4

I've got two VMs set up on Google Cloud Platform. server1 uses an Ubuntu 16.04 image [g1-small (1 vCPU, 1.7 GB memory)]; and the newly created VM, called server2, uses a CoreOS Stable image [f1-micro (1 vCPU, 0.6 GB memory)].

The main problem is I can't connect to server2 even though I'm using the same SSH Key and user.

I'll be using this link to compare two output results from ssh -v.


To make sure I tested this right I erased the files google_compute_engine, google_compute_engine.pub, google_compute_known_hosts and the contents from known_hosts in the folder /Users/userz/.ssh.

Then executed the command `gcloud init` and then `gcloud compute config-ssh`, which detected that there are no SSH Keys and guided me through the creation of a new one while asking for a passphrase, not a password. That new SSH Key is the one being used in this test.

If you see the first link for server1, ssh ends up asking for the passphrase. But for server2 ssh ends up asking for a password, where it does not matter what I enter, it just comes as a wrong input every time.

The passwords I tried were: the same passphrase, my login password for the google account, the admin password of the local machine, and every other password I can remember using. And yet wrong input.

Why is there this difference when I'm using the same method to connect to the VMs? What can I do to solve this, since I do not know, nor did I set up, any password on server2 (newly created)?

I may add as a note that connecting through Cloud Shell asks for the passphrase and connects easily.


server1 output:

```
ssh -v server1
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/userz/.ssh/config
debug1: /Users/userz/.ssh/config line 51: Applying options for server1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to XXX.XXX.XX.XX [XXX.XXX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /Users/userz/.ssh/google_compute_engine type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/userz/.ssh/google_compute_engine-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to XXX.XXX.XX.XX:22 as 'userz'
debug1: using hostkeyalias: compute.hostkeyaliasX
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug1: using hostkeyalias: compute.hostkeyaliasX
debug1: Host 'compute.hostkeyaliasX' is known and matches the ECDSA host key.
debug1: Found key in /Users/userz/.ssh/google_compute_known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/userz/.ssh/google_compute_engine
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
Enter passphrase for key '/Users/userz/.ssh/google_compute_engine':
```

server2 output:

```
ssh -v server2
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/userz/.ssh/config
debug1: /Users/userz/.ssh/config line 43: Applying options for server2
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to YY.YYY.YYY.YYY [YY.YYY.YYY.YYY] port 22.
debug1: Connection established.
debug1: identity file /Users/userz/.ssh/google_compute_engine type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/userz/.ssh/google_compute_engine-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to YY.YYY.YYY.YYY:22 as 'userz'
debug1: using hostkeyalias: compute.hostkeyaliasY
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
debug1: using hostkeyalias: compute.hostkeyaliasY
debug1: Host 'compute.hostkeyaliasY' is known and matches the ECDSA host key.
debug1: Found key in /Users/userz/.ssh/google_compute_known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/userz/.ssh/google_compute_engine
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
```
fillipvt
  • Can you use `gcloud compute ssh `? – Craig Watson Sep 28 '17 at 17:12
  • @CraigWatson it is the same result, keeps asking for the same "wrong" password – fillipvt Sep 28 '17 at 17:20
  • Maybe `server1:.ssh/authorized-keys` has your client's public key, and `server2:.ssh/authorized-keys` does not? – axus Sep 28 '17 at 19:50
  • @axus Just checked `server2:.ssh/authorized-keys` via `Cloud Shell` (through another user, not `userz`) and in `server2` the user `userz` hasn't been created yet. Shouldn't `gcloud` have taken care of that already? – fillipvt Sep 28 '17 at 20:18
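
Added example (not part of the original question or answers): the two `ssh -v` outputs above differ at the line that follows the key offer, and this shell function reports that difference mechanically. The names `diagnose_ssh_log`, `sample_server1` and `sample_server2` are hypothetical; the sample lines are copied from the question's output.

```shell
#!/bin/sh
# diagnose_ssh_log (hypothetical name) reads `ssh -v` output on stdin and prints:
#   accepted <keyfile>  the server sent "Server accepts key" for the offered key
#   rejected <keyfile>  the server answered the offer with a new list of methods
#   fallback <method>   the client moved on to a non-publickey method
diagnose_ssh_log() {
    awk '
        /^debug1: Offering .*public key: / {
            line = $0
            sub(/^debug1: Offering .*public key: /, "", line)
            split(line, parts, " ")   # first word after the prefix is the key path
            key = parts[1]; pending = 1; next
        }
        pending && /^debug1: Server accepts key/ {
            print "accepted " key; pending = 0; next
        }
        pending && /^debug1: Authentications that can continue:/ {
            print "rejected " key; pending = 0; next
        }
        /^debug1: Next authentication method: / && $NF != "publickey" {
            print "fallback " $NF
        }
    '
}

# Authentication lines copied from the server1 output in the question.
sample_server1() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/userz/.ssh/google_compute_engine
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
EOF
}

# Authentication lines copied from the server2 output in the question.
sample_server2() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/userz/.ssh/google_compute_engine
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
EOF
}

echo "server1:"; sample_server1 | diagnose_ssh_log
echo "server2:"; sample_server2 | diagnose_ssh_log
```

On a live attempt, `ssh -v server2 2>&1 | diagnose_ssh_log` gives the same verdicts. A `rejected` line means the server refused that key for that user, so the password prompt that follows is only the client's fallback and no passphrase will satisfy it.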

3 Answers

4

Before doing the following, please back up your ~/.ssh/config file. You may have a bad time if not.

This was solved by deleting the configuration done by gcloud with

```
gcloud compute config-ssh --remove
```

After that, reinstall the configuration by running the same command as stated in the question:

```
gcloud compute config-ssh
```

This adds an alias for the instance to the user SSH configuration (~/.ssh/config) file and updates the project SSH metadata.

N Singh
fillipvt
  • Actually I did not need to do this. Just adding the **Service Account User** role (`roles/iam.serviceAccountUser`) to my UserAccount (or ServiceAccount if I am using ServiceAccount to log in) solved the whole issue for me – Rakib Oct 28 '20 at 09:41
0

Adding the Service Account User role (roles/iam.serviceAccountUser) to my UserAccount (or to my ServiceAccount if I am using a ServiceAccount to log in) solved the whole issue for me.

See Step 4 Point 2 in https://cloud.google.com/compute/docs/instances/managing-instance-access#configure_users

No need to write/remove/re-write ~/.ssh values or anything.

Rakib
0

After going through this, I fixed it with:

```
export PROB_INSTANCE='your-instance-name'
gcloud compute ssh another-user@$PROB_INSTANCE
```

because the permissions on the ~/.ssh/authorized_keys file were not set correctly for the user I was trying to SSH into as previously.

However, YMMV, and this is just what worked for me.

Matias