Cannot login to a gce VM instance using putty with (or without) oslogin.

[Tal Kenig]

Goal:

I have a gce VM I am trying to log onto using SSH with putty from windows 10.

Context:

This is a new laptop I am trying to log on from. I can log on with no problems from my old laptop running win7. Note that it is the same domain and username on both old and new laptops (relevant since I am using oslogin).

What I did:

Installed gcloud SDK on the new laptop and ran gcloud init. Then I used gcloud to log onto the machine (gcloud compute ssh --project [project_name] --zone us-west1-a [instance_name]). Putty opens up and connects without any problem. I get a new folder .ssh under my windows user directory with the public, private and ppk files, just as expected. I created an ssh session on putty, copying all settings from the old computer. Under SSH/Auth I set the private key file to the .ppk which gcloud automatically created for me.

Problem:

Although I can successfully open an ssh session by issuing a gcloud compute ssh command, I cannot do that directly from putty. I get the following error in the terminal: Unable to load private key (createkey failed). There is also an additional popup message saying "No supported authentication methods available (server sent: publickey)" As mentioned above, everything works just fine from my old laptop, where I did the exact same process. Not sure why it is not working from the new one. My guess is that there is some problem related to the fact I am using the same username from two different PCs, but I am not sure. I am using oslogin since this is the preferred method according to google. I also tried to generate my own keys and use those, but also unsuccessful. See section below. Willing to opt for a different method if that makes sense.

Without oslogin:

Tried without oslogin: Generated a key pair using puttygen. Added the public key to the project metadata - made sure it is properly formatted and has the right username. Created a new putty session pointing to the new ppk file. Got an error: "Server refused our key" and a popup saying "No supported authentication methods available (server sent: publickey)". Tried with the enable-oslogin variable in metadata set to both TRUE or FALSE, but same error regardless. Note this happens on both laptops, and was the problem in the past as well, which is why I used oslogin in the first place.

Would greatly appreciate if anyone can help out here. I need a way to be able to ssh from putty directly. I prefer just using my own generated keys, but willing to use oslogin providing it works....

Thanks.

[Fady (Google Cloud Platform)]

When you enable OS-Login for the VM or the project (set “enable-oslogin” to True in metadata), the normal behavior to SSH using public keys in metadata will cease to work. Thus, creating your own key pair won’t work the traditional way, but rather through adding them to the user’s account (and not the VM), and as instructed in this document. 

Furthermore, using the “gcloud compute ssh“ command  to create the key pair and directing an SSH tool to use the private key file is not the appropriate method. It may work as a workaround for one laptop, but not the other, as the command would create a new pair for a new laptop, may expire and would not match with your older laptop. One workaround that may work (not guaranteed)  is to use the same file on both laptops. (use the command that would generate the keys on one laptop, and copy the file to the second laptop). 

However, the proper method to using third party tools, is to manage the keys yourself and per the document shared above. Once the key is added to the user account, you would have to verify the user name using this gcloud command, and then manually add it along with the IP address and the matching private key to your tool. For putty, I found this document that may help. Note that when generating the key pair (puttygen for example), verify that the user name (Key comment) also matches with the user output of the gcloud command. Also, the same private key (file) for the same user should be used in both laptops. 

For further help, please post your question at serverfault.com where you have access to a large community of enthusiasts and experts to share ideas with and get support from.