#362 F34 GCP - Permission denied (publickey,gssapi-keyex,gssapi-with-mic) with Compute engine metadata ssh keys
Opened by benvdh3.

Today I did a lot of testing with the Fedora-34-GCP-Cloud-Base image. Even though my virtual machine boots, I am not able to gain access to it, as sshd keeps rejecting my key with the following error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Steps to reproduce

  1. Download the Fedora image here: https://fedora.mirror.wearetriple.com/linux/releases/34/Cloud/x86_64/images/Fedora-Cloud-Base-GCP-34-1.2.x86_64.tar.gz
  2. Create a storage bucket in the Google Cloud project where you want to store the image
  3. Upload the image to the storage bucket
  4. Create a new Google Compute Engine image using the gcloud command:
    gcloud compute images create "fedora-34" --source-uri=gs://my-bucket/Fedora-Cloud-Base-GCP-34-1.2.x86_64.tar.gz --guest-os-features=UEFI_COMPATIBLE
  5. Generate an SSH keypair for the VM (in my case I used an ECDSA keypair):
    ssh-keygen -t ecdsa
  6. Create a new VM in the project where you created the VM image. The VM should use our custom fedora-34 image, and the public key should be added in the Security > SSH keys section. Optionally: add serial-port-enable=TRUE to the VM's metadata to be able to record output from the first boot.
  7. When the machine is ready, try to connect using the username that Google extracted from your ssh public key using the regular ssh command:
    ssh ben@1.2.3.4
  8. Observe that the VM throws the following error (if the firewall is correctly set up too):
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Observed behaviour: SSH throws an error.

Expected behaviour: I get logged in to the machine.

Other things I have tried

  • Using the default username fedora, and attempting to log in as root (even though I am aware it is disabled)
  • Attempting to log in through the serial-port console using username fedora or root and a password.
  • Using other key types
  • attempting ssh logins using gcloud compute ssh
  • rebooting the machine after adding the ssh key as suggested on StackOverflow (see below)
  • Discussed the issue on #fedora-cloud with davdunc[m]
  • Explored StackOverflow:
    • https://stackoverflow.com/questions/20440096/google-cloud-engine-permission-denied-publickey-gssapi-keyex-gssapi-with-mic (suggests this might be an SELinux issue)
    • https://stackoverflow.com/questions/69423435/problem-with-fedora-ssh-connection-on-google-cloud?noredirect=1&lq=1

After a little digging, I found that if your SSH key ends with fedora@something, then you can log in as the fedora user without issues. However, if I supply an SSH key with major@something, then I can't log in as fedora or major with my SSH key. Both SSH keys are making it to the system via metadata, but only the fedora key is read and deployed by cloud-init.
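The metadata format that step 6 and the last paragraph turn on, as an added example that is not part of the original issue report: Compute Engine stores instance SSH keys in the `ssh-keys` metadata key as one entry per line of the form `USERNAME:KEY_TYPE BASE64_KEY [COMMENT]`, and the login name comes from the prefix before the colon (the Cloud Console fills that prefix in from the `user@host` comment when you paste a key, which is why the issue talks about "the username that Google extracted"). The script below builds and sanity-checks such entries and flags the case the reporter hit, where the login name is not the image's default user. The key blob is a constructed placeholder (only the ECDSA P-256 type prefix, not a real key), the usernames `major` and `fedora` are taken from the issue, the helper names are mine, and the `gcloud` upload command appears only in a comment and is not executed.

```shell
#!/bin/sh
# Added example, not code from the issue or from Fedora/GCE: build and check
# the value of the GCE "ssh-keys" instance-metadata key.
set -eu

# Accept "TYPE BASE64 [COMMENT]" (the content of an id_*.pub file) and reject
# unknown key types or a blob that is not base64.  Conservative check, not
# GCE's own validation.
validate_pubkey() {
  set -- $1
  case "${1:-}" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) printf 'unsupported key type: %s\n' "${1:-}" >&2; return 1 ;;
  esac
  printf '%s\n' "${2:-}" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
    || { echo 'key blob is not base64' >&2; return 1; }
}

# gce_ssh_keys_entry USERNAME "TYPE BASE64 [COMMENT]"  ->  "USERNAME:TYPE BASE64 [COMMENT]"
# The login name is whatever precedes the colon; the comment is ignored by GCE.
gce_ssh_keys_entry() {
  user=$1; pubkey=$2
  case "$user" in
    ''|*[!a-z0-9_-]*) printf 'bad username: %s\n' "$user" >&2; return 1 ;;
  esac
  validate_pubkey "$pubkey" || return 1
  printf '%s:%s\n' "$user" "$pubkey"
}

# Login name GCE derives from an entry: the part before the first colon.
gce_entry_user() {
  printf '%s\n' "${1%%:*}"
}

# User part of the key comment (the "major" in "major@laptop"), empty if none.
gce_entry_comment_user() {
  set -- ${1#*:}
  comment=${3:-}
  printf '%s\n' "${comment%%@*}"
}

# check_entry ENTRY DEFAULT_USER: 0 when the entry logs in as the image's
# default user (the only case that worked in this issue), 1 otherwise.
check_entry() {
  user=$(gce_entry_user "$1")
  comment_user=$(gce_entry_comment_user "$1")
  if [ "$user" != "$2" ]; then
    printf 'WARNING: login name %s is not the default user %s; this issue reports cloud-init on the image does not deploy such keys\n' \
      "$user" "$2" >&2
    return 1
  fi
  if [ -n "$comment_user" ] && [ "$comment_user" != "$user" ]; then
    printf 'NOTE: comment user %s differs from login name %s (the console derives the login name from the comment)\n' \
      "$comment_user" "$user" >&2
  fi
  return 0
}

# Constructed placeholder blob: just the ECDSA P-256 type prefix, not a real key.
KEY_BLOB=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=

FEDORA_ENTRY=$(gce_ssh_keys_entry fedora "ecdsa-sha2-nistp256 $KEY_BLOB fedora@laptop")
MAJOR_ENTRY=$(gce_ssh_keys_entry major "ecdsa-sha2-nistp256 $KEY_BLOB major@laptop")

SSH_KEYS_FILE=$(mktemp)
printf '%s\n%s\n' "$FEDORA_ENTRY" "$MAJOR_ENTRY" > "$SSH_KEYS_FILE"

# Review every entry before uploading; the major entry triggers the warning.
while IFS= read -r entry; do
  check_entry "$entry" fedora || true
done < "$SSH_KEYS_FILE"

# Upload (not run here):
#   gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys="$SSH_KEYS_FILE"
rm -f "$SSH_KEYS_FILE"
```

Running the script prints a warning for the `major` entry and nothing for the `fedora` one; the file it writes is the exact value `gcloud compute instances add-metadata --metadata-from-file ssh-keys=FILE` expects, so the same check can sit in front of whatever provisions the keys.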
