Site icon Super Computer World

Permission Denied Publickey Gssapi With Mic Password

ssh permission denied publickey gssapi keyex gssapi with mic (1)

Introduction

Permission Denied Publickey Gssapi With Mic Password probably indicates that the SSH private key authentication failed. Assuming you’re using an image derived from the Debian or Centos images recommended by gcutil, it’s perhaps one of the following:

  1. You have not loaded any ssh key into your ssh keyring, and you have not specified a private ssh key with the -I option.
  2. None of your ssh keys match the entries in .ssh/authorized_keys for the account you are trying to connect to.
  3. You are trying to log in to an account that does not exist on the machine, or you are trying to log in as root. (The default images incapacitate direct root login – most ssh brute force attacks are against root or other known accounts with weak passwords.)

How to determine which accounts and keys are on the instance:

There is a script that runs every minute on Compute Engine Centos and Debian standard images that gets the “sshKeys” metadata entry from the metadata server and creates accounts (with sudoer access) as needed. This script expects entries in the format “account:\n” in the sshKeys metadata and can place multiple entries in the authorized_keys file for a single account. (or create multiple accounts if you wish)

In recent versions of the image, this writing sends its production to the serial docks via syslog and to the machine’s local logs. You can read the last MB of serial port output via gcutil getsserialportoutput, which can be helpful when the device is not responding via SSH.

How gcutil ssh works:

gcutil ssh does the following:

  1. Find a key in $HOME/.ssh/google_compute_engine and call ssh-keygen to create one if not present.
  2. Check the current contents of the project metadata entry for sshKeys for an entry similar to ${USER}:$(cat $HOME/.ssh/google_compute_engine.pub)
  3. If no such entry exists, add this entry to the project metadata and wait up to 5 minutes for the metadata change to propagate and the script inside the VM to detect the new entrance and create the new account.
  4. Once the new entry is in place (or immediately, if the user:key was already present), gcutil ssh invokes ssh with command line arguments to connect to the VM.

Here are some ways it could fail and what you could do to fix it:

  1. Permission Denied Publickey Gssapi With Mic Password If you’ve removed or changed scripts that read sshKeys, the console and command line tool won’t notice that changing sshKeys doesn’t work, and a lot of the old automatic magic may break.
  2. If you try to ssh raw, it may not find your .ssh/google_computer_enginer key. You can fix this using gcutil ssh or copying your public ssh key (ending in .pub) and adding it to the project’s or instance’s sshKeys entry in the console. (You’ll also need to enter a username, probably the same as your local computer’s account name.)
  3. If you’ve never used gcutil ssh, you probably don’t have a .ssh/google_compute_engine.pub file. You can use ssh-keygen to create a new SSH public/private key pair and add it to sshKeys, as above, or use gcutil ssh to generate and manage sshKeys.
  4. If you mainly use the console, the account name in the sshKeys entry may not match your local username, you may need to supply the -l argument to SSH.
Exit mobile version