I can no longer SSH to a VM on GCP after a reboot

google-cloud-platformgoogle-compute-engine

I have an UBUNTU 14.04 LTS VM that I was able to ssh into using normal SSH user with a password. After I rebooted the password is not being accepted. This is the only plain user account on the system.

I have tried using GCP SSH, both from the command line and using the GCP web as well as the serial console with no luck.

This VM was migrated from an Azure platform and does not have the GCP daemon on it (or it doesn't work) but it has always had plain SSH login just fine until now.

This is the tail of the ssh -v for the method that has always worked before.

debug1: Next authentication method: password
mi2@mii21.mi-squared.com's password: 
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.

I added my public key directly to the GCP VM instance hoping that would get me in using my google user account (like on most of the the other VMs I created via GCP) but that does not work either.

-- The VM serial console output may provide details to aid in troubleshooting connection problems.

Serial console ONLY shows activity from the last plain login attempt, so I suspect GCP daemon is not running on the instance at all.

Is there some method to create a alternative login or some other options anyone can suggest?

Best Answer

(I cannot comment to your question due to insufficient reputation.)

Is there some method to create a alternative login or some other options anyone can suggest?

I'm not sure whether that my understanding is correct or this answer will satisfy your question or not. I did a trick with ssh with pem file to GCE. The instance is required to have non-ephemeral IP address, let's say static IP address. As I can share this private key to my colleague (do it with your own risk of the leaking key).

Here's the steps to setup ssh with key file :

To create a new key in server ssh-keygen -t rsa -b 2048 -v
Follow the instruction including key location and key passphrase.
Append new key to authorized_keys cat /your/key/path/key.pub >> ~/.ssh/authorized_keys
Rename privatekey into .pem extension (optional)
Copy private key file to remote machine and set permission to 400 chmod 400 [KEY]
Test ssh connection with key file ssh -i [KEY(.pem)] [USER]@[HOST IP]

Edit: As @faizan indicated in comment if do not have serial console access to the VM, try adding the ssh keys to the ~/.ssh/authorized_keys using startup script.

That's it.

PS. Google compute engine create user per session if you not identified username. It depends on Google cloud SDK credential that you use. But log in with private key should work fine for ssh for any machine.

Related Solutions

Ssh – Can’t ssh to GCP server

First we have to make sure that OpenSSH daemon is running and that it is able to respond to connections. That is to say that a local firewall on the instance does not deny SSH connections, or that the SSH daemon is not controlled by TCP Wrapper or SSH Guard.

You can test the response from SSH daemon with net cat (nc command), telnet or nmap on port 22 from the Cloud Shell. You might have to install the packages in the Cloud Shell session. this an example of install for NetCat tool:

sudo apt-get install -y netcat
nc <instance IP> 22

If OpenSSH is running and not blocked you should have a response showing OpenSSH version of the daemon.

In order to check local firewalling it would be interesting to stop iptables in your startup script with the command:

Service iptables stop

In the case that SSH would be controlled by TCP Wrapper, entries would be added in /etc/hosts.allow and /etc/hosts.deny files. You could flush those files in your startup script after keeping them as backup:

cp -p /etc/hosts.allow /etc/hosts.allow.bak`date +%Y%m%d_%H%M`
cp -p /etc/hosts.deny /etc/hosts.deny.bak`date +%Y%m%d_%H%M`
> /etc/hosts.allow
> /etc/hosts.deny

You tried to start SSh daemon on the startup script, which is fine but please note that sudo command must not be used in the startup script as it runs with root credentials. In the startup script all commands issued with sudo are rejected.

You can then set the following startup script and reboot the instance:

#! /bin/bash 
apt-get remove --auto-remove sshguard 
apt-get purge --auto-remove sshguard
service iptables stop
cp -p /etc/hosts.allow /etc/hosts.allow.bak`date +%Y%m%d_%H%M`
cp -p /etc/hosts.deny /etc/hosts.deny.bak`date +%Y%m%d_%H%M`
> /etc/hosts.allow
> /etc/hosts.deny

Ssh – GCP metadata Transferring to SSH Keys – Permission Denied

There are a couple of things to check why the SSH is failing, for example:

If the instance has OS Login enable then connecting with metadata-based SSH keys is not allowed.

If you are using a third party tool to access by SSH please ensure that you are using the private key correctly and the public is added to the instance metadata.

To troubleshoot this please refer to this documentation [1].

To verify your keys and connecting using advance methods, please follow this documentation [2].

[1] https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh

[2] https://cloud.google.com/compute/docs/instances/connecting-advanced

Best Answer

Related Solutions

Ssh – Can’t ssh to GCP server

Ssh – GCP metadata Transferring to SSH Keys – Permission Denied

Related Topic