How to resolve Permission denied (publickey,gssapi-keyex,gssapi-with-mic)? - ssh

This question may have been asked before but I don't understand the concept. Can you please help me here?
Weird issue from this morning .. see i just push my file to google cloud computing then showing below error.. I don't know where to look that error.
ri#ri-desktop:~$ gcloud compute --project "project" ssh --zone "europe-west1-b" "instance"
Warning: Permanently added '192.xx.xx.xx' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

This occurs when your compute instance has PermitRootLogin no in it's SSHD config and you try to login as root. You can change the login user by adding username# before the instance name. Here is a complete example:
gcloud compute instances create my-demo-compute \
--zone us-central1-f \
--machine-type f1-micro \
--image-project debian-cloud \
--image-family debian-8 \
--boot-disk-size=10GB
gcloud --quiet compute ssh user#hostname --zone us-central1-f
In the example above, gcloud will set the correct credentials and will make sure you login. You can add the --quiet to ignore the ssh-password question.

One possible cause is that someone else in your project set the per-instance metadata for sshKeys (which overrides the project-wide metadata). When you run gcloud compute instances describe your-instance-name do you see a key called sshKeys in the metadata items?
It would also be helpful to see the contents of the latest log in ~/.config/gcloud/logs/. However, please make sure to scrub it of sensitive information.

I have a MacBook after facing with same problem, I re-created my SSH key in this format and works fine.
Generate your key with:
ssh-keygen -t rsa -C your_username
Copy the key and paste the ssh key under compute Engine metadata:
cat ~/.ssh/id_rsa.pub
It should work fine

Related

Unable to ssh to master node of Google Cloud Dataproc, but can ssh to Compute Engine VM

I am having no trouble sshing into a Google Cloud compute engine VM, but am unable to ssh into the master node of a Google Cloud Dataproc cluster.
Specifically,
gcloud compute ssh my-vm
works just fine, while
gcloud compute ssh mycluster-m
fails with error message:
admin#IP.ADDRESS: Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
The compute engine VM and the Dataproc cluster are in the same project. I understand from the error message it is something related to the ssh keys, but I am not sure how to fix it - I checked the ssh keys in the project via cloud console, and it is correct, and tried the usual gcloud auth login to reset gcloud project login details.
Any hints on how to fix this?
Edits: I am trying to ssh from my machine, not the cloud console- that's a good point, I will try that and see if that is possible. But in the end I want to use this to connect to a Jupyter notebook from my local computer, so that does not solve the issue of being unable to SSH from my machine to the VM.
Concerning the command to create the Dataproc cluster, I use tools from the hail dataproc python library, but these are basically just convenience shells for the gcloud compute commands, and this is what is failing. But the command I used to create the Dataproc cluster was:
gcloud beta dataproc clusters create \
test \
--image-version=1.4-debian9 \
--properties=^|||^spark:spark.task.maxFailures=20|||spark:spark.driver.extraJavaOptions=-Xss4M|||spark:spark.executor.extraJavaOptions=-Xss4M|||spark:spark.speculation=true|||hdfs:dfs.replication=1|||dataproc:dataproc.logging.stackdriver.enable=false|||dataproc:dataproc.monitoring.stackdriver.enable=false|||spark:spark.driver.memory=41g \
--initialization-actions=gs://hail-common/hailctl/dataproc/0.2.53/init_notebook.py \
--metadata=^|||^WHEEL=gs://hail-common/hailctl/dataproc/0.2.53/hail-0.2.53-py3-none-any.whl|||PKGS=aiohttp>=3.6,<3.7|aiohttp_session>=2.7,<2.8|asyncinit>=0.2.4,<0.3|bokeh>1.1,<1.3|decorator<5|dill>=0.3.1.1,<0.4|gcsfs==0.2.1|humanize==1.0.0|hurry.filesize==0.9|nest_asyncio|numpy<2|pandas>0.24,<0.26|parsimonious<0.9|PyJWT|python-json-logger==0.1.11|requests>=2.21.0,<2.21.1|scipy>1.2,<1.4|tabulate==0.8.3|tqdm==4.42.1|google-cloud-storage==1.25.* \
--master-machine-type=n1-highmem-8 \
--master-boot-disk-size=100GB \
--num-master-local-ssds=0 \
--num-preemptible-workers=0 \
--num-worker-local-ssds=0 \
--num-workers=2 \
--preemptible-worker-boot-disk-size=40GB \
--worker-boot-disk-size=40GB \
--worker-machine-type=n1-standard-8 \
--initialization-action-timeout=20m \
--labels=creator=my_name \
--max-idle=10m
Turns out the problem is that the cluster creates a new account called my_username on the cluster master VM, but I am logged into my laptop as a user called 'admin'. So there is a mismatch between account name and key at the destination, so the login fails.
Can be fixed by adding username to the gcloud command:
gcloud compute ssh my_username#mycluster-m
Though I still don't really understand why the ssh keys are different for the dataproc VM and a compute engine VM, I'd be happy if someone can enlighten me.

How do I SSH into gcloud compute instance as ubuntu user?

We have a VM Instance in Google Cloud that is being used by two user. We want to create another user the can be accessible by both. We chose the user ubuntu for that like in AWS. But the problem is we can login when running the following command.
gcloud compute --project "project" ssh --zone "us-east1-b" "gpunew3"
It's showing the following error.
ubuntu#35.196.254.72: Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
What can be the possible way to achieve this.
I suspect a key pair mismatch. Please run the follow command to remove the private key file:
rm .ssh/google_compute_engine
Then run your command to ssh again, which will recreate a new key pair.
I had the same problem before,and i fixed it by adding my public key in VM Instance and then connect to VM Instance by ssh like this
ssh VM External IP
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

How to deploy from CircleCI to Google Compute Engine?

I want to deploy CircleCi's artifacts to Google Compute Engine after CI test,
but I got stuck in SSH key issues.
When gcloud compute copy-files ran, gcloud will ask for ssh key generating during CircleCI's deployment process, which I don't know how to handle.
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
I've looked into document here and here, but none of them mentioned SSH related topics. So what SSH key should I use and how can I pass it to gcloud securely?
[UPDATED]
Here's my commands in the deployment step.
- echo $GCLOUD_SERVICE_KEY | base64 --decode --ignore-garbage > ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud --quiet components update
- sudo /opt/google-cloud-sdk/bin/gcloud auth activate-service-account --key-file ${HOME}/gcloud-service-key.json
- sudo /opt/google-cloud-sdk/bin/gcloud config set project $GCLOUD_PROJECT_ID
- sudo /opt/google-cloud-sdk/bin/gcloud compute copy-files ./dist instance-1:/tmp/ --zone $GCLOUD_INSTANCE_ZONE
First error:
Enter passphrase (empty for no passphrase):
You have to add the --quiet flag.
gcloud compute copy-files
This command ensures that the user's public SSH key is present in the project's metadata. If the user does not have a public SSH key, one is generated using ssh-keygen(1) (if the --quiet flag is given, the generated key will have an empty passphrase).
https://cloud.google.com/sdk/gcloud/reference/compute/copy-files
Second error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
add a user before the instance name 338234243-compute#instance-1:/tmp
remove the last / of the instance path instance-1:/tmp
Check the owner of the tmp directory (user you choose should have a R&W right)
It seems that the user by default of my generated ssh key was root, and GCC sshd is not allowing root connection...
I had the same issue, and upon tinkering more and reading the google cloud docs, I realized I needed to generate an ssh key.
I use CircleCI (this also works with TravisCI) and this was the command I added to my circle.yml file to generate the ssh key:
- ssh-keygen -q -N "" -f ~/.ssh/google_compute_engine

scikit on Google Compute Engine: gcloud compute ssh: ssh-flag "-D" fails

My overall-goal is to run scikit-scripts on GCE and therefore I try to use Anaconda/IPython (which I use on my desktop) on GCE.
I am following this tutorial here (https://cloud.google.com/dataproc/tutorials/jupyter-notebook#verify_cluster_and_notebook_creation) but struggling on the following step:
gcloud compute ssh --zone=<master-host-zone> \
--ssh-flag="-D 1080" --ssh-flag="-N" --ssh-flag="-n" <master-host-name>
My console always responds with the following error message and I have no idea what is wrong:
unknown option "-D 1080"
Thanks for your help!
This makes sense because on Windows, gcloud compute ssh uses PuTTY for SSH; the PuTTY client doesn't respect the -D flag. You'll have to use PuTTY-specific options for creating an SSH tunnel; I'm not a Windows user so I don't know what those are.
I'll get the tutorial updated.

ssh -T git#github.com Permission denied (publickey)

I tried to push my blog (Octopress) to github and got this error:
MacBook-Air:octopress bdeely$ git push origin source
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I generated an SSH key, saved it, and even linked it with my GitHub account in the SSH key settings, but I went ahead and checked the status and got the same error:
MacBook-Air:.ssh bdeely$ ssh -T git#github.com
Permission denied (publickey).
In addition to this, I checked github's help page, did the following and got this error message:
MacBook-Air:~ bdeely$ ssh-add -l
The agent has no identities.
Does anyone know what is wrong and how I can fix this?
On OSX, if you type
ssh-add -l
and you get back "no identities", that means your ssh agent does not have any identities loaded into it. Oftentimes, when the mac reboots, you have no identities.
I add mine back after a re-boot by explicitly running
ssh-add
This loads a default identity from ~/.ssh/id_rsa
You can also use the ssh-add command with a specific identity
ssh-add ~/foo/bar/is_rsa
After you add your identies, you can seem them all listed by typing
ssh-add -l
Make sure you have at least one listed.
Follow the commands:
mkdir ~/.ssh //in case that the folder doesnt exist...
cd ~/.ssh
ssh-keygen -t rsa -C "youremail#somewhere.gr"
#hit enter when asks for file to save the key.
#enter the passphrase
At last copy the id_rsa.pub into your github account.
Try this in your terminal:
eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa
enter your passphrase if any and it should work. Hope this helps :-)
I hope this helps you:
I was having the identical problem and about to take my own eyes out with insane frustration; nothing online led me to an answer and I was trying to use the git push command without specifying the URL exactly (which could also solve the problem I believe), so I didn't see how the connection was failing.
I had set up my .ssh/config correctly for two users with two different keys, even using IdentitiesOnly yes which is supposed to override ssh-agent that was automatically supplying the WRONG ssh identity.
I finally realized the problem as I examined the local repository configuration - it was the entry
[remote "origin"]
url = git#github.com:{my-username}/{my-repo-name}.git
My configuration in .ssh/config file was using the same HostName github.com entry for both users and I'm completely new to all this so I didn't realize that to correctly override ssh-agent, I had to specify the exact URL or else the specific identities in my .ssh/config file would be ignored and the first key that ssy-agent listed (which was the wrong one my my case) would be used by default.
I fixed this by changing the local repo URL to url = git#github-personal:{my-username}/{my-repo-name}.git, where I had set Host github-personal as the identity in my .ssh/config.
Another way to solve this would be specifying the user in the URL in the git push command itself, or even better, a solution described here in a post AFTER solving this my own crappy way:
https://superuser.com/questions/272465/using-multiple-ssh-public-keys
I can't believe that no official source could offer a solution for or even properly explain this edge-case that seems really common (accessing two different github accounts from one machine with SSL).
I experienced the same problem. The reason was that I moved the key-files to another folder; it worked successfully when I moved them back to where they were originally.