted keys, missing dir/file or invalid dir/file permission. Try the gcloud again after performing the UI ssh.
Make sure that account has authenticated to gcloud as an IAM user with the compute instance admin role; for example, run gcloud auth revoke --all, gcloud auth login [IAM-USER] then try gcloud compute ssh again.
Verify that persistent SSH Keys metadata for gcloud is set for either the project or instance. Look in Compute Engine > Metadata, then click SSH Keys. Persistent keys do not have the expireOn attribute.
It's possible the account has lost the private key, mismatched a keypair, etc. You can force gcloud to generate a new SSH keypair by doing the following:
Move ~/.ssh/google_compute_engine and ~/.ssh/google_compute_engine.pub if present.
For example:
mv ~/.ssh/google_compute_engine.pub ~/.ssh/google_compute_engine.pub.old
mv ~/.ssh/google_compute_engine ~/.ssh/google_compute_engine.old
Try gcloud compute ssh [INSTANCE-NAME] again. A new keypair will be created and the public key will be added to the SSH keys metadata.
Verify that the Linux Google Agent scripts are installed, up-to-date, and running. See Determining Google Agent Status. If the Linux Google Agent is not installed, re-install it. See guest-environment.
Verify account home owner/permission is correct. Make sure that account home directory has the correct ownership and is not globally writable. If not using os-login (which is default), your's .ssh folder must have mode 0700, .ssh/authorized_keys file must have mode 0600. Review /var/log/auth.log for any errors.
Commands:
sudo chmod 700 /home/[user-id]/.ssh
sudo chmod 600 /home/[user-id]/.ssh/authorized_keys
If os-login is enabled and the Virtual Machine instance is using a service account (default). Add the following roles to the account.
roles/compute.osLogin
roles/iam.serviceAccountUser
For more information troubleshooting SSH.
The possible causes for a Permission denied (publickey) error are:
Your key expired and Compute Engine deleted your
~/.ssh/authorized_keys file.
You used an SSH key stored in metadata to connect to a VM that has
OS Login enabled.
You used an SSH key stored in an OS Login profile to connect to a VM
that doesn't have OS Login enabled.
You connected using a third-party tool and your SSH command is
misconfigured.
The sshd daemon isn't running or isn't configured properly.
You can find more information on how to troubleshoot SSH key errors in this link
I have the same issue sometimes . Cause and solution according to GCP troubleshooting link is:
Your key expired and Compute Engine deleted your
~/.ssh/authorized_keys file. If you manually added SSH keys to your VM
and then connected to your VM using the Google Cloud Console, Compute
Engine created a new key pair for your connection. After the new key
pair expired, Compute Engine deleted your ~/.ssh/authorized_keys file
in the VM, which included your manually added SSH key.
To resolve this issue, try one of the following:
Connect to your VM using the Google Cloud Console or the gcloud
command-line tool. Re-add your SSH key to metadata. For more information, see Add SSH keys to VMs that use metadata-based SSH keys.
I use terraform so in this case I instructed the workflow to destroy the VM and rebuild it.
To fix this issue when you cannot start ssh:
Edit VM and enable Serial port
Start serial console
Edit ~/.ssh/authorized_keys
On your desktop/client,
edit /Users/[yourdesktopuser]/.ssh/id_rsa.pub
copy contents to clipboard
Paste this content to the end of authorized_keys file in the VM serial console
Save and close
This will then recognize the public key from your desktop
Related
I'm trying to set up remote access (with VSCode) to the GCP VM that's setup with Notebooks AI. However, when I ssh into the VM I don't have write permissions for /home/jupyter so cannot edit any of the notebook files.
I have tried both gcloud compute ssh and setting up local aliases with gcloud compute config-ssh.
My best guess is that the users are different. It looks like the terminal on JupyterLab is logged in as jupyter#[instance...] while when I ssh in its myname#[instance...]. Checking permissions of /home/jupyter/, it's owned by user jupyter of group jupyter. I also tried adding users to the jupyter group with sudo usermod -a -G but that didn't do the trick. When I try to ssh in as jupyter#[instance...] from anywhere else I get permission denied (public key).
I can edit files once logged in if I use sudo vim ..., but that won't help for VS code.
EDIT: a partial solution is to open up permissions using sudo chmod 777 /home/jupyter/*. However, that's probably a hackish, unsafe way to do it. Moreover, it only works on existing files -- new files will still only be writable by whichever user created them.
To SSH into the notebook instance as the “jupyter” user, an SSH key should be generated for that user and be added to the notebook VM instance. Also, please make sure that the notebook instance VM has the appropriate firewall rule to allow the SSH connection. The following are the steps that would create an SSH connection to the “jupyter” user which has the write permissions.
Run the following commands on the local machine to generate the required SSH key:
ssh-keygen -t rsa -f ~/.ssh/jupyter-ssh-key -C jupyter
“jupyter-ssh-key” → Name of the pair of public and private keys (Public key: jupyter-ssh-key.pub, Private key: jupyter-ssh-key)
“jupyter” → User in the VM that we are trying to connect to
chmod 400 ~/.ssh/jupyter-ssh-key
In the Compute Engine console, edit the VM settings to add the contents of the generated SSH public key. Detailed instructions can be found here.
Initiate the SSH connection from the local machine to the notebook VM:
ssh -i ~/.ssh/jupyter-ssh-key jupyter#<external-ip-of-notebook-vm-instance>
If the SSH connection succeeds, the same can be followed in VSCode.
In VSCode, select the “Remote-SSH: Connect to Host” option from the command palette. Enter the above ssh -i command to add the notebook VM instance as a recognized host. A new VSCode window will appear where we have been logged in as the “jupyter” user.
I created a sudo user in a newly created google cloud compute machine (debian) and added a new system user using the below commands
ssh into the instance using this command: gcloud compute ssh instance-name --zone=us-central1-a
created a sudouser by running running this command sudo adduser admin_user
I can see the new user gets added by running the below command less /etc/passwd admin_user:x:1002:1003::/home/admin_user:/bin/sh
The user group also I verified by running groups admin_user . this is the output admin_user : admin_user sudo google-sudoers
But when I try to ssh to that instance from my local machine
gcloud compute ssh --project project_name --zone us-central1-a admin_user#instance-name
its giving the following error.
admin_user#32.29.134.441: Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
Could anyone please help how to solve this
The possible causes for a Permission denied (publickey) error are:
Your key expired and Compute Engine deleted your ~/.ssh/authorized_keys file.
You used an SSH key stored in metadata to connect to a VM that has OS Login enabled.
You used an SSH key stored in an OS Login profile to connect to a VM that doesn't have OS Login enabled.
You connected using a third-party tool and your SSH command is misconfigured.
The sshd daemon isn't running or isn't configured properly.
It looks like the first one fits the best for you. To solve this error add the SSH keys as it is explained in this link
I have created a linux VM in Google cloud, and right now I am trying to access the VM through SSH.
I am able to SSH to the server, if I am loged-in to the console via the interface, However I am trying to generate a portable private key file (pem) which I can use it to remote to the server from anywhere.
I can achieve this easily on AWS, or Azure during the VM creation, but this doesn't seem to be the case on GC.
This is not how gcloud works.
Google Cloud Platform actually takes public key beforehand when you create VM instance in compute service. You can generate the key on your machine by using ssh-keygen and add it by following methods to your instance.
You have 2 options. Either you can add the ssh key instance-wide(screenshot 1) by editing your instance setting or you add ssh key project wise in the meta data section of compute service(screenshot 2).
Screenshot1
Screenshot 2
I understand what you mean, but google do it in a bit more automatically.
In any local computer, first get a service-account json with right access.
Authorized the gcloud by,
gcloud auth activate-service-account --key-file=KEY_FILE.json
Then,
gcloud compute config-ssh [--ssh-config-file=SSH_CONFIG_FILE] [--ssh-key-file=SSH_KEY_FILE]
You may already have ssh file, but that's fine if you simply let gcloud to generate it.
Finally you can ssh into any compute engine from this computer by,
gcloud compute ssh [USER#]INSTANCE
While, for next time in the same computer, you just need to use gcloud compute ssh to access it again.
Open a terminal on your workstation and use the ssh-keygen command to generate a new key. Specify the -C flag to add a comment with your username.
ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]
where:
[KEY_FILENAME] is the name that you want to use for your SSH key files. For example, a filename of my-ssh-key generates a private key file named my-ssh-key and a public key file named my-ssh-key.pub.
[USERNAME] is the user for whom you will apply this SSH key.
Restrict access to your private key so that only you can read it and nobody can write to it.
chmod 400 ~/.ssh/[KEY_FILENAME]
where [KEY_FILENAME] is the name that you used for your SSH key files.
Repeat this process for every user who needs a new key.
If you created a key on a Linux workstation by using the ssh-keygen tool, the keys are saved under the following locations:
Public key file: ~/.ssh/[KEY_FILENAME].pub
Private key file: ~/.ssh/[KEY_FILENAME]
where [KEY_FILENAME] is the filename of the SSH key, which was set when the key was created.
To add or remove project-wide public SSH keys from the GCP Console:
In the Google Cloud Platform Console, go to the metadata page for your project. It can be found under the GCE menu.
Under SSH Keys, click Edit.
Modify the project-wide public SSH keys: To add a public SSH key, click Add item at the bottom of the page. This will produce a text box. Copy the contents of your public SSH key file and paste them into the text box. Repeat this process for each public SSH key that you want to add.
When you are done, click Save at the bottom of the page.
To connect to an instance using ssh
In a terminal, use the ssh command and your private SSH key file to connect to your instance. Specify your username and the external IP address of the instance that you want to connect to.
ssh -i [PATH_TO_PRIVATE_KEY] [USERNAME]#[EXTERNAL_IP_ADDRESS]
where:
[PATH_TO_PRIVATE_KEY] is the path to your private SSH key file.
[USERNAME] is the name of the user connecting to the instance. The username for your public SSH key was specified when the SSH key was created. You can connect to the instance as that user if the instance has a valid public SSH key for that user and if you have the matching private SSH key.
[EXTERNAL_IP_ADDRESS] is the external IP address for your instance.
If the connection is successful, you can use the terminal to run commands on your instance. When you are done, use the exit command to disconnect from the instance.
I found this answer and just wanted to update on what works for me
With gcloud client installed on your machine (whichever machine you wish to connect to the VM with).
Authenticate your service using your project JSON key
gcloud auth activate-service-account --key-file=[keyfile_for_project].json
Create ssh key pairs on the local machine
$(which ssh-keygen) -t rsa -C "your#email.com"
Add the public key you just created in id_rsa.pub to your VM's metadata (great screenshots of this included by Mohit Kumar's answer)
cat $PWD/id_rsa.pub (paste this output into the SSH key metadata)
ssh to the VM instance using the private key you just created in id_rsa
ssh -v -i id_rsa [user]#[external_ip]
If you want to make this portable, simply carry that private key (id_rsa) public key (id_rsa.pub) pair around with you
For SSH access, you wouldn't use a pem key. On your client machine, you should run (if in a unix/linux system) ssh-keygen which will walk you through creating your ssh key (default is RSA). You then need to add the public key (~/.ssh/id_rsa.pub or the file specified during creation) to ~/.ssh/authorized_keys on the server.
I wanted to Transferring files with gcloud compute scp (https://cloud.google.com/community/tutorials/setting-up-lamp), after running VM, connect SSH key, I input( gcloud compute scp [local file path] root#lamp-2:/home/ )on cloud shell , the system prompt me to inter root#compute.194334494129028111's password, what does that mean?
The correct command from the tutorial is:
gcloud compute copy-files [LOCAL_FILE_PATH] lamp-tutorial:/somepath
Why are you specifying a different user (root) for the target? You can always scp the files to a different users, then ssh into the machine and copy the files to another user's directory (assuming you have permission for the other user).
Generally, when scp asks for a password, it didn't find a matching ssh key. Different users on the target machine would have different ssh keys. What do you mean by "connect SSH key"? Did you connect to the vm as described in the tutorial or did you set up ssh access with ssh-keygen from Cloud Shell to the VM?
I have been using the GCP console to connect to a cloud instance and want to switch to using SSH through powershell as that seems to maintain a longer persistence. Transferring my public key through cloud shell into authorized_key file seems to be temporary since once cloud shell disconnects, the file doesn't persist. I've tried using os-login but that generates a completely different user from what I've been using through cloud shell (Cloud shell creates a user: myname while gcloud creates a user: myname_domain_com. Is there a way to continue using the same profile created by cloud shell when logging in through gcloud. I am using the same email and account in both the console and gcloud myname#domain.com. The alternative is to start all over from gcloud and that would be a pain.
If you want to SSH to different instances of a google cloud project (from a mac or Linux), do the following:
Step 1. Install SSH keys without password
Use the following command to generate the keys on your mac
ssh-keygen -t rsa -f ~/.ssh/ -C
For example private-key-name can be bpa-ssh-key. It will create two files with the following names in the ~/.ssh directory
bpa-ssh-key
bpa-ssh-key.pub
Step 2. Update the public key on your GCP project
Goto Google Cloud Console, choose your project, then
VMInstances->Metadata->SSH Keys->Edit->Add Item
Cut and paste the contents of the bpa-ssh-key.pub (from your mac) here and then save
Reset the VM Instance if it is running
Step 3. Edit config file under ~/.ssh on your mac Edit the ~/.ssh/config to add the following lines if not present already
Host *
PubKeyAuthentication yes
IdentityFile ~/.ssh/bpa-ssh-key
Step 4. SSHing to GCP Instance
ssh username#gcloud-externalip
It should create a SSH shell without asking for the password (since you have created the RSA/SSH keys without a password) on the gcloud instance.
Since Metadata is common across all instances under the same project, you can seam-lessly SSH into any of the instances by choosing the respective External IP of the gcloud instance.