#362 F34 GCP - Permission denied (publickey,gssapi-keyex,gssapi-with-mic) with Compute engine metadata ssh keys
Opened 3 years ago by benvdh3. Modified 3 years ago

Today I did a lot of testing with the Fedora-34-GCP-Cloud-Base image. Even though my virtual machine boots, I am not able to gain access to it, as sshd keeps rejecting my key with the following error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Steps to reproduce

  1. Download the Fedora image here: https://fedora.mirror.wearetriple.com/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-GCP-34-1.2.x86_64.tar.gz
  2. Create a storage bucket in the Google Cloud project where you want to store the image
  3. Upload the image to the storage bucket
  4. Create a new Google Compute Engine image using the gcloud command:
    gcloud compute images create "fedora-34" --source-uri=gs://my-bucket/Fedora-Cloud-Base-GCP-34-1.2.x86_64.tar.gz --guest-os-features=UEFI_COMPATIBLE
  5. Generate an SSH keypair for the VM (in my case I used an ecdsa keypair):
    ssh-keygen -t ecdsa
  6. Create a new VM in the project where you created the VM image. The VM should use our custom fedora-34 image, and the public key should be added in the Security > SSH keys section. Optionally: add serial-port-enable=TRUE to the VM's metadata to be able to record output from the first boot.
  7. When the machine is ready, try to connect using the username that Google extracted from your ssh public key using the regular ssh command:
    ssh ben@1.2.3.4
  8. Observe the VM throws the following error (if the firewall is correctly set up too):
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Observed behaviour: SSH throws an error.

Expected behaviour: I get logged in to the machine.

Other things I have tried


After a little digging, I found that if your SSH key ends with fedora@something, then you can log in as the fedora user without issues. However, if I supply an SSH key with major@something, then I can't log in as fedora or major with my SSH key. Both SSH keys are making it to the system via metadata, but only the fedora key is read and deployed by cloud-init.
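
A small check for the behaviour described in the comment above, as an added example that is not part of the ticket or of cloud-init: it parses a GCE `ssh-keys` metadata value (one `USERNAME:KEY` entry per line) and reports which entries match the image's default user. The `fedora` default user and the matching rule are assumptions taken from that comment; the function names and sample keys are constructed for illustration.

```python
# Added illustration; not code from cloud-init, Fedora or the ticket.
# Assumption: the image's default login user is "fedora" and only keys whose
# metadata username matches it are deployed, as the comment above observed.
DEFAULT_USER = "fedora"

# Constructed sample of a GCE "ssh-keys" metadata value (USERNAME:KEY per line).
# Key material is placeholder text, not real keys.
SAMPLE_METADATA = """\
fedora:ecdsa-sha2-nistp256 AAAAconstructedKeyOne fedora@something
major:ecdsa-sha2-nistp256 AAAAconstructedKeyTwo major@something
ben:ecdsa-sha2-nistp256 AAAAconstructedKeyThree ben@laptop

entry-without-a-username-prefix
"""


def parse_ssh_keys(metadata_value):
    """Return (entries, malformed): entries are (username, key_type, comment)."""
    entries, malformed = [], []
    for line in metadata_value.splitlines():
        line = line.strip()
        if not line:
            continue  # blank lines between entries are ignored
        user, sep, key = line.partition(":")
        fields = key.split()
        # A usable entry needs a username, the colon, a key type and key data.
        if not sep or not user or len(fields) < 2:
            malformed.append(line)
            continue
        entries.append((user, fields[0], " ".join(fields[2:])))
    return entries, malformed


def classify(metadata_value, default_user=DEFAULT_USER):
    """Group metadata usernames by whether they match the default user."""
    entries, malformed = parse_ssh_keys(metadata_value)
    report = {"deployed": [], "skipped": [], "malformed": malformed}
    for user, _key_type, _comment in entries:
        bucket = "deployed" if user == default_user else "skipped"
        report[bucket].append(user)
    return report


if __name__ == "__main__":
    result = classify(SAMPLE_METADATA)
    print("keys matching the default user:", result["deployed"])
    print("keys for other usernames (not deployed per the comment):", result["skipped"])
    print("malformed entries:", result["malformed"])
```
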
