Does Google Cloud change the server’ ssh keys automatically

google-cloud-platformgoogle-compute-engine

I'm a new Google Cloud user. Today I've realized I can't connect any of my servers with this error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:******.
Please contact your system administrator.
Add correct host key in /home/roberto/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/roberto/.ssh/known_hosts:9
  remove with:
  ssh-keygen -f "/home/roberto/.ssh/known_hosts" -R 10.10.10.10
ECDSA host key for 10.10.10.10 has changed and you have requested strict checking.
Host key verification failed.

Does Google automatically update/change the ssh keys of their servers?

Best Answer

Yes actually, Google Does change your hostkey in some cases.

For example, hostkey will change during host maintenance migrations if that is enabled.
The key will change if any changes are made requiring recreating the instance are needed: something as dumb as setting a scope, adding a service account, or even the lovely setting a description on an instance will force a replacement of a VM and the host key will change.

Related Solutions

Ssh – How to change SSH key on Google Cloud

Just replace ~/.ssh/google_compute_engine with the new key and use gcloud compute ssh as you normally would to get access to your VM instances; the key will be automatically propagated to the instances that don't already have it.

If you want to remove the previous key(s), remove them from the metadata for all of the instances where it might have been used; the entry attribute/sshKeys has a list of ssh keys. See the docs for Default metadata for more info.

See the docs for Setting custom metadata for how you can use gcloud to script changes to either project-wide or per-VM-instance metadata.

Using JSON keys with google cloud gsutil

The short version is to run the following command and follow instructions:

gsutil config -e

The gsutil tool has built-in help which can be consulted for all kinds of options and modes of operation. When running gsutil help creds, one of the help options recommended when running gsutil alone, we can read the section on "OAuth2 Service Account" to see the instructions for using a service account's json key file:

OAuth2 Service Account:

This is the preferred type of credential to use when authenticating on
behalf of a service or application (as opposed to a user). For example, if
you will run gsutil out of a nightly cron job to upload/download data,
using a service account allows the cron job not to depend on credentials of
an individual employee at your company. This is the type of credential that
will be configured when you run "gsutil config -e".

It is important to note that a service account is considered an Editor by
default for the purposes of API access, rather than an Owner. In particular,
the fact that Editors have OWNER access in the default object and
bucket ACLs, but the canned ACL options remove OWNER access from
Editors, can lead to unexpected results. The solution to this problem is to
ensure the service account is an Owner in the Permissions tab for your
project. To find the email address of your service account, visit the
`Google Developers Console <https://cloud.google.com/console#/project>`_,
click on the project you're using, click "APIs & auth", and click
"Credentials".

To create a service account, visit the Google Developers Console and then:

   - Click "APIs & auth" in the left sidebar.

   - Click "Credentials".

   - Click "Create New Client ID".

   - Select "Service Account" as your application type.

   - Save the JSON private key or the .p12 private key and password
     provided.

For further information about account roles, see:
  https://developers.google.com/console/help/#DifferentRoles

For more details about OAuth2 service accounts, see:
  https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Best Answer

Related Solutions

Ssh – How to change SSH key on Google Cloud

Using JSON keys with google cloud gsutil

Related Topic