<p>The permission denied error probably indicates that SSH private key authentication has failed. Assuming that you're using an image derived from the Debian or CentOS images recommended by gcutil, it's likely one of the following:</p>
<ol>
<li>You don't have any ssh keys loaded into your ssh keychain, and you haven't specified a private ssh key with the <code>-i</code> option.</li>
<li>None of your ssh keys match the entries in .ssh/authorized_keys for the account you're attempting to log in to.</li>
<li>You're attempting to log into an account that doesn't exist on the machine, or attempting to log in as root. (The default images disable direct root login – most ssh brute-force attacks are against root or other well-known accounts with weak passwords.)</li>
</ol>
<h2>How to determine what accounts and keys are on the instance:</h2>
<p>There's a script that runs every minute on the standard Compute Engine CentOS and Debian images which fetches the 'sshKeys' metadata entry from the metadata server, and creates accounts (with sudoers access) as necessary. This script expects entries of the form "account:\n" in the sshKeys metadata, and can put several entries into authorized_keys for a single account (or create multiple accounts if desired).</p>
<p>In recent versions of the image, this script sends its output to the serial port via syslog, as well as to the local logs on the machine. You can read the last 1MB of serial port output via <code>gcutil getserialportoutput</code>, which can be handy when the machine isn't responding via SSH.</p>
<h2>How <code>gcutil ssh</code> works:</h2>
<p><code>gcutil ssh</code> does the following:</p>
<ol>
<li>Looks for a key in <code>$HOME/.ssh/google_compute_engine</code>, and calls <code>ssh-keygen</code> to create one if not present.</li>
<li>Checks the current contents of the project metadata entry for <code>sshKeys</code> for an entry that looks like <code>${USER}:$(cat $HOME/.ssh/google_compute_engine.pub)</code>.</li>
<li>If no such entry exists, adds that entry to the project metadata, and waits for up to 5 minutes for the metadata change to propagate and for the script inside the VM to notice the new entry and create the new account.</li>
<li>Once the new entry is in place (or immediately, if the user:key was already present), <code>gcutil ssh</code> invokes <code>ssh</code> with a few command-line arguments to connect to the VM.</li>
</ol>
<h2>A few ways this could break down, and what you might be able to do to fix them:</h2>
<ol>
<li>If you've removed or modified the scripts that read <code>sshKeys</code>, the console and command line tool won't realize that modifying <code>sshKeys</code> doesn't work, and a lot of the automatic magic above can get broken.</li>
<li>If you're trying to use raw <code>ssh</code>, it may not find your <code>.ssh/google_compute_engine</code> key. You can fix this by using <code>gcutil ssh</code>, or by copying your ssh public key (ends in <code>.pub</code>) and adding it to the <code>sshKeys</code> entry for the project or instance in the console. (You'll also need to put in a username, probably the same as your local-machine account name.)</li>
<li>If you've never used <code>gcutil ssh</code>, you probably don't have a <code>.ssh/google_compute_engine.pub</code> file. You can either use <code>ssh-keygen</code> to create a new SSH public/private keypair and add it to <code>sshKeys</code>, as above, or use <code>gcutil ssh</code> to create them and manage <code>sshKeys</code>.</li>
<li>If you're mostly using the console, it's possible that the account name in the <code>sshKeys</code> entry doesn't match your local username; you may need to supply the <code>-l</code> argument to SSH.</li>
</ol>
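<p>To tell the failure cases above apart, the following added example (not part of the original answer, and not gcutil's own code) compares a local public key with <code>sshKeys</code> lines of the form <code>account:key</code>. It assumes the metadata value has been saved to a file; the function name, file names and key strings are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: classify why a key/account pair may be rejected, by comparing
# a local public key with sshKeys metadata lines of the form "account:key".
#
# check_sshkeys_entry USER PUBKEY_FILE SSHKEYS_FILE prints one of:
#   match              - USER is listed with this key
#   other-account:NAME - key is listed, but under account NAME (try ssh -l NAME)
#   missing            - key is not in sshKeys at all
#   no-local-key       - PUBKEY_FILE does not exist or is unreadable
check_sshkeys_entry() {
    user=$1; pubkey_file=$2; sshkeys_file=$3
    [ -r "$pubkey_file" ] || { echo "no-local-key"; return 0; }
    # Compare key type and base64 blob only; the trailing comment may differ.
    want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pubkey_file")
    awk -v user="$user" -v want="$want" '
        {
            sep = index($0, ":")
            if (sep == 0) next                      # not an account:key line
            account = substr($0, 1, sep - 1)
            n = split(substr($0, sep + 1), f, " ")
            if (n < 2 || (f[1] " " f[2]) != want) next
            if (account == user) { found = 1; exit }
            if (other == "") other = account        # same key, different account
        }
        END {
            if (found) print "match"
            else if (other != "") print "other-account:" other
            else print "missing"
        }' "$sshkeys_file"
}

# Constructed sample data (placeholder strings, not real keys).
tmp=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY1 me@laptop' > "$tmp/id.pub"
printf '%s\n' \
    'alice:ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY1 alice@console' \
    'bob:ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY2 bob@desk' > "$tmp/sshkeys"
check_sshkeys_entry alice "$tmp/id.pub" "$tmp/sshkeys"    # match
check_sshkeys_entry carol "$tmp/id.pub" "$tmp/sshkeys"    # other-account:alice
check_sshkeys_entry bob "$tmp/absent.pub" "$tmp/sshkeys"  # no-local-key
rm -rf "$tmp"
```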
 
