Unable to Connect to Google Compute Engine via SSH Client (PuTTY and SSH on Linux and Mac)


Johan Regar

Dec 27, 2017, 11:23:43 AM
to gce-discussion
Hello Community,

I have a weird issue; I've searched the Web for it but got no answer.

I have several VMs on my Google Cloud project, and I can connect to almost all of the instances using PuTTY or an SSH client. But for one VM I could only connect to that instance using an SSH client right after I update a firewall rule. Some time after that, I can't connect to it. I've tried using the gcloud command, but no luck. The only way I can connect after "that time" is using SSH in the Web Browser. Has anyone experienced this before?

FYI, this "weird VM" is cloned from another VM, and the parent VM has no problem with the SSH client and the gcloud command.

Any suggestion would be appreciated.


BR,
Johan

Fady (Google Cloud Platform)

Dec 27, 2017, 4:28:25 PM
to gce-discussion

This explanation may not completely answer your question, as you are able to log in with the same key to all instances but the cloned one. However, there is a possibility that you may have confused an instance-level key with a project-wide one. Also, I am taking this opportunity to further explain the differences in case a community member runs into a similar issue.


When you SSH from the browser, GCE will manage your SSH keys for you. It will create/apply the SSH key pairs when needed, and the user created is an IAM project member (compute instance admin). The public key will be added as a project-wide key (metadata) and not an instance-specific one, so that the key can be reused with other instances. Furthermore, using gcloud (in Cloud Shell or an authenticated SDK) should behave almost the same by executing the command (without key file):


gcloud compute ssh [INSTANCE]


That said, it is odd in your case that SSH from the browser is working but not the gcloud command, unless you used the ssh-key-file flag (your keys) like this example.


On the other hand, when you manage your own keys to use with third-party software like PuTTY or macOS SSH software, you would also have to manually attach (add metadata) the public key to either the project metadata to use for all instances, or add it to the (one) instance (instance level). Hence, if that public key is attached to only one instance, you would not be able to use the same key with the rest of your project instances. For more information about editing public SSH key metadata you may check this link.


For your issue, you may start by comparing the public keys in your software (PuTTY) with both the project-wide metadata at this link, and your instance metadata by clicking on it (in the instances list) and scrolling down to SSH keys. [Verify also that the “block project-wide ssh keys” checkbox is not checked (ticked).] And since you have access to the instance from the browser, you can check if the keys were propagated to the instance by checking this file (do not edit the file, the changes could get erased by the daemon):


~/.ssh/authorized_keys


That said, and after checking the above, you may privately send me the output of the gcloud command with verbosity flags for both instances (mark the cloned one) for further inspection.


gcloud compute ssh [instance] --ssh-flag="-vvv"
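
The key comparison described in the reply above, as an added example that is not part of the original thread or any Google tooling: it fingerprints a local public key and reports whether it appears in the instance-level or project-wide `ssh-keys` metadata value, ignoring project-wide keys when they are blocked on the instance. The function names and the sample keys are assumptions constructed for illustration; the metadata values are assumed to have been copied out of the console or gcloud by the reader.

```python
import base64
import binascii
import hashlib

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_ssh_keys(value):
    """Parse an ssh-keys metadata value: one 'USER:TYPE BLOB [COMMENT]' per line."""
    entries = []
    for line in value.splitlines():
        user, sep, key = line.strip().partition(":")
        parts = key.split()
        if not sep or len(parts) < 2:
            continue  # blank or malformed line
        try:
            entries.append((user, parts[0], fingerprint(parts[1])))
        except binascii.Error:
            continue  # blob is not valid base64, skip it
    return entries

def where_accepted(pubkey_line, project_keys, instance_keys, block_project=False):
    """List (scope, user) pairs under which the local public key is attached."""
    fp = fingerprint(pubkey_line.split()[1])
    hits = [("instance", u) for u, _, f in parse_ssh_keys(instance_keys) if f == fp]
    if not block_project:  # instance setting hides project-wide keys when set
        hits += [("project", u) for u, _, f in parse_ssh_keys(project_keys) if f == fp]
    return hits

# Constructed sample data (not real keys)
KEY_A = base64.b64encode(b"constructed key blob A").decode()
KEY_B = base64.b64encode(b"constructed key blob B").decode()
PROJECT_KEYS = f"alice:ssh-rsa {KEY_A} alice\n"
INSTANCE_KEYS = f"bob:ssh-ed25519 {KEY_B} bob\nbroken line\n"
LOCAL_PUB = f"ssh-rsa {KEY_A} alice@laptop"

if __name__ == "__main__":
    print(where_accepted(LOCAL_PUB, PROJECT_KEYS, INSTANCE_KEYS))
    print(where_accepted(LOCAL_PUB, PROJECT_KEYS, INSTANCE_KEYS, block_project=True))
```

An empty result for one instance and a non-empty one for its parent points at a metadata difference rather than a network or firewall problem.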