Score:1

Unable to SSH to GCP VM after reboot

I used to do remote development via VS Code. I created an SSH key on my local Windows 10 machine and added the public key to the VM instance. Everything was fine for a week. But my VS Code suddenly showed permission denied today. So I tried to find out why in the GCP console. Here is what I found, but I have no clue what the cause is or how to fix it.

  • Firewall rules are correct and unchanged.
  • Unable to connect to the VM in the GCP console by clicking VM instances list > Connect > SSH. It shows "Connection Failed". Clicking the "Troubleshoot" button shows VM Status OK and Network status OK, but it is stuck at loading when checking User permissions.

From here, I think it's related to some permission problem, maybe the SSH key?

  • Then I created a new SSH key pair on my local Windows 10 machine.
  • The new key was then added to the VM. No expiry date is set, just "{KEY} {USER}". However, I still cannot connect over SSH via VS Code.
  • Connecting to the VM in GCP still fails.
  • I tried to create a new VM and test with the SSH key pair. The key is working. I can connect with VS Code.

Then I tried "View Log" and found there are many errors every time an "Updating keys for user g3dayseo" entry is logged. Here are some examples.

Title

Updating keys for user g3dayseo.
{
insertId: "27ysnuf4tckja"
jsonPayload: {
localTimestamp: "2023-06-30T00:09:42.8300Z"
message: "Updating keys for user g3dayseo."
}
logName: "projects/beautylnfcom/logs/GCEGuestAgent"
receiveTimestamp: "2023-06-30T00:09:43.842531278Z"
resource: {2}
severity: "INFO"
sourceLocation: {3}
timestamp: "2023-06-30T00:09:42.830084525Z"
}

Title

Invalid ssh key entry - expired key: g3dayseo:ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFKv3f/jQZRbGdQnvL5Swy6f/E4Z84nnwHfgyiorYPu5VS5GF9yOOTe3wFFtGLFQns0qHtzIn2MgsEfQQIml8Vk= google-ssh {"userName":"[email protected]","expireOn":"2023-06-30T00:12:27+0000"}

Content

{
insertId: "1js4l5ne4dso2"
jsonPayload: {
localTimestamp: "2023-06-30T00:12:42.9094Z"
message: "Invalid ssh key entry - expired key: g3dayseo:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWSRpEt0TN03Jehtu0HEM2pXoJK7+wqZfss/TSbCGqPaZ4y36nZ8d/zyc9Q3cLkTFN9nYlDEwwUnG1UASpKBYox0Q7o/KTBOP0YGzksTPTvBjWaiUlCmZ/jAdj3ATaH5xyyjX89V5BXWAJRG2HxbW/U1r48Uk5Z+OZ8Q82MzYST6FkJbONp2jG9NEIiyg/oEj8iCpAMlh6xcioAlYZSyvAcKR6auCDkOcUTOkTG09/UG/3ZHdY+ZnMiMyGI1rc9fTN36yA7oSMvpKWxvk+caWpUTA4jlovxYIm5EeN9vk5BKK2YGt7cBNynZgA394M/mKAIk/n3rLaAVBitIexwntL google-ssh {"userName":"[email protected]","expireOn":"2023-06-30T00:12:41+0000"}"
}
logName: "projects/beautylnfcom/logs/GCEGuestAgent"
receiveTimestamp: "2023-06-30T00:12:43.919710439Z"
resource: {
labels: {3}
type: "gce_instance"
}
severity: "ERROR"
sourceLocation: {
file: "non_windows_accounts.go"
function: "main.getUserKeys"
line: "199"
}
timestamp: "2023-06-30T00:12:42.909503214Z"
}

I don't know what I can do at the moment. I searched for many articles. Some told us to try on the cloud shell.

gcloud compute ssh --zone "asia-east1-b" "newpostai" --project "beautylnfcom"

Then it asks for a password. But as I remember, I didn't set a password before.

Please help. I am quite frustrated. Although I have a backup and I could load it on a new instance, I really want to figure out how this happened after a reboot, how to fix it and how to prevent it.

Thank you in advance for reading this.

Veera Nagireddy
Check: RAM might not be sufficient for all the processes that the VM instance is running; VSCode server requires more RAM. Refer to [Use Coder to Run VS Code on Google Cloud](https://fireship.io/lessons/vscode-cloud-coder-tensorflow/)
Veera Nagireddy
Upgrade VM resources or change the code editor, for example to PyCharm; it may work.
Veera Nagireddy
Have you tried the above comment and it helped you to resolve your issue?
Score:1

The error "Permission denied (publickey)" can occur for several reasons. Follow the 2 workarounds below, which may help to resolve your issue:

It's impossible to fetch the actual password from a Linux VM (it's encrypted), but if you want to fetch/reset a password for a local user on a Linux VM, it's possible to set a new password.

Workaround 1 : Resetting a password via a startup script:

This startup script can be used to set a temporary password on instance boot (replace [username] and [password] with the actual username and a temporary password of your choice):

Method-1 :

#! /bin/bash
# chpasswd expects user:password with no spaces around the colon
echo "[username]:[password]" | chpasswd

If you don't have a root password, follow the steps to use a startup script to add it to your instance :

  1. Go to the VM instances page in the GCP console.

  2. Click on the instance for which you want to add a startup script.

  3. Click the Edit button at the top of the page.

  4. Click on 'Enable connecting to serial ports'

  5. Under Custom metadata, you will find the 'Automation' section.

  6. Set below 'Value' into the 'Startup script' box:

Method-1:

#! /bin/bash
echo root:PASSWORD | chpasswd

Method-2 :

#! /bin/bash
usermod -p $(echo "password" | openssl passwd -1 -stdin) root

  7. Click Save and then click RESET on the top of the page. You might need to wait for some time for the instance to reboot.

  8. Click on 'Connect to serial port' on the page.

  9. In the new window, you might need to wait a bit and press 'Enter' on your keyboard once; then, you should see the login prompt.

  10. Login using the root and PASSWORD you provided.

Note : Remove the custom metadata you entered once you have regained access to your VM, otherwise it will execute every time your instance reboots. Also, omitting this step can expose the root password in the console.

Workaround 2: Your issue may be due to the host key missing on the instance, or the permission of the host key having been modified. Follow the steps below to verify this behavior and resolve the issue:

  1. If the serial console can connect to the instance, then check the permission for the /etc/ssh/ssh_host_rsa_key file using ls -ltrh command in the /etc/ssh directory.

  2. The permission for the file should be -rw-r--r--. If not, the chmod 644 ssh_host_rsa_key command can be used to set the permissions.

  3. If the serial console connection is not working, check the permissions by mounting the boot disk on the rescue instance.

  4. Create a snapshot of the boot disk. See Create a Snapshot

  5. Create a rescue instance and attach an additional disk of the snapshot.

  6. Run lsblk -f to identify the secondary disk added.

  7. Mount the disk using commands

Command to create the directory: mkdir ~/recovery

Command to mount the disk: mount -o nouuid <disk_path> ~/recovery

  8. Check for the ssh_host_rsa_key and ssh_host_rsa_key.pub files in the /etc/ssh/ directory and verify the permission by referring to step 2.

  9. If the files are not present, then generate a key for the instance. Change the root directory by running the command: chroot ~/recovery/

Generate the host keys by running the command:

$ sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
$ sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
$ sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

  10. Unmount the disk using umount ~/recovery from the rescue VM and detach the disk from the instance.

  11. Attach the disk back to the affected instance and restart the instance.

Veera Nagireddy
Also refer to my previous similar [SO](https://stackoverflow.com/questions/75296079) answer, which may help to resolve your issue.
Philip
The problem was automatically solved after a few days untouched and I cannot reproduce the error again. Thank you for the detailed suggestion. I will mark this as the most helpful answer and hope this could help someone in the future. Thank you very much.
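
The ERROR entries in the question's log are raised for `ssh-keys` entries whose `expireOn` timestamp has passed. As an added example (not part of the original thread and not the guest agent's own code), this Python script parses metadata lines in the format visible in those log messages and classifies each entry, which helps tell expired short-lived keys apart from a manually added key that has no expiry. The key bodies, `user@example.com` and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an instance's ssh-keys metadata value (key bodies are fake).
SAMPLE = "\n".join([
    'g3dayseo:ssh-rsa AAAAB3NzaCONSTRUCTED google-ssh '
    '{"userName":"user@example.com","expireOn":"2023-06-30T00:12:41+0000"}',
    'g3dayseo:ssh-ed25519 AAAAC3NzaCONSTRUCTED g3dayseo',
    'g3dayseo:ecdsa-sha2-nistp256 AAAAE2VjZCONSTRUCTED google-ssh '
    '{"userName":"user@example.com","expireOn":"2023-06-30T00:20:00+0000"}',
    'no-colon-here ssh-rsa',
])
# Time of the ERROR log entry in the question, truncated to whole seconds.
NOW = datetime(2023, 6, 30, 0, 12, 42, tzinfo=timezone.utc)

def parse_entry(line):
    """Return (user, key_type, expire_on) for one USER:TYPE KEY [COMMENT] line."""
    user, sep, rest = line.strip().partition(":")
    fields = rest.split(None, 2)
    if not sep or not user or len(fields) < 2:
        raise ValueError("not in USER:TYPE KEY [COMMENT] form")
    comment = fields[2] if len(fields) == 3 else ""
    expire_on = None
    if comment.startswith("google-ssh"):
        # The JSON after the google-ssh marker carries the optional expireOn field.
        options = json.loads(comment[len("google-ssh"):])
        if "expireOn" in options:
            expire_on = datetime.strptime(options["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
    return user, fields[0], expire_on

def audit_ssh_keys(metadata_value, now):
    """Classify every entry as valid, expired, no-expiry or malformed."""
    report = []
    for line in filter(str.strip, metadata_value.splitlines()):
        try:
            user, key_type, expire_on = parse_entry(line)
        except ValueError:  # also covers bad JSON and bad timestamps
            report.append(("?", "?", "malformed"))
            continue
        if expire_on is None:
            status = "no-expiry"
        else:
            status = "expired" if expire_on <= now else "valid"
        report.append((user, key_type, status))
    return report

if __name__ == "__main__":
    for row in audit_ssh_keys(SAMPLE, NOW):
        print(*row)
```

With the constructed sample, the first entry is reported as expired one second before the log timestamp, while the plain key without a `google-ssh` options block is reported as having no expiry.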