gce public key instance level


Dmitry Chorine

Apr 18, 2018, 11:47:20 AM
to gce-discussion
Hello,

Per Managing SSH keys in Metadata  |  Compute Engine Documentation  |  Google Cloud, I edited instance-level public SSH key metadata by adding my public key:

format of my key:

ssh-rsa [KEY_VALUE] [USERNAME]

yet, seeing following:

/var/log/auth.log

Apr 18 15:24:19 web0 sshd[5080]: Invalid user staging from X.X.X.X port 52403
Apr 18 15:24:19 web0 sshd[5080]: input_userauth_request: invalid user XXX [preauth]
Apr 18 15:24:19 web0 sshd[5080]: error: Received disconnect from X.X.X.X port 52403:14: No supported authentication methods available [preauth]
Apr 18 15:24:19 web0 sshd[5080]: Disconnected from X.X.X.X port 52403 [preauth]

needless to say I cannot connect, any advice would be appreciated)

Thanks in advance.

Dinesh (Google Platform Support)

Apr 18, 2018, 5:45:39 PM
to gce-dis...@googlegroups.com
Hello Dmitry,

First please note that the Google group is intended for general product-related discussions and service status, not for the troubleshooting. You can use the Community Support Overview to figure out which of our support platforms is better suited for your question. Server Fault is likely to be a good fit.

Regarding your SSH issue, can you please try the gcloud SSH command from the cloud shell terminal?
gcloud compute ssh [username]@[Instancename] --zone=[zonename]

Alternatively, you may try this command in debug level mode with --ssh-flag="-v" from cloud shell. Let me know if this helps?

Regards,

Dmitry Chorine

Apr 20, 2018, 10:26:32 AM
to gce-discussion
Dinesh,

I asked my question on Server Fault as well:
still unable to ssh in(

I tried gcloud ssh command from cloud shell terminal as well

Welcome to Cloud Shell! Type "help" to get started.
alexus@deep-timer-155418:~$ gcloud compute ssh staging@web0 --ssh-flag="-v"
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
This tool needs to create the directory [/home/alexus/.ssh] before
being able to generate SSH keys.

Do you want to continue (Y/n)?

I'm not quite sure how this is relevant to my issue, as my private key isn't residing on gcloud home dir, it resides elsewhere.

It looks to me some issue with instance as even though I added key, username didn't really propagate to instance and therefore I cannot ssh in.

Dinesh (Google Platform Support)

Apr 20, 2018, 6:22:46 PM
to gce-dis...@googlegroups.com
Gcloud command line tool could be used to update instance SSH metadata and propagate instance level SSH key. As you suggested in your initial post that you were unable to connect to your instance, gcloud command line could be an alternative way to connect.

Please make sure that you copy correctly SSH keys into console page (without any extra space or line etc). You may want to view this document[1], as I believe you are trying to connect via some third-party tool.

Dmitry Chorine

Apr 21, 2018, 4:16:26 PM
to gce-discussion
Dinesh,


Can you provide a command (syntax) for gcloud how to update instance's ssh metadata?

I looked at link that you provided and this is exactly how I try to connect to my instance, however as I mentioned earlier per instance auth log, it looks like issue is not exactly with a key, but userid (or rather lack of it)

Apr 18 15:24:19 web0 sshd[5080]: Invalid user staging from X.X.X.X port 52403
Apr 18 15:24:19 web0 sshd[5080]: input_userauth_request: invalid user XXX [preauth]

I have another key on same instance and that key's userid is present in instance, yet newly added public key's username isn't...

again connecting to instance with correct private key isn't an issue here, it's more instance doesn't have username/public key on system present for me to connect/pair.

I hope that makes sense...


On Friday, April 20, 2018 at 6:22:46 PM UTC-4, Dinesh (Google Platform Support) wrote:
Gcloud command line tool could be used to update instance SSH metadata and propagate instance level SSH key. As you suggested in your initial post that you were unable to connect to your instance, gcloud command line could be an alternative way to connect.

Please make sure that you copy correctly SSH keys into console page (without any extra space or line etc). You may want to view this document[1], as I believe you are trying to connect via some third-party tool.

Dinesh (Google Platform Support)

Apr 22, 2018, 2:14:46 PM
to gce-discussion
Here are the gcloud commands to add or update instance metadata[1] and project info add metadata[2].
 
I tried to reproduce this issue on my end but unable to do so as I can successfully update instance metadata SSH key for newly created SSH keys using "ssh-keygen -t rsa -f ~/.ssh/[KEY_FILENAME] -C [USERNAME]" command. 

Going forward, please verify and confirm the following points:-

1. Make sure your SSH keys are being generated with [USERNAME]. Specify the -C flag to add a comment with your username.

2. Copy public SSH Keys into instance level SSH Keys as described in the public documentation you posted above and make sure username is correctly populated on the left side of key text data box as soon as you copy key in the box. If you did not get username populated on the right-side of the ssh key box, I suspect your key was generated without a username.


Dmitry Chorine

Apr 22, 2018, 2:28:10 PM
to gce-discussion
Dinesh,

I'm sorry, I totally forgot to mention about existing public key, can you provide command for not generating a brand new key pair, but rather use existing public key, I already add " myusername" after key actual key (same line) and placed it into /root of my Linux instance.

Dmitry Chorine

Apr 22, 2018, 2:37:36 PM
to gce-discussion
just to reiterate

1) key is already generated
2) added per link I posted earlier, and even though username appears via GCP's console, username is NOT appears in instance

and that is why I created this very topic)

is there anything I can do to help troubleshoot it from Linux instance? (instance is up to date)

Dinesh (Google Platform Support)

Apr 23, 2018, 12:17:54 PM
to gce-dis...@googlegroups.com
If you go through the documentation of the previously shared command, same commands can be used to add or update the metadata of a virtual machine instance. I don't precisely understand what do you mean by "username is NOT appears in instance"? From your post, I understand you are manually updating username and corresponding SSH keys for your environment and at the same time, you wanted to manage your SSH keys through the Google Compute Engine metadata.

According to this document, the guest environment does not update the keys for manually created users. Hence, it is not advisable to manually create them and then add the users to their keys through metadata (or the opposite, if apply so) as this causes conflicts. The guest environment by default is a normal setup and without any manual modifications automatically creates the users, their home directories, and their corresponding (~/.ssh/authorized_keys) file which contains the public keys. Removing or restricting access to each user’s home directory and its content will cause authentication issues. If you are managing your username and SSH keys manually, it is advisable, to manually add the keys to the corresponding directory that the manually configured SSH daemon checks, rather than adding them through metadata.

Having said that, if you still have any query about how to manage manually created username and SSH keys, I will suggest to please follow up on your Server Fault thread which is more appropriate for such queries. 
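
An added example, not part of the thread and not Google's own tooling: a Python check for the ssh-keys metadata value that flags the problems discussed above (an entry with no username, stray whitespace or blank lines, a damaged key value). It assumes the stored value holds one `USERNAME:KEY_TYPE KEY_VALUE [COMMENT]` entry per line; the function names, the account-name pattern and the sample key are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Assumed layout, one entry per line: USERNAME:KEY_TYPE KEY_VALUE [COMMENT]
ENTRY = re.compile(r"^(?P<user>[^:\s]+):(?P<type>\S+) (?P<blob>\S+)(?: .*)?$")
# Assumed pattern for a Linux account name (not taken from the thread).
USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def blob_key_type(blob):
    """Return the key type named inside the base64 blob, or None if damaged."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (length,) = struct.unpack(">I", raw[:4])  # SSH string: 4-byte length + bytes
    if length == 0 or len(raw) < 4 + length:
        return None
    return raw[4:4 + length].decode("ascii", "replace")


def lint_ssh_keys(value):
    """Return (line_number, problem) pairs for an ssh-keys metadata value."""
    problems = []
    for number, line in enumerate(value.splitlines(), start=1):
        if not line.strip():
            problems.append((number, "blank line"))
            continue
        if line != line.strip():
            problems.append((number, "leading or trailing whitespace"))
            line = line.strip()
        match = ENTRY.match(line)
        if match is None:
            problems.append((number, "not in USERNAME:KEY_TYPE KEY_VALUE [COMMENT] form"))
            continue
        if not USERNAME.match(match["user"]):
            problems.append((number, "username is not a valid account name"))
        if blob_key_type(match["blob"]) != match["type"]:
            problems.append((number, "key value damaged or not of the stated type"))
    return problems


def sample_key(key_type="ssh-rsa"):
    """Constructed, non-functional key blob that carries a valid type header."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + bytes(32)
    return base64.b64encode(raw).decode()
```

Run `lint_ssh_keys` over the contents of the key file before passing it to `gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=[FILE]`; an empty list means every entry names the account it belongs to and carries an intact key value.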