0

For security concerns, I needed to set a GCP Compute Engine instance to not have an external IP (external IP = None). In that case, it defaults to Identity-Aware Proxy. IAP, to the same targets, does succeed from other machines, but not from some in my data center.

Even after fully configuring gcloud logging in/authenticating and:

```
gcloud config set project $PROJECTNAME
gcloud config set compute/zone us-central1-c
```

then running: `gcloud compute ssh $INSTANCENAME --tunnel-through-iap`

Returns:

```
command-line: line 0: Bad configuration option: ProxyUseFdpass
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
```

Unclear whether this points to an ssh_config issue or something else, but this is not my area, so I am a bit lost and not seeing other things related to this error. Any thoughts? The desired behavior is to not get the error on ProxyUseFdpass, and for ssh to connect successfully.

I also ran `gcloud compute ssh $INSTANCENAME --tunnel-through-iap --dry-run`, and what gets returned matches the results from successful places that connect.

bruce
  • Run these commands specifying the region and zone that your instance is in `gcloud config set compute/region REGION` and `gcloud config set compute/zone ZONE`. Then try again. https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region – John Hanley Mar 22 '20 at 23:25
  • Thanks @JohnHanley, agreed setting the zone would remove the first line error. Ultimately, that gets figured out by the gcloud interface (as does not including `--tunnel-through-iap`, it figures that out). For testing I now include both, to rule out cause. I'm most concerned with `command-line: line 0: Bad configuration option: ProxyUseFdpass`, which I'm not finding any good info on. Thanks again for looking and trying to help! – bruce Mar 23 '20 at 17:10
  • Do you still receive the error after configuring the CLI correctly? Edit your question to show what you have done and what error you are now seeing. – John Hanley Mar 23 '20 at 17:21
  • Edited, thanks again, @JohnHanley. Happy for advice on how to properly format/ask questions. Same results: `command-line: line 0: Bad configuration option: ProxyUseFdpass`. Also, any idea why this question was closed as off-topic? – bruce Mar 23 '20 at 17:40
  • Have you modified `~/.ssh/config`? Since your question is now closed, create a new question that follows StackOverflow guidelines. – John Hanley Mar 23 '20 at 18:06
  • @JohnHanley, thanks. Still haven't gotten confirmation from GCP on this one. But, all signs point to it being an older and unsupported version of OpenSSH (there is no actual documentation that there is a specific version dependency for gcloud/iap). I'm not able to use a more recent version (due to policy); am using the most updated version officially supported by the OS. – bruce Mar 26 '20 at 02:59
  • Seems a version issue; haven't pinned down the minimum required or what the fix will be. Asked GCP Support to update this thread once they've sorted out. Everything so far suggests too old of OpenSSH version (but minimum version for use with IAP compatibility documented). – bruce Apr 04 '20 at 05:20

1 Answer

0

Also, check if "Private Google access" is turned on for the subnet. This will allow the Google services to reach your VM. I had the same problem and turning on "Private Google access" solved the issue for me.

snamburi3
  • That's a great check, @snamburi3, and I imagine that'll help many others. It has been a while; I actually found out the problem was being on very old machines and OS, with an older version of ssh (that doesn't use some parameters, which I don't recall off the top of my head now). Since it's so old, it shouldn't be too relevant to many people. Which is also why I suspect that incompatibility isn't well documented by GCP. – bruce Nov 18 '20 at 19:25
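
A way to test whether a local ssh client accepts the `ProxyUseFdpass` option named in the error, without opening any connection; this is an added example, not part of the original thread and not gcloud's own code. It relies on ssh evaluating `-o` options as it reads its command line, and the function names and the `SSH_BIN` variable are hypothetical.

```shell
#!/bin/sh
# Added example: probe whether an OpenSSH client accepts a given -o option.
# ssh processes -o while parsing its arguments, so an unknown keyword fails
# with "Bad configuration option" before -V prints the version and exits.

# check_ssh_option SSH_BIN OPTION [VALUE]
# returns 0 = option accepted, 1 = rejected as unknown, 2 = could not probe
check_ssh_option() {
  local ssh_bin="$1" opt="$2" val="${3:-no}" out rc
  rc=0
  if ! command -v "$ssh_bin" >/dev/null 2>&1; then
    echo "cannot execute: $ssh_bin" >&2
    return 2
  fi
  # No host is given and -V exits early, so nothing is contacted.
  out="$("$ssh_bin" -o "${opt}=${val}" -V 2>&1)" || rc=$?
  if printf '%s\n' "$out" | grep -qi "Bad configuration option: *${opt}"; then
    return 1
  fi
  if [ "$rc" -eq 0 ]; then
    return 0
  fi
  return 2
}

# report_iap_ssh_readiness [SSH_BIN]
# Prints one status line for the option that the error above complains about.
report_iap_ssh_readiness() {
  local ssh_bin="${1:-ssh}" rc
  rc=0
  check_ssh_option "$ssh_bin" ProxyUseFdpass no 2>/dev/null || rc=$?
  case "$rc" in
    0) echo "OK: $ssh_bin accepts ProxyUseFdpass" ;;
    1) echo "UNSUPPORTED: $ssh_bin rejects ProxyUseFdpass" ;;
    *) echo "UNKNOWN: could not probe $ssh_bin" ;;
  esac
}

# SSH_BIN is a hypothetical override; the default is whatever ssh is on PATH.
report_iap_ssh_readiness "${SSH_BIN:-ssh}"
```

Running it on a machine that connects and on one that fails shows whether the difference is the ssh client itself rather than the gcloud configuration.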