SSH issues on GCP VM migrated from AWS - google-cloud-platform

I have migrated an EC2 instance (Amazon Linux) to Google Cloud (Ubuntu 18.04) using CloudEndure.
But I am not able to SSH into the Google Cloud VM. I don't have the EC2 instance anymore. How can I access the Google Cloud VM? Error message:
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255]

Using the gcloud command, you can configure your SSH:
gcloud compute config-ssh
For more details on config-ssh, refer to:
Link

If gcloud compute config-ssh doesn't work, check the firewall rules for your machine: find the VPC it's in and make sure port 22 is open, as it may be blocked.
If you're not sure whether SSH can get through, create a rule for it.
A very similar issue was also discussed in this topic on StackOverflow, which might help you.
To be absolutely sure SSH traffic is allowed to your VM, you can set up a startup script for it: edit the VM in question, find the "Custom Metadata" section and click "Add Item", then type startup-script as the key and the command sudo ufw allow ssh in the "value" field.
With SSH traffic enabled in both the GCP firewall and the VM itself, you should be able to log in.

Related

Unable to connect to a compute engine instance though SSH/SFTP using an external account

I am unable to connect to the VM of a compute engine instance.
My account is out of the organization, considering "a.man@company.com" as user, "wordpress-1-vm" as instance and "project-1" as project for example.
My SSH key is already existing, this is the same key for other servers.
At organization level, we added the roles/compute.osLoginExternalUser to my account and enable-oslogin was set to TRUE.
Now connecting with gcloud is ok.
gcloud compute ssh --zone "us-central1-c" "wordpress-1-vm" --tunnel-through-iap --project "project-1"
From the docs, I ran the command:
gcloud compute os-login ssh-keys add --key-file="D:\Path\to\key.pub" --project=project-1 --ttl=730d
According to gcloud command, my user should be "ext_a_man_company_com".
This should work but connecting to ext_a_man_company_com@instance-ip:22 using ppk on PuTTY is returning
"Server refused our key"
Disconnected: No supported authentication methods available (server sent: publickey)
How should I connect to this server?
NB: I also tried by adding ssh key to metadata with no success.
You can try troubleshooting OS Login configuration using these instructions.
If you are trying to add the key directly via VM's metadata then you need to remember to turn off OS Login for this particular VM to make it work.
Assuming both options don't work, I recommend checking your PuTTY configuration and making sure you're using the correct user. You should be able to see what is happening in the sshd logs directly on your instance (log in via the console or gcloud to gain access).

GCP TPU SSH issue

I am working on a TPU created on Google Cloud. This evening when I tried to SSH into my TPU machine, I got the following error:
XXX@ip-address: Permission denied (publickey).
Retrying: SSH command error: [/usr/bin/ssh] exited with return code [255]
I deleted the keys from the ~/.ssh/ folder and reran the SSH command. It generated a public and private key in the .ssh folder, and I copied the public key into GCP => VM => Metadata.
I have replicated your issue in my test environment. I could create the TPU VM using the Cloud TPU VM and successfully logged into SSH using the gcloud command in Cloud Shell.
This error can occur for several reasons. The following are a couple of the most common causes of this error:
If you use an SSH key stored in metadata to connect to a VM that has OS Login enabled.
If OS Login is enabled on your project, your VM doesn't accept SSH keys that are stored in metadata. To resolve this issue, you can try one of the following:
Connect to your VM using the Google Cloud Console or the gcloud command-line tool.
Add your SSH keys to OS Login. For more information, see Adding SSH keys to a user account.
Disable OS Login. For more information, see Disabling OS Login.
The firewall rule allowing SSH is missing or misconfigured.
By default, Compute Engine VMs allow SSH access on port 22. If the default-allow-ssh rule is missing or misconfigured, you won't be able to connect to VMs.
To resolve this issue, check your firewall rules and re-add or reconfigure default-allow-ssh.
Refer to this link for more information on troubleshooting SSH.
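The rule the answers above rely on (metadata SSH keys stop being accepted once OS Login is on, unless it is turned off for that VM), as an added Python example that is not part of the original answers. It assumes the JSON shape of `gcloud compute instances describe` and `gcloud compute project-info describe`; the function names and sample data are constructed for illustration.

```python
def metadata_items(resource, field="metadata"):
    """Flatten a Compute Engine metadata block into {key: value}."""
    return {i["key"]: i.get("value", "") for i in resource.get(field, {}).get("items", [])}

def is_true(md, key):
    return md.get(key, "").strip().lower() == "true"

def os_login_enabled(inst_md, proj_md):
    """An instance-level enable-oslogin value overrides the project-level one."""
    for md in (inst_md, proj_md):
        if "enable-oslogin" in md:
            return is_true(md, "enable-oslogin")
    return False

def metadata_key_users(md):
    """Login names in an ssh-keys value: one 'USERNAME:KEY_TYPE KEY COMMENT' per line."""
    users = set()
    for line in md.get("ssh-keys", "").splitlines():
        user, sep, key = line.strip().partition(":")
        if sep and user and key.strip():
            users.add(user)
    return users

def accepted_key_source(instance, project):
    """Say which key store the VM honours and which metadata logins that affects."""
    inst_md = metadata_items(instance)
    proj_md = metadata_items(project, "commonInstanceMetadata")
    users = metadata_key_users(inst_md)
    if not is_true(inst_md, "block-project-ssh-keys"):
        users |= metadata_key_users(proj_md)   # project-wide keys also reach this VM
    if os_login_enabled(inst_md, proj_md):
        # Metadata keys are not accepted; the login name comes from the OS Login profile.
        return {"source": "os-login", "metadata_users_ignored": sorted(users)}
    return {"source": "metadata", "metadata_users_accepted": sorted(users)}

# Constructed samples (key material is a placeholder, not a real key).
PROJECT = {"commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
VM_KEY_ONLY = {"metadata": {"items": [
    {"key": "ssh-keys", "value": "a_man:ssh-ed25519 AAAAC3...placeholder a_man"}]}}
VM_OPTED_OUT = {"metadata": {"items": [
    {"key": "enable-oslogin", "value": "FALSE"},
    {"key": "ssh-keys", "value": "a_man:ssh-ed25519 AAAAC3...placeholder a_man"}]}}
```

`accepted_key_source(VM_KEY_ONLY, PROJECT)` reports the metadata key as ignored, which matches the "Permission denied (publickey)" symptom; `VM_OPTED_OUT` shows the per-VM opt-out making the same key usable.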

Can't SSH into Google Cloud VM

I was able to successfully SSH into the Google Cloud VM I had set up yesterday, but today for some reason I can't, and I didn't mess with any of the settings, especially not the Firewall settings. It keeps giving me these errors now:
Connection via Cloud Identity-Aware Proxy Failed
Code: 4003
Reason: failed to connect to backend
You may be able to connect without using the Cloud Identity-Aware Proxy.
Then when I click on "Connect without Identity-Aware Proxy" I get the following error:
Connection Failed
We are unable to connect to the VM on port 22. Learn more about possible causes of this issue.
I don't know what happened. Yesterday it was working fine and now it's not.
First, try to disable Cloud Identity-Aware Proxy and connect to the VM instance via the web Console.
After that, check logs:
Go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM -> at the VM instance details find section Logs and click on Serial port 1 (console)
Reboot your VM instance.
Check full boot log for any errors and/or warnings.
If your VM instance doesn't start up, verify that your disk has a valid file system and a valid master boot record (MBR) by following the documentation General troubleshooting.
If you found errors/warnings related to disk space, you can try to resize it according to the documentation Resizing a zonal persistent disk, and also according to the article Recovering an inaccessible instance or a full boot disk:
If an instance is completely out of disk space or if it is not running
a Linux guest environment, then automatically resizing your root
filesystem isn't possible, even after you've increased the size of the
persistent disk that backs it. If you can't connect to your instance,
or your boot disk is full and you can't resize it, you must create a
new instance and recreate the boot disk from a snapshot to resize it.
Otherwise, try to get access to your VM instance via the serial console:
Enable serial console connection with gcloud command:
gcloud compute instances add-metadata NAME_OF_YOUR_VM_INSTANCE \
--metadata serial-port-enable=TRUE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> click on EDIT -> go to section Remote access and check Enable connecting to serial ports
Create a temporary user and password to log in: shut down your VM and set a startup script by adding, in the section Custom metadata, the key startup-script and the value:
useradd --groups google_sudoers tempuser
echo "tempuser:password" | chpasswd
and then start your VM.
Connect to your VM via serial port with gcloud command:
gcloud compute connect-to-serial-port NAME_OF_YOUR_VM_INSTANCE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> and click on Connect to serial console
Check what went wrong.
Disable access via serial port with gcloud command:
gcloud compute instances add-metadata NAME_OF_YOUR_VM_INSTANCE \
--metadata serial-port-enable=FALSE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> click on EDIT -> go to section Remote access and uncheck Enable connecting to serial ports. Keep in mind that according to the documentation Interacting with the serial console:
Caution: The interactive serial console does not support IP-based access
restrictions such as IP whitelists. If you enable the interactive
serial console on an instance, clients can attempt to connect to that
instance from any IP address. Anybody can connect to that instance if
they know the correct SSH key, username, project ID, zone, and
instance name. Use firewall rules to control access to your network
and specific ports.
If you weren't able to connect via the serial console, try to follow the documentation Troubleshooting SSH, section Inspect the VM instance without shutting it down, and inspect the disk of your VM on another VM. In the same way, you can transfer your data to another working VM instance.
I had the same issue while running composer update.
In my case, rebooting the VM instance solved it.
Based on these error messages, I guess that your project has Identity-Aware Proxy (IAP) enabled, which sometimes may affect the ability to SSH into an instance, depending on the configuration.
In order to rule out this, you may try the following:
Create the firewall rules for allowing IAP to connect to your instances
Grant the necessary permissions to use IAP
Tunnel the SSH connection through IAP
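An added Python example (not from the original answers) for the firewall checks suggested in this thread and in the earlier default-allow-ssh advice: it reports which enabled ingress rules admit TCP port 22 and from where. The 35.235.240.0/20 IAP forwarding range comes from Google's documentation rather than this page, and the sample rules and function names are constructed.

```python
import ipaddress

# IAP TCP forwarding source range per Google's documentation (not stated on this page).
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")

def allows_tcp_22(rule):
    """True if any 'allowed' entry of the rule covers TCP port 22."""
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = entry.get("ports")
        if not ports:                      # no port list means every port
            return True
        for spec in ports:                 # "22" or a range such as "20-25"
            low, _, high = spec.partition("-")
            if int(low) <= 22 <= int(high or low):
                return True
    return False

def ssh_exposure(rules, network="default"):
    """Classify enabled ingress allow rules admitting tcp/22 (deny rules, priority, tags not evaluated)."""
    report = {}
    for rule in rules:
        if (rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled")
                or not rule.get("network", "").endswith("/networks/" + network)
                or not allows_tcp_22(rule)):
            continue
        nets = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        if any(n.prefixlen == 0 for n in nets):
            report[rule["name"]] = "anywhere"
        elif nets and all(n.version == 4 and n.subnet_of(IAP_RANGE) for n in nets):
            report[rule["name"]] = "iap"
        else:
            report[rule["name"]] = "restricted"
    return report

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
NET = "https://www.googleapis.com/compute/v1/projects/project-1/global/networks/default"
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-ssh", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "allow-web", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]
```

An empty result from `ssh_exposure` means no allow rule admits port 22 on that network, the situation the "unable to connect to the VM on port 22" message points to; an "anywhere" entry means SSH is reachable from any address rather than only through IAP.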

Cannot access google cloud VM via SSH client through browser after VM restart

I created a GCP VM a month ago and have been connecting to the VM instance through the GCP console via the browser. It worked fine for the past month until the VM restarted. I did not create an SSH key or edit metadata, and everything so far uses the default settings. I cannot establish a connection after the VM restart. The browser keeps telling me it cannot establish the connection. I can ping this VM from another VM through the VPC. Any advice on it? Thanks in advance.
There are several ways to connect a Linux instance via the SSH. You can connect to an instance via the terminal. You can connect via the Cloud Console Web UI which is in general the most convenient way to connect to an instance. Also, you can use Google Cloud SDK and run below command to connect to an instance via SSH:
$ gcloud compute ssh [INSTANCE_NAME]
You can also use Cloud Shell to connect your instance from the Cloud Console web UI by using the same command as above. You can connect via the serial console using the Google Cloud Platform Console, the gcloud command-line tool, or a third-party SSH client.
The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata, and store your private key on the local machine from which you want to connect. There are other advanced methods to connect to an instance which you can find at this link.
By default, the gcloud compute command-line tool uses the $USER variable to add users to the /etc/passwd file for connecting to virtual machine instances using SSH. You can specify a different user using the --ssh-key-file PRIVATE_KEY_FILE flag when running the gcloud compute ssh command. Depending on your use case and convenience, you can use any method consistently.
If you fail to connect to your instance after following these methods, then I would suggest checking this troubleshooting page for SSH and following the instructions that match your use case.

Unable to connect to AWS EC2 instance (Permission denied publickey)

I am trying to connect to an EC2 instance which I recently spun up via the following SSH command from my Mac OS:
ssh -v -i ~/.ssh/mykey.pem ec2-***.us-east-2.compute.amazonaws.com
I have removed the exact DNS name as it is probably not relevant here. Before I attempted to connect, I took the following steps:
Added a rule for inbound SSH traffic (using my IP)
Created an SSH key in AWS before spinning up the instance
Placed the private key mykey.pem file in my user .ssh folder
I have read many SO questions and other documentation, which is why I was even able to put the above steps together. I am at a loss as to why I can't connect to my EC2 instance, but I am hoping someone will see a flaw in what I am doing here.
You are missing the user name:
ssh -i ~/.ssh/key.pem ec2-user@host-or-ip
Depending on the type of instance, that user name may be ec2-user (amazon linux) or ubuntu (ubuntu). Other versions may have different requirements (some older redhat instances still use root, for example), but that should cover most cases.