Google Cloud Instances Firewall Unable to Login SSH - google-cloud-platform

I logged to my ssh in google cloud Linux Machine by mistake i changed firewall rule and i lost ssh connection. now i am not able login to ssh(22), Is there any way to recover that ?
I know I can take shanpshots of my machine and create new instances using that snapshot. but is there anyway to get again ssh login in same machine or i have to delete it.

Try connecting to the instance via the serial console: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console. From there you should be able to repair the firewall rules.

pjhsea I tried your steps and it is connecting to serial port but it asks passphrase. I was not sure where I have given this passphrase. If you try to access serial port on gcloud console then it always asks for passphrase.
So I tried below steps and I was able to connect to serial port to change firewall setting on my ubuntu VM.
Goto Compute Engine -> VM Instances fro left side menu.
Click on name of the VM you are facing issue connecting using SSH.
It will open VM Instance details page.
On details tab under VM name there will be two dropdown for remote access.
SSH and Connect to serial console.
Click on serial console and select serial port 1(console)
This connect to serial console without any passphrase and I was able to change my firewall rules using below command.
ufw allow 22
Now you should be able to connect using SSH.

Related

Can't SSH into Google Cloud VM

I was able to successfully SSH into the Google Cloud VM I had set up yesterday, but today for some reason I can't, and I didn't mess with any of the settings, especially not the Firewall settings. It keeps giving me these errors now:
Connection via Cloud Identity-Aware Proxy Failed
Code: 4003
Reason: failed to connect to backend
You may be able to connect without using the Cloud Identity-Aware Proxy.
Then when I click on "Connect without Identity-Aware Proxy" I get the following error:
Connection Failed
We are unable to connect to the VM on port 22. Learn more about possible causes of this issue.
I don't know what happened. Yesterday it was working fine and now it's not.
At first, try to disable Cloud Identity-Aware Proxy and connect to the VM instance via web Console.
After that, check logs:
Go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM -> at the VM instance details find section Logs and click on Serial port 1 (console)
Reboot your VM instance.
Check full boot log for any errors or/and warnings.
If your VM instance doesn't start up verify that your disk has a valid file system and a valid master boot record (MBR) by following the documentation General troubleshooting.
If you found errors/warning related to disk space you can try to resize it accordingly to the documentation Resizing a zonal persistent disk, also accordingly to the article Recovering an inaccessible instance or a full boot disk:
If an instance is completely out of disk space or if it is not running
a Linux guest environment, then automatically resizing your root
filesystem isn't possible, even after you've increased the size of the
persistent disk that backs it. If you can't connect to your instance,
or your boot disk is full and you can't resize it, you must create a
new instance and recreate the boot disk from a snapshot to resize it.
Otherwise try get access to your VM instance via serial console :
Enable serial console connection with gcloud command:
gcloud compute instances add-metadata NAME_OF_YOUR_VM_INSTANCE \
--metadata serial-port-enable=TRUE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> click on EDIT -> go to section Remote access and check Enable connecting to serial ports
Create temporary user and password to login: shutdown your VM and set a startup script by adding at the section Custom metadata key startup-script and value:
useradd --groups google_sudoers tempuser
echo "tempuser:password" | chpasswd
and then start your VM.
Connect to your VM via serial port with gcloud command:
gcloud compute connect-to-serial-port NAME_OF_YOUR_VM_INSTANCE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> and click on Connect to serial console
Check what went wrong.
Disable access via serial port with gcloud command:
gcloud compute instances add-metadata NAME_OF_YOUR_VM_INSTANCE \
--metadata serial-port-enable=FALSE
or go to Compute Engine -> VM instances -> click on NAME_OF_YOUR_VM_INSTANCE -> click on EDIT -> go to section Remote access and uncheck Enable connecting to serial ports. Keep in mind that accordingly to the documentation Interacting with the serial console:
Caution: The interactive serial console does not support IP-based access
restrictions such as IP whitelists. If you enable the interactive
serial console on an instance, clients can attempt to connect to that
instance from any IP address. Anybody can connect to that instance if
they know the correct SSH key, username, project ID, zone, and
instance name. Use firewall rules to control access to your network
and specific ports.
If you weren't able to connect via serial console, try follow the documentation Troubleshooting SSH section Inspect the VM instance without shutting it down and inspect the disk of your VM on another VM. Same way you can transfer your data to another working VM instance.
I had had the same issue while running composer update.
In my case an rebooting of the VM-Instance has solved it.
Beased on these error messages, I guess that your project has Identity-Aware Proxy (IAP) enabled, which sometimes may affect the ability to SSH into an instance, depending on the configuration.
In order to rule out this, you may try the following:
Create the firewall rules for allowing IAP to connect to your instances
Grant the necessary permissions to use IAP
Tunnel the SSH connection through IAP

Cannot connect o google cloud VM

When trying to connect to my google cloud RDP i receive an error saying that my RDP is offline when it is not. At first I thought the error was on my side, but after trying with another RDP it worked fine, any ideas?
You should first check that port 3389 is open on the GCE firewall. If not, run a command like this to create the rule $ gcloud compute firewall-rules create rdp --allow tcp:3389 --source-ranges 0.0.0.0/0 . More info is available here.
Here is a document to troubleshoot RDP issues, you can try these steps. Also you can connect to the instance using a serial console.

SSH browser doesn't work in Compute Engine GCP

When i click the SSH button in the Complete Engine page, the shell window pops up and it shows that the ssh keys are being migrated. After that dialog disappears, nothing happens. I get a blank page without any prompt.
If you're using Firefox (same as me). This seems to be the problem as chrome works fine. Apparently Firefox has a bug. Idk if it's an actual bug or it's done on purpose because sometimes (less times) this works on Firefox and then sometimes doesn't unless I keep and keep reopening an closing the SSH.
Instead of opening and closing every time hoping for a chance to work and or using chrome, If you have linux or in my case I have Windows subsystem for Linux on my windows computer, so I can just SSH to it.
For windows, you could use the subsystem, or use Putty (Here's a putty tutorial https://www.youtube.com/watch?v=fmh94mNQHQc on how to connect to GCC) That putty tutorial is also similar to how you can do it on the subsystem so you can still watch it for that too
It's a bug in a Chromium library that affects Firefox. Use Chrome as a workaround.
To use the browser to SSH to a GCE instance, you need to be a compute instance admin. Also, if you run that instance with a Service Account, your account need to be a Service Account user. Check this link for more information: https://cloud.google.com/compute/docs/ssh-in-browser
In addition, did you check that your firewall allows connections to SSH port (22) from Google IP ranges ?
You can find them by using these commands (see https://support.google.com/a/answer/60764)
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
You can try different methods of connecting an instance to see if the issue is underlying at SSH or somewhere else.
There are several ways to connect a Linux instance via the SSH. You can connect to an instance via the terminal. You can connect via the Cloud Console Web UI which is in general the most convenient way to connect to an instance. Also, you can use Google Cloud SDK and run below command to connect to an instance via SSH:
$ gcloud compute ssh [INSTANCE_NAME]
You can also use Cloud Shell to connect your instance from the Cloud Console web UI by using the same command as above. You can connect via the serial console using the Google Cloud Platform Console, the gcloud command-line tool, or a third-party SSH client. The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata, and store your private key on the local machine from which you want to connect. There are other advanced methods to connect to an instance.
I would also recommend to check if you have firewall rule for port 22 which is required for SSH. You can go to the VPC Network from Cloud Console and then Firewall Rules tab, check if you have firewall rule for port 22 and that rule applied to affected instance or not. If there no firewall rule for port 22, create firewall rule and apply to the affected instance.
You can also follow this SSH troubleshooting steps mentioned at this link.
I have the same problem and after recreating 4 instances and going thru every possible ssh key scenario I decided to try chrome and it worked fine whereas in firefox i get the blank black screen after the key handshake. I watched thru the serial port and the sys log showed all of the same entries for my broken web ssh session in firefox as it did for the working chrome web ssh session which means it has to be a problem with firefox.
Same issue. Ad blocker was to blame. Try whitelisting, disabling or use a private window.

Cannot access google cloud VM via SSH client through browser after VM restart

I created GCP VM for one month and connect VM instance through GCP console via browser.It worked fine for past one month until VM restart. I did not create ssh key/edit metadata and very thing so far is used default setting. I cannot establish connection after VM restart. The browser kept prompt me cannot establish the connection. I can ping this VM from another VM through VPC. any advise on it. Thank in advance.
There are several ways to connect a Linux instance via the SSH. You can connect to an instance via the terminal. You can connect via the Cloud Console Web UI which is in general the most convenient way to connect to an instance. Also, you can use Google Cloud SDK and run below command to connect to an instance via SSH:
$ gcloud compute ssh [INSTANCE_NAME]
You can also use Cloud Shell to connect your instance from the Cloud Console web UI by using the same command as above. You can connect via the serial console using the Google Cloud Platform Console, the gcloud command-line tool, or a third-party SSH client.
The serial console authenticates users with SSH keys. Specifically, you must add your public SSH key to the project or instance metadata, and store your private key on the local machine from which you want to connect. There are other advanced methods to connect to an instance which you can find at this link.
By default, the gcloud compute command-line tool uses the $USER variable to add users to the /etc/passwd file for connecting to virtual machine instances using SSH. You can specify a different user using the --ssh-key-file PRIVATE_KEY_FILE flag when running the gcloud compute ssh command. Depending on your use case and convenience, you can use any method consistently.
If you fail to connect to your instance upon following these methods then I would suggest to check this troubleshooting page for SSH and follow the instruction that matches your use case.

Access console of new VM without requiring RDP access through firewall?

I don't have outbound RDP access, and want to connect to a new VM created on google cloud.
Is there a built in console for controlling them?
You can access the VM serial console.
To access the VM serial console, you have to go to: https://console.cloud.google.com/compute/instances?project=[your-project-id] then click on the name of your virtual instance, then check the option "Enable connecting to serial ports". After that click on "Connect to serial port"