GUI SSH Connect failed, retrying: AuthorizedKeysCommand failed


Marc B

Feb 19, 2019, 5:37:46 PM
to gce-discussion
I want to give a less-technical colleague access to a GCE VM instance via the GUI.
  1. Created an instance
  2. Set oslogin-enabled TRUE in the instance metadata
  3. Gave the user the role Compute OS Login
When she tries to connect, we see
  1. Transferring SSH keys to the VM
  2. Establishing connection to the SSH server ...
  3. Could not connect, retrying (1/3).
I am a project owner and can access the instance via the GUI with no problems. If I su root, I can run tcpdump to see what's happening ...

root@instance-3:/home/marcbtech_gmail_com# w
 16:18:32 up  1:49,  1 user,  load average: 0.10, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
my_user pts/0    74.125.42.32     16:00    0.00s  0.11s  0.02s sshd: my_user_gmail_com [priv]
root@instance-3:/home/my_user_gmail_com# tcpdump -w oslogin2.pcap -i eth0 host not 74.125.42.32

This shows the following happening when she tries to connect
  1. Client connects to instance SSH port, and SSH preliminaries occur
  2. Instance sends a REST request to an internal metadata server endpoint (/computeMetadata/v1/oslogin/users), providing her email address, which returns a JSON blob including "name"
  3. Instance sends a REST request to authorise the returned name (/computeMetadata/v1/oslogin/authorize), which returns a JSON failure status ( {success: false} ).
In /var/log/auth.log, I see 
  • Feb 19 16:16:26 instance-3 sshd[2756]: error: AuthorizedKeysCommand /usr/bin/google_authorized_keys colleague-user_gmail_com failed, status 1
I have looked on StackOverflow and ServerFault but this situation (GUI user) is not covered anywhere I can see. I can provide a pcap via private messaging.

What am I doing wrong?

Cheers,

Marc

Max Illfelder

Feb 20, 2019, 12:53:50 PM
to gce-discussion
Hi Marc,

The response from the authorize command indicates the user does not have permission to log in. It's likely that your VM is running with a service account and your colleague does not have the service account role: roles/iam.serviceAccountUser.


Hopefully that helps, but reach out if that doesn't resolve your troubles!

Max
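
The two metadata-server lookups Marc captured (the /oslogin/users profile lookup, then /oslogin/authorize answering {success: false}) can be replayed from the instance to tell the two failure causes apart, as Max's explanation suggests. The script below is an added example, not Marc's capture, Google's google_authorized_keys or any part of the thread; the query-parameter names, the "loginProfiles" wrapper and the fake responses are assumptions or constructed, and the transport is injected so the check runs offline.

```python
"""Replay the OS Login metadata lookups that sshd's AuthorizedKeysCommand performs and
report which stage denies the user. Added example; query-parameter names and the
"loginProfiles" wrapper are assumptions, only "name" and "success" come from the thread."""
import json
from urllib.request import Request, urlopen

METADATA = "http://metadata.google.internal/computeMetadata/v1/oslogin"


def metadata_get(path):
    """Real transport: GET from the instance metadata server (header is mandatory)."""
    req = Request(METADATA + path, headers={"Metadata-Flavor": "Google"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def diagnose(email, fetch=metadata_get):
    """Return a dict saying whether login would be allowed and, if not, which stage failed."""
    # Stage 1: profile lookup. No profile at all usually means roles/compute.osLogin is missing.
    profile = json.loads(fetch(f"/users?username={email}"))  # parameter name assumed
    names = [p.get("name") for p in profile.get("loginProfiles", [])]
    if not names:
        return {"ok": False, "stage": "users",
                "hint": "no OS Login profile returned; check roles/compute.osLogin"}
    # Stage 2: authorize the returned profile for login on this instance.
    auth = json.loads(fetch(f"/authorize?email={email}&policy=login"))  # parameters assumed
    if not auth.get("success"):
        return {"ok": False, "stage": "authorize", "name": names[0],
                "hint": "profile exists but login denied; if the VM runs as a service "
                        "account, the user also needs roles/iam.serviceAccountUser"}
    return {"ok": True, "stage": "authorize", "name": names[0]}


# Constructed fake transport reproducing the thread's symptom: profile found, authorize denied.
def fake_denied(path):
    if path.startswith("/users"):
        return json.dumps({"loginProfiles": [{"name": "constructed-profile-id"}]})
    return json.dumps({"success": False})


if __name__ == "__main__":
    # On a real instance drop fetch= to query the metadata server directly.
    print(diagnose("colleague-user@gmail.com", fetch=fake_denied))
```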

Marc B

Feb 21, 2019, 12:53:01 PM
to gce-discussion
Hi Max,

Thanks very much for getting back to me - I added 'Service Account | Service Account User' and it now works, but I promise I tried that before to no avail!

This one is definitely down to user error - sorry to have wasted your time.

Cheers,

Marc.