无法通过 SSH 谷歌云实例 -答案

【问题标题】：Cannot SSH Google Cloud Instance -无法通过 SSH 谷歌云实例 -
【发布时间】：2017-03-13 09:25:58
【问题描述】：

我已经尝试了谷歌文档中可用的所有方法 - 但我仍然无法通过 ssh 连接到谷歌云上的计算引擎实例。发布日志以获取上下文。

username@instancename:~$ gcloud compute ssh instancename --ssh-flag="-vvv"
For the following instances:
 - [instancename]
choose a zone:
 [1] asia-east1-c
 [2] asia-east1-a
 [3] asia-east1-b
 [4] asia-northeast1-b
 [5] asia-northeast1-c
 [6] asia-northeast1-a
 [7] europe-west1-c
 [8] europe-west1-b
 [9] europe-west1-d
 [10] us-central1-f
 [11] us-central1-a
 [12] us-central1-c
 [13] us-central1-b
 [14] us-east1-b
 [15] us-east1-d
 [16] us-east1-c
 [17] us-west1-b
 [18] us-west1-a
Please enter your numeric choice:  13 

OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 104.xxx.xxx.xx [104.xxx.xxx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/google_compute_engine type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/username/.ssh/google_compute_engine-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Debian-4~bpo70+1
debug1: match: OpenSSH_6.6.1p1 Debian-4~bpo70+1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: using hostkeyalias: compute.14068955514934919297
debug3: load_hostkeys: loading entries for host "compute.14068955514934919297" from file "/home/username/.ssh/google_compute_known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/username/.ssh/google_compute_known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha
1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnd
ael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnd
ael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@ope
nssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@ope
nssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 23:66:fa:ae:3e:da:ec:f8:d3:ea:c8:c0:84:de:91:82
debug1: using hostkeyalias: compute.14068955514934919297
debug3: load_hostkeys: loading entries for host "compute.14068955514934919297" from file "/home/username/.ssh/google_compute_known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/username/.ssh/google_compute_known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'compute.14068955514934919297' is known and matches the ECDSA host key.
debug1: Found key in /home/username/.ssh/google_compute_known_hosts:1
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/username/.ssh/google_compute_engine (0x7fc8787042f0), explicit
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/username/.ssh/google_compute_engine
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]. See https://cloud.google.com/compute/docs/troubleshooting#ssherrors for troubleshooting hints.
username@instancename:~$

这是来自 gcloud shell 中的 ssh 尝试，我还尝试了 cli 工具并通过 VM 连接。我允许 gcloud 自动生成密钥并检查私钥和公钥文件是否存在。实例正在运行并且端口 22 已打开。我完全没有想法。

【问题讨论】：

您是否尝试直接从 Web 控制台通过 ssh 进入实例？它不需要本地计算机上的 ssh 密钥。 cloud.google.com/compute/docs/instances/…
是的。那是我从那里复制日志的地方。我认为此时我的私钥可能配置错误，但我不确定如何检查。
您似乎试图通过 Google Cloud Shell SSH 到您的实例？我不是这个意思，请打开我分享的链接，有一个小的“SSH”图标。
道歉。是的，我已经尝试过使用 Web 控制台。那里也没有运气。检查串行控制台输出总是给我这个 ` Nov 3 08:14:18 instancename sshd[27725]: Connection closed by xx.xxx.xx.35 [preauth] Nov 3 08:14:21 instancename sshd[27727]: Connection由 xx.xxx.xx.33 [preauth] 11 月 3 日 08:14:25 instancename sshd [27729] 关闭：连接由 xx.xxx.xx.32 [preauth] Nov 3 08:14:29 instancename sshd [27731] 关闭: 连接由 xx.xxx.xx.32 [preauth] ` 关闭
这个问题是发生在这个特定的实例上还是你的所有实例上？

标签： ssh google-compute-engine google-cloud-platform gcloud

【解决方案1】：

以下步骤将为您提供对 Google Cloud 实例的串行访问权限，您可以从那里验证 Guest environment

我建议您首先验证对实例的 SSH 访问没有被firewall 阻止。

gcloud 计算防火墙规则列表 | grep "tcp:22"

通过在 shell 中运行以下 gcloud 命令，确保根卷中仍有足够的磁盘空间。

gcloud 计算实例 get-serial-port-output [INSTANCE-NAME]

寻找一些类似的条目

...No space left on device...

...google-accounts: ERROR Exception calling the response handler. [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']...

使用串行控制台连接到实例

1. Go to the VM instances page in Google Cloud Platform console. 
2. Click on the instance for which you want to add a startup script. 
3. Click the Edit button at the top of the page.
4. Click on ‘Enable connecting to serial ports’
5. Under Custom metadata, click Add item. 
6. Set 'Key' to 'startup-script' and set 'Value' to this script:

#! /bin/bash 
useradd -G sudo USERNAME 
echo 'USERNAME:PASSWORD' | chpasswd

7. Click Save and then click RESET on the top of the page. You might need to wait for some time for the instance to reboot. 
8. Click on 'Connect to serial port' in the page. 
9.  In the new window, you might need to wait a bit and press on Enter of your keyboard once; then, you should see the login prompt. 
10. Login using the USERNAME and PASSWORD you provided.

验证来宾环境

然后在您需要通过验证来宾环境获取无效的实例内部：

首先：查看您的串行控制台是否列出了以下这些行：

Started Google Compute Engine Accounts Daemon 
Started Google Compute Engine IP Forwarding Daemon 
Started Google Compute Engine Clock Skew Daemon 
Started Google Compute Engine Instance Setup 
Started Google Compute Engine Startup Scripts 
Started Google Compute Engine Shutdown Scripts 
Started Google Compute Engine Network Setup

第二步：验证客户环境的软件包是否已安装，运行串行输出中的命令

apt 列表 --已安装 | grep 谷歌计算

它应该列出以下行：

google-compute-engine
google-compute-engine-oslogin
python-google-compute-engine
python3-google-compute-engine

第三：你需要通过运行这个命令来验证guest环境的所有服务是否都在运行：

sudo systemctl list-unit-files | grep 谷歌 |启用 grep

它应该列出以下行：

google-accounts-daemon.service      enabled
google-ip-forwarding-daemon.service enabled
google-clock-skew-daemon.service    enabled
google-instance-setup.service       enabled
google-shutdown-scripts.service     enabled
google-startup-scripts.service      enabled
google-network-setup.service        enabled

【讨论】：

感谢您的启动脚本教程。
这个过程对我不起作用。具体我在startup-script中提供的用户名和密码无效，串口连接还是说登录不好。请指教

【解决方案2】：

我认为您需要将您的公共 ssh 密钥 (/home/username/.ssh/google_compute_engine) 添加到您的服务器。你可以从这里添加它：https://console.cloud.google.com/compute/metadata/sshKeys?project={YOUR-PROJECT-ID}

【讨论】：

是的。我还检查了 google_compute_engine.pub 文件以确保它们匹配。
在虚拟机实例页面下console.cloud.google.com/compute/instances?project={PROJECT NAME}&graph=GCE_CPU&duration=P30D 我在自定义元数据下有相同的 ssh 密钥，它也有设置“阻止项目范围的 SSH 密钥”我需要在这里做点什么？
您可以从元数据中删除密钥吗？ gcloud compute ssh 应该在需要时添加它。也许那里的密钥格式不正确。