46

After creating the instance, I can login using gcutil or ssh. I tried copy/paste from the ssh link listed at the bottom of the instance and get the same error message.

user2416533
  • Have you tried installing gcutil and running `gcutil ssh `? – Benson May 24 '13 at 12:28
  • yes, I'm using gcutil to create the instance. the copy/paste from the ssh link at the bottom of the instance uses gcutil as well. – user2416533 May 24 '13 at 16:07
  • ./gcutil --service_version="v1beta15" --project="splunk-01" ssh --zone="us-central1-a" "ob-e1" – user2416533 May 24 '13 at 16:09
  • 1
    Google Compute Engine SDK is just full of bugs (I guess it's still in the never-ending beta). I get the same error when I try to connect to Red Hat/CentOS instances. Debian works. Solution: Migrate to a different provider before it is too late (my case). – Anthony Hunt Aug 10 '15 at 12:00
  • Windows, Mac or what's on the client? – pyfork Aug 13 '17 at 15:10

11 Answers

46

The permission denied error probably indicates that SSH private key authentication has failed. Assuming that you're using an image derived from the Debian or CentOS images recommended by gcutil, it's likely one of the following:

  1. You don't have any ssh keys loaded into your ssh keychain, and you haven't specified a private ssh key with the -i option.
  2. None of your ssh keys match the entries in .ssh/authorized_keys for the account you're attempting to log in to.
  3. You're attempting to log into an account that doesn't exist on the machine, or attempting to log in as root. (The default images disable direct root login – most ssh brute-force attacks are against root or other well-known accounts with weak passwords.)

How to determine what accounts and keys are on the instance:

There's a script that runs every minute on the standard Compute Engine CentOS and Debian images which fetches the 'sshKeys' metadata entry from the metadata server, and creates accounts (with sudoers access) as necessary. This script expects entries of the form "account:\n" in the sshKeys metadata, and can put several entries into authorized_keys for a single account (or create multiple accounts if desired).

In recent versions of the image, this script sends its output to the serial port via syslog, as well as to the local logs on the machine. You can read the last 1MB of serial port output via gcutil getserialportoutput, which can be handy when the machine isn't responding via SSH.

How gcutil ssh works:

gcutil ssh does the following:

  1. Looks for a key in $HOME/.ssh/google_compute_engine, and calls ssh-keygen to create one if not present.
  2. Checks the current contents of the project metadata entry for sshKeys for an entry that looks like `${USER}:$(cat $HOME/.ssh/google_compute_engine.pub)`
  3. If no such entry exists, adds that entry to the project metadata, and waits for up to 5 minutes for the metadata change to propagate and for the script inside the VM to notice the new entry and create the new account.
  4. Once the new entry is in place, (or immediately, if the user:key was already present) gcutil ssh invokes ssh with a few command-line arguments to connect to the VM.

A few ways this could break down, and what you might be able to do to fix them:

  1. If you've removed or modified the scripts that read sshKeys, the console and command line tool won't realize that modifying sshKeys doesn't work, and a lot of the automatic magic above can get broken.
  2. If you're trying to use raw ssh, it may not find your .ssh/google_compute_engine key. You can fix this by using gcutil ssh, or by copying your ssh public key (ends in .pub) and adding to the sshKeys entry for the project or instance in the console. (You'll also need to put in a username, probably the same as your local-machine account name.)
  3. If you've never used gcutil ssh, you probably don't have a .ssh/google_compute_engine.pub file. You can either use ssh-keygen to create a new SSH public/private keypair and add it to sshKeys, as above, or use gcutil ssh to create them and manage sshKeys.
  4. If you're mostly using the console, it's possible that the account name in the sshKeys entry doesn't match your local username; you may need to supply the -l argument to SSH.
E. Anderson
  • 3
    Got it working. In the first section, #3 applied. gcutil was attempting to log in as root, which of course is denied. The reason it was attempting to log in as root was that I had installed gcutil on a Linux server which only had the root user created. Running gcutil from this Linux server as root defaulted to attempting to log in to the GCE server as root. The fix was to create a new user on the Linux server where gcutil is installed and run using this user rather than root. – user2416533 May 26 '13 at 06:47
  • 2
    Ouch, that's a bad one. We should probably make a suggestion in the `gcutil ssh` command that you'll want to set a user other than root if you're using our standard images. Added a feature request to track updating gcutil. – E. Anderson May 28 '13 at 19:09
  • 2
    @user2416533 please accept the answer since it solved your problem (besides giving credit where it's due, it also helps keep track of which questions have been answered and which are still unanswered). – Misha Brukman May 16 '14 at 20:00
  • I have python3 installed in my machine, and gcutil failed directly...syntax fail.. – Han.Oliver May 19 '20 at 07:56
3

Ensure that the permissions on your home directory and on the home directory of the user on the host you're connecting to are set to 700 (owning user rwx only, to prevent others seeing the .ssh subdirectory).

Then ensure that the ~/.ssh directory is also 700 (user rwx) and that the authorized_keys is 600 (user rw).

Private keys in your ~/.ssh directory should be 600 or 400 (user rw or user r).

zephya
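A check for the modes listed in the answer above, as an added example that is not part of the original post. The function name `audit_ssh_permissions` is hypothetical, and treating any file in `.ssh` with a matching `.pub` next to it as a private key is an assumption of this example.

```python
import os
import stat

# Modes taken from the answer above: (path relative to home, allowed modes).
EXPECTED = [
    ("", {0o700}),
    (".ssh", {0o700}),
    (".ssh/authorized_keys", {0o600}),
]


def audit_ssh_permissions(home):
    """Return (path, actual_mode, allowed_modes) for every mismatch under home."""
    checks = [(os.path.join(home, rel) if rel else home, allowed)
              for rel, allowed in EXPECTED]
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir):
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            # Assumption: a file with a sibling "<name>.pub" is a private key.
            if os.path.isfile(path + ".pub"):
                checks.append((path, {0o600, 0o400}))
    findings = []
    for path, allowed in checks:
        try:
            # lstat: report the mode of the entry itself, not a symlink target.
            mode = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            continue  # a missing file is a different problem, not a mode issue
        if mode not in allowed:
            findings.append((path, oct(mode), sorted(oct(m) for m in allowed)))
    return findings


if __name__ == "__main__":
    for path, mode, allowed in audit_ssh_permissions(os.path.expanduser("~")):
        print(f"{path}: mode {mode}, expected one of {allowed}")
```

Run it on both the client and, from a working session or the serial console, on the account you are logging in to.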
3

I was facing this issue for a long time. Finally, it was an issue with ssh-add. Git ssh credentials were not taken into consideration.

Check whether the following command works for you:

    ssh-add
Somnath Muluk
2

I had the same problem and for some reason the sshKeys was not syncing up with my user on the instance.

I created another user by adding --ssh_user=anotheruser to the gcutil command.

The gcutil command looked like this:

    gcutil --service_version="v1" --project="project" --ssh_user=anotheruser ssh --zone="us-central1-a" "inst1"
Reza Shahbazi
1

I just experienced a similar message [ mine was "Permission denied (publickey)"] after connecting to a compute engine VM which I just created. After reading this post, I decided to try it again.

That time it worked. So I see 3 possible reasons for it working the second time:

  • connecting the second time resolves the problem (after the ssh key was created the first time), or
  • perhaps trying to connect to a compute engine immediately after it was created could also cause a problem which resolves itself after a while, or
  • merely reading this post resolves the problem

I suspect the last is unlikely :)

erickCo
1

I found this error while connecting to an EC2 instance with ssh, and it comes up if I write the wrong user name.

E.g., for Ubuntu I need to use ubuntu as the user name, and for others I need to use ec2-user.

dinesh rajput
0

You haven't accepted an answer, so here's what worked for me in PuTTY:

Without allowing username changes, I got this question's subject as the error on the gateway machine.

Cees Timmerman
0

You need to follow these instructions: https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair

If you get "Permission denied (publickey)." with the following command, `ssh -i ~/.ssh/my-ssh-key [USERNAME]@[IP_ADDRESS]`, you need to modify the /etc/ssh/sshd_config file and add the line `AllowUsers [USERNAME]`

Then restart the ssh service with

    service ssh restart

If you get the message "Could not load host key: /etc/ssh/ssh_host_ed25519_key", execute: `ssh-keygen -A`

and finally restart the ssh service again.

    service ssh restart

Pablishe
0

I followed everything from here: https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair

But still there was an error and the SSH keys in my instance metadata weren't getting recognized.

Solution: Check if your ssh key has any new-line. When I copied my public key using cat, it added new lines into the key, thus breaking the key. I had to manually check for any line breaks and correct them.

janot
Skandy
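A checker for the sshKeys value described in E. Anderson's answer and for the pasted line break described in the answer above, as an added example that is not part of either post or of Google's tooling. It assumes one `account:key-type base64 [comment]` entry per line and a lowercase POSIX-style account name, and goes one step further than the posts by validating the length-prefixed fields inside the base64 blob; `diagnose`, `blob_ok` and the sample key are constructed for illustration.

```python
import base64
import re

ENTRY = re.compile(r"^([a-z_][a-z0-9_-]*):(\S+) (\S+)(?: .*)?$")


def blob_ok(ktype, blob):
    """True if blob is base64 of length-prefixed fields starting with ktype."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    fields, pos = [], 0
    while pos + 4 <= len(raw):
        n = int.from_bytes(raw[pos:pos + 4], "big")
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    # A truncated key leaves pos past (or short of) the end of the blob.
    return pos == len(raw) and len(fields) >= 2 and fields[0] == ktype.encode()


def diagnose(metadata, login_user, pubkey_line):
    """List reasons login_user + pubkey_line would get 'Permission denied'."""
    problems, owners = [], []
    ktype, blob = pubkey_line.split()[:2]
    for n, line in enumerate(metadata.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            if line.strip():
                problems.append(f"line {n}: not an 'account:type key' entry "
                                "(stray line break inside a key?)")
        elif not blob_ok(m.group(2), m.group(3)):
            problems.append(f"line {n}: key for {m.group(1)} is truncated or corrupt")
        elif (m.group(2), m.group(3)) == (ktype, blob):
            owners.append(m.group(1))
    if login_user == "root":
        problems.append("logging in as root, which the default images disable")
    if not owners:
        problems.append("your public key is not in sshKeys")
    elif login_user not in owners:
        problems.append(f"key belongs to {owners}, not {login_user}; use ssh -l")
    return problems


# Constructed sample: a structurally valid ed25519 blob with dummy key bytes.
_raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_raw).decode() + " alice@laptop"
GOOD = "alice:" + SAMPLE_PUB + "\n"
BROKEN = GOOD[:40] + "\n" + GOOD[40:]  # same entry with a pasted line break

if __name__ == "__main__":
    for meta, user in ((GOOD, "alice"), (GOOD, "root"), (BROKEN, "alice")):
        print(user, diagnose(meta, user, SAMPLE_PUB))
```

Feed it the sshKeys value copied from the project or instance metadata and the contents of your local `.pub` file; an empty list means the key and account name line up.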
0

The trick here is to use the -C (comment) parameter to specify your GCE userid. It looks like Google introduced this change last in 2018.

If the Google user who owns the GCE instance is myname@gmail.com (which you will use as your login userid), then generate the key pair with (for example)

    ssh-keygen -b521 -t ecdsa -C myname -f mykeypair

When you paste mykeypair.pub into the instance's public key list, you should see "myname" appear as the userid of the key.

Setting this up will let you use ssh, scp, etc from your command line.

Jonathan
0
  1. Add ssh public key to Google cloud
  • cat ~/.ssh/id_rsa.pub
  • go and click your VM instances
  • edit VM instances
  • add ssh public key (from id_rsa.pub) in SSH keys area
  2. ssh login from Git bash on your computer

    ssh -i ~/.ssh/id_rsa tiennt@x.y.z.120

Đọc truyện hay