使用 gcloud 的 Google Cloud Compute (GCE) 无法为 SSH 创建有效格式的公钥

我们在使用 SSH 时遇到了问题，既包括自己创建密钥的问题，也包括 gcloud 创建密钥时也存在同样的问题。

为了证明这不是自己造成的问题，我们进行了以下操作：

1. 我们通过 gcloud 创建了一个临时服务器：gcloud compute instances create temp-machine --scopes compute-rw
2. 然后我们通过 SSH 进入临时机器实例：gcloud compute ssh temp-machine

3. 由于我们没有定义密钥，步骤 2 中的命令为我们创建一个密钥对，结果如下：

   WARNING: The private SSH key file for Google Compute Engine does not exist.
   WARNING: You do not have an SSH key for Google Compute Engine.
   WARNING: [/usr/bin/ssh-keygen] will be executed to generate a key.
   Generating public/private rsa key pair.
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again: 
   Your identification has been saved in /home/davebeach/.ssh/google_compute_engine.
   Your public key has been saved in /home/davebeach/.ssh/google_compute_engine.pub.
   

4. 一旦 gcloud 创建了密钥对，它就会继续使用密钥登录到 temp-machine 实例。它成功登录并在本地机器上向 google_known_hosts 添加条目。

   updating project ssh metadata...\Updated     [https://www.googleapis.com/compute/v1/projects/pro-ppm].
   Updating project ssh metadata...done.
   Warning: Permanently added 'compute.3605686430923056095' (ECDSA) to the list of known hosts.
   

5. 然后我们关闭连接并尝试重新运行 SSH 连接。当它尝试使用 gcloud 在前面的步骤中创建的密钥时，它指出密钥的格式无效：

   OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
   debug1: Reading configuration data /Users/davebeach/.ssh/config
   debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
   debug2: resolving "130.211.121.82" port 22
   debug2: ssh_connect_direct: needpriv 0
   debug1: Connecting to 130.211.121.82 [130.211.121.82] port 22.
   debug1: Connection established.
   key_load_public: invalid format
   

6. 登录继续，它会找到 google_known_hosts 文件，从该文件中提取一个密钥，然后使用该文件成功地与服务器进行身份验证：

   debug1: identity file /Users/davebeach/.ssh/google_compute_engine type -1
   debug1: key_load_public: No such file or directory
   debug1: identity file /Users/davebeach/.ssh/google_compute_engine-cert type -1
   debug1: identity file /Users/davebeach/.ssh/id_ed25519 type 4
   debug1: key_load_public: No such file or directory
   debug1: identity file /Users/davebeach/.ssh/id_ed25519-cert type -1
   debug1: Enabling compatibility mode for protocol 2.0
   debug1: Local version string SSH-2.0-OpenSSH_7.3
   debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
   debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
   debug2: fd 3 setting O_NONBLOCK
   debug1: Authenticating to 130.211.121.82:22 as 'davebeach'
   debug1: using hostkeyalias: compute.3605686430923056095
   debug3: hostkeys_foreach: reading file "/Users/davebeach/.ssh/google_compute_known_hosts"
   debug3: record_hostkey: found key type ECDSA in file /Users/davebeach/.ssh/google_compute_known_hosts:6
   debug3: load_hostkeys: loaded 1 keys from compute.3605686430923056095
   debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-
   ......
   debug1: Server host key: ecdsa-sha2-nistp256   SHA256:f9dkkPHglZNpR0XtAK33OWYNlyLc/jjHsbTpQvyhcys
   debug1: using hostkeyalias: compute.3605686430923056095
   debug3: hostkeys_foreach: reading file "/Users/davebeach/.ssh/google_compute_known_hosts"
   debug3: record_hostkey: found key type ECDSA in file /Users/davebeach/.ssh/google_compute_known_hosts:6
   debug3: load_hostkeys: loaded 1 keys from compute.3605686430923056095
   debug1: Host 'compute.3605686430923056095' is known and matches the ECDSA host key.
   debug1: Found key in /Users/davebeach/.ssh/google_compute_known_hosts:6
   

7. google_known_hosts 的内容仅由 gcloud 创建（在第一次连接期间）。

为什么我们永远无法让实例接受 gcloud 创建的密钥，为什么它使用 google_known_hosts 密钥作为可接受的密钥？ SSHD_CONFIG 中的设置是否导致了这种情况？ 为我们创建的原始密钥的格式有什么问题？