38

I created a VM via Bitnami in Google Compute Engine. Previously, I was able to ssh via the Bitnami web interface. I tried to ssh via the terminal on my Mac but kept getting the Permission denied (publickey) error. I then deleted all keys on the server and my Mac, downloaded the pem file from Bitnami and used the -i option to connect, but the problem still persists.

    ssh -i bitnami-gce.pem xxx@1xx.1xx.5x.1xx -v

Complete debug info:

    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to 1xx.1xx.5x.1xx [1xx.1xx.5x.1xx] port 22.
    debug1: Connection established.
    debug1: identity file bitnami-gce.pem type -1
    debug1: identity file bitnami-gce.pem-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Debian-4~bpo70+1
    debug1: match: OpenSSH_6.6.1p1 Debian-4~bpo70+1 pat OpenSSH*
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
    debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA <RSA KEY>
    debug1: Host '1xx.1xx.5x.1xx' is known and matches the RSA host key.
    debug1: Found key in /Users/xxx/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: bitnami-gce.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).

I am unable to ssh to the host, so I can't send any keys to the server now. How do I resolve this?

Edit: I tried to ssh via the Google web console and I could do it. Can anyone tell me the exact steps to ssh from anywhere? I prefer the simple username and password way; how do I configure it that way?

Michael Hampton
NEO

7 Answers

30

After I was able to ssh via Google web console, I did the following steps to resolve this:

  1. Generate ssh key using

    ssh-keygen

  2. Copy the key.pub file contents

  3. Append the contents to ~/.ssh/authorized_keys file

    sudo nano ~/.ssh/authorized_keys

Misha Brukman
NEO
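The append step in the answer above, as an added example that is not part of the original post: sshd's StrictModes setting (on by default) ignores authorized_keys when the file or its directories are writable by others or owned by another user, so this sketch appends the key once and sets the modes explicitly. The function names `install_pubkey` and `mode_of` are hypothetical.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys once, with the
# permissions sshd expects. Run on the VM as the user who will log in
# (no sudo, so the files stay owned by that user).

# install_pubkey PUBKEY_FILE [HOME_DIR]
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pub=$1
    home=${2:-$HOME}
    [ -s "$pub" ] || { echo "no such public key file: $pub" >&2; exit 1; }
    # Never place a private key on the server: both PEM and OpenSSH
    # private key headers contain the words "PRIVATE KEY".
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        exit 1
    fi
    umask 077
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    key=$(head -n 1 "$pub")
    # -x matches the whole line, -F treats the key as a fixed string:
    # skip the append when this exact key is already present.
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
)

# Print the octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on the VM:
#   install_pubkey ~/key.pub
#   mode_of ~/.ssh                   # expect 700
#   mode_of ~/.ssh/authorized_keys   # expect 600
```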
16

I faced the same situation because of the user. On the Google web SSH, my user name was shown as the first part of my email. So, I was trying to ssh like this:

    ssh <first_part_of_gmail>@google_vm_external_ip

Later, I discovered that Google creates a user based on the SSH key that you put in the Google VM settings. So, first check the user at the end of the public key, and try the following:

    ssh <user_name_at_the_end_of_public_key>@google_vm_external_ip
maruf571
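The username check described in the answer above, as an added example that is not part of the original post: it reads the comment at the end of a public key line and lists the login names in an `ssh-keys` metadata value, whose entries have the form `USERNAME:KEY`. The function names and the sample key are constructed, and taking the part of the comment before any `@` as the login name is an assumption.

```shell
#!/bin/sh
# Added example: work out which login name a public key maps to.

# Constructed sample key line, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed alice@macbook.local'

# Print the comment field of an OpenSSH public key line:
# "<type> <base64> [comment]" -> "comment" (empty if there is none).
pubkey_comment() {
    printf '%s\n' "$1" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Print the user part of the comment: "alice@laptop" -> "alice".
# Assumption: the login name is the comment up to the first "@".
login_user_from_pubkey() {
    comment=$(pubkey_comment "$1")
    [ -n "$comment" ] || {
        echo "key has no comment; no username can be derived" >&2
        return 1
    }
    printf '%s\n' "${comment%%@*}"
}

# Build the "USERNAME:KEY" entry used in the ssh-keys metadata value.
metadata_entry() {
    user=$(login_user_from_pubkey "$1") || return 1
    printf '%s:%s\n' "$user" "$1"
}

# List the distinct login names in an ssh-keys metadata value
# (one "USERNAME:KEY" entry per line on stdin).
metadata_users() {
    awk -F: 'NF > 1 && $1 != "" { print $1 }' | sort -u
}

# Usage:
#   login_user_from_pubkey "$(cat ~/.ssh/id_rsa.pub)"
#   ssh "$(login_user_from_pubkey "$SAMPLE_KEY")@<vm_external_ip>"
```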
11

Make sure you don't have OS Login enabled. Docs read:

If you manage your SSH keys by using OS Login on instances, metadata-based SSH key configurations on those instances are disabled

and

Caution: Enabling OS Login on instances disables metadata-based SSH key configurations on those instances. Disabling OS Login restores SSH keys that you have configured in project or instance metadata.

To verify, go to project-level metadata (Compute Engine -> Metadata) and ensure that you have either no enable-oslogin key or that it is set to FALSE.

Voy
  • This saved me tons of frustration. Thank you. – Promise Preston Sep 01 '20 at 21:55
  • 3
    Indeed @PromisePreston I wasted 3 days and some 2 hours on live chat to figure this one out. Glad it helps! – Voy Sep 03 '20 at 06:47
  • Thanks @Voy! This saved the day for me too! – Yoni Rabinovitch Oct 27 '21 at 09:37
  • There is also the option to disable oslogin only for a particular instance: 1. On the instance details page, click Edit. 2. Under Custom metadata, add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable OS Login on the instance. source: https://cloud.google.com/compute/docs/instances/managing-instance-access – nkaenzig Feb 03 '22 at 14:08
5

When your instance is first created, it will not have any SSH keys in it by default, so you have to transfer them there, e.g., by using gcloud to connect to it the first time as described in this SO answer or by manually creating SSH keys and manually adding them to your instance as described in another SO answer.

Misha Brukman
2

I had the same issue, and used the gcloud command to log in for the first time and added this to /etc/ssh/sshd_config:

    PubkeyAcceptedKeyTypes  +ssh-dss

After that, I restarted the service:

    systemctl restart sshd
Mark Watney
Maoz Zadok
0

You need to make sure that the permission of your file bitnami-gce.pem is 600.

Try chmod 600 bitnami-gce.pem

Regards, Ahmed

-1

It's an old question, but I had this issue today too and fixed it by following these steps:

  1. generate the ssh public key from your local computer
  2. copy the public key to gcc virtual machine settings

and then connect.

These steps will guide you to connecting to your gcc vm instance on the macOS terminal using ssh: https://nabtron.com/gcc-mac-terminal/ and will fix the issue of permission denied (publickey) too.

I hope it helps.

Nabeel Khan