Losing SSH access to a Google Cloud VM

I have a VM (Debian) running on Google Cloud Platform, but I cannot connect over ssh or through the serial console (for some reason I cannot create a user with a startup script). I have already tried a bunch of troubleshooting guides to fix it.

I was connecting over ssh before without any problems. The website and database running on that VM are still working fine.

What I tried

1 - Checked that the firewall rule "default-allow-ssh" exists

2 - Tried connecting as another user with the command

gcloud compute ssh another-username@$PROB_INSTANCE

3 - Added a "startup-script" metadata key with the value:

#! /bin/bash
# Create the user with a home directory and a login shell, add it to the sudo group, and set a password
useradd -m -s /bin/bash -G sudo USER
echo 'USER:PASS' | chpasswd

Rebooted (also tried stop/start) and tried connecting through the serial console, but it says the login is incorrect. The startup script does not work, or does not create my user.

4 - Increased the disk size.

5 - Increased the memory (upgraded the VM instance type).

6 - Removed the ssh keys from the VM details and from the Metadata tab, then rebooted:

After removing them, I tried to generate the keys again with the command:

gcloud beta compute ssh INSTANCE_NAME -- -vvv 

but it returns:

No zone specified. Using zone [us-east1-b] for instance: [INSTANCE_NAME].
Updating project ssh metadata...Updated [https://www.googleapis.com/compute/beta/projects/PROJECT_NAME].
Updating project ssh metadata...done.
Waiting for SSH key to propagate.
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).
USER@IP_ADDRESS: Permission denied (publickey).

More details

Running

gcloud beta compute ssh --zone ZONE INSTANCE_NAME --project PROJECT_NAME

returns:

USER@IP_ADDRESS: Permission denied (publickey).

Running (a second time, after waiting for propagation)

gcloud beta compute ssh INSTANCE_NAME -- -vvv 

returns:

[...]
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1g  21 Apr 2020
debug1: Reading configuration data /home/USER/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolve_canonicalize: hostname IP_ADDRESS is address
debug2: ssh_connect_direct
debug1: Connecting to IP_ADDRESS [IP_ADDRESS] port 22.
debug1: Connection established.
debug1: identity file /home/USER/.ssh/google_compute_engine type 0
debug1: identity file /home/USER/.ssh/google_compute_engine-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u7 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to IP_ADDRESS:22 as 'USER'
debug1: using hostkeyalias: compute.INSTANCE_ID
debug3: hostkeys_foreach: reading file "/home/USER/.ssh/google_compute_known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/USER/.ssh/google_compute_known_hosts:1
debug3: load_hostkeys: loaded 1 keys from compute.INSTANCE_ID
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]
,[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Or8[...]
debug1: using hostkeyalias: compute.INSTANCE_ID
debug3: hostkeys_foreach: reading file "/home/USER/.ssh/google_compute_known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/USER/.ssh/google_compute_known_hosts:1
debug3: load_hostkeys: loaded 1 keys from compute.INSTANCE_ID
debug1: Host 'compute.INSTANCE_ID' is known and matches the ECDSA host key.
debug1: Found key in /home/USER/.ssh/google_compute_known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: Will attempt key: /home/USER/.ssh/google_compute_engine RSA SHA256:brI3[...] explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/USER/.ssh/google_compute_engine RSA SHA256:brI3[...] explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
USER@IP_ADDRESS: Permission denied (publickey).
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].

Update

Following Alex's suggestion, the serial port output returns:

Welcome to Debian GNU/Linux 9 (stretch)!

[    2.364319] systemd[1]: No hostname configured.
[    2.365157] systemd[1]: Set hostname to <localhost>.
[    3.142016] systemd[1]: google-shutdown-scripts.service: Cannot add dependency job, ignoring: Unit google-shutdown-scripts.service is masked.
[    3.144581] systemd[1]: google-clock-skew-daemon.service: Cannot add dependency job, ignoring: Unit google-clock-skew-daemon.service is masked.
[    3.147589] systemd[1]: google-instance-setup.service: Cannot add dependency job, ignoring: Unit google-instance-setup.service is masked.
[    3.149799] systemd[1]: google-accounts-daemon.service: Cannot add dependency job, ignoring: Unit google-accounts-daemon.service is masked.
[    3.152485] systemd[1]: google-startup-scripts.service: Cannot add dependency job, ignoring: Unit google-startup-scripts.service is masked.

I really hope there is a solution :/

I would appreciate any help or suggestions, thanks!

Answer 1

This "Permission denied" error can happen for several reasons.

  1. Do you have "OS Login" enabled? If OS Login is enabled for your project, your VM will not accept the SSH keys stored in metadata. You have to disable "OS Login".

  2. Or you are connecting with an SSH key stored in your OS Login profile to a VM that does not have OS Login enabled. So enable "OS Login", and then add your SSH key to the metadata.

  3. If you manually added SSH keys to the VM and then connected to it with the Google Cloud Console, Compute Engine creates a new key pair for your connection. When that new key pair expires, Compute Engine deletes the ~/.ssh/authorized_keys file on the VM, which contains the SSH key you added manually. You have to add your SSH key back to the metadata.

  4. If your sshd daemon is not running or is misconfigured, you cannot connect to your VM with SSH. You can connect to your VM through the serial port and then make sure your sshd_config is set up correctly.
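The following is an added example (not code from the question or from the answer above) for working through causes 1 to 3 with the two pieces of evidence this page shows: it pulls the login name and the fingerprint of the offered key out of an `ssh -vvv` log like the one in the question, then looks that key up in an `ssh-keys` metadata value (as printed by `gcloud compute project-info describe` or `gcloud compute instances describe`), handling both the plain `USER:TYPE KEY COMMENT` form and the expiring `google-ssh {...}` form that the Cloud Console writes. The key blobs, users, address and expiry date are constructed for the example.

```python
"""Map a 'Permission denied (publickey)' failure back to the ssh-keys metadata.

Added example (not from the original question or answers). The key blobs,
users and addresses below are constructed; a real run would paste the
`ssh -vvv` output and the ssh-keys metadata value obtained from gcloud.
"""
import base64
import hashlib
import json
import re
from datetime import datetime, timezone


def openssh_fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form `ssh -v` and `ssh-keygen -lf` print it (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_ssh_keys_metadata(value: str) -> list:
    """Parse an ssh-keys metadata value: one 'USER:TYPE BASE64 [COMMENT]' entry per line.

    Console-generated keys carry the comment `google-ssh {"userName":...,"expireOn":...}`;
    anything else after the key is an ordinary comment.
    """
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue                                   # skip blank or malformed lines
        user, key = line.split(":", 1)
        fields = key.split(None, 2)                    # TYPE, BASE64, optional comment
        if len(fields) < 2:
            continue
        comment = fields[2] if len(fields) == 3 else ""
        expire_on = None
        if comment.startswith("google-ssh "):
            meta = json.loads(comment[len("google-ssh "):])
            expire_on = datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
        entries.append({"user": user, "type": fields[0],
                        "fingerprint": openssh_fingerprint(fields[1]),
                        "expire_on": expire_on})
    return entries


def diagnose(ssh_debug: str, metadata: str, now: datetime) -> tuple:
    """Return (status, detail) for the key the client offered in `ssh_debug`."""
    user = re.search(r"Authenticating to \S+ as '([^']+)'", ssh_debug).group(1)
    offered = re.search(r"Offering public key: .*?(SHA256:\S+)", ssh_debug).group(1)
    matches = [e for e in parse_ssh_keys_metadata(metadata) if e["fingerprint"] == offered]
    if not matches:
        return "not_in_metadata", f"{offered} is not in ssh-keys; add it back with gcloud compute ... add-metadata"
    for entry in matches:
        if entry["user"] == user:
            if entry["expire_on"] is not None and entry["expire_on"] <= now:
                return "expired", f"key for {user} expired at {entry['expire_on'].isoformat()}"
            return "ok", f"key is listed for {user}; look on the guest (sshd, accounts daemon, authorized_keys)"
    return "wrong_user", f"key is listed for {matches[0]['user']!r} but the client logs in as {user!r}"


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH public-key wire format."""
    return len(data).to_bytes(4, "big") + data


def _fake_ed25519(point: bytes) -> str:
    """Constructed ssh-ed25519 blob with a dummy 32-byte point: structurally valid, not a real key."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


ALICE_KEY = _fake_ed25519(bytes(range(32)))
BOB_KEY = _fake_ed25519(bytes(range(32, 64)))
UNKNOWN_KEY = _fake_ed25519(bytes(32))

# Constructed metadata: alice's plain key, and a Console-generated key for bob that expired 2020-05-01.
SAMPLE_METADATA = f"""\
alice:ssh-ed25519 {ALICE_KEY} alice@laptop
bob:ssh-ed25519 {BOB_KEY} google-ssh {{"userName":"bob@example.com","expireOn":"2020-05-01T10:00:00+0000"}}
"""

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


def sample_debug(user: str, b64_key: str) -> str:
    """Constructed stand-in for the `ssh -vvv` lines that carry the user and the offered key."""
    return (f"debug1: Authenticating to 203.0.113.10:22 as '{user}'\n"
            f"debug1: Offering public key: /home/{user}/.ssh/google_compute_engine "
            f"ED25519 {openssh_fingerprint(b64_key)} explicit\n"
            "debug1: Authentications that can continue: publickey\n")


if __name__ == "__main__":
    for user, key in (("alice", ALICE_KEY), ("bob", BOB_KEY),
                      ("carol", ALICE_KEY), ("alice", UNKNOWN_KEY)):
        print(user, *diagnose(sample_debug(user, key), SAMPLE_METADATA, NOW))
```

A result of `ok` means the metadata side is fine and the fault is on the guest, which is where cause 4 and the masked google-* units in the question's serial output come in; `wrong_user` is the case where the key is registered under a different username than the one `gcloud compute ssh` logs in as.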

Answer 2

It is best to first check the logs on the serial console with the command

gcloud compute instances get-serial-port-output INSTANCE_NAME --zone ZONE

Or you can check this link for other methods. From there you should be able to find some answers about why it is failing. You will also be able to see on the serial connection why the startup script failed.

You can try running the following block in the startup script:

#! /bin/bash
useradd -m USERNAME
echo 'USERNAME:PASSWORD!' | chpasswd
# Debian has no "wheel" group; its admin group is "sudo" ("wheel" is the RHEL/CentOS name)
usermod -aG sudo USERNAME

For more detailed SSH troubleshooting steps on GCE, you can look at the official GCP documentation here.

Answer 3

SSH:

Use the link provided above by "Alex G" as a reference for ssh troubleshooting. Or find the same link here.

Check the ssh service status with the following command

sudo systemctl status sshd

Startup script:

Use this link as a reference for using startup scripts

Check the installed Google systemd services with the command below

sudo systemctl list-unit-files | grep google

If a service is masked, unmask it and then enable it.

sudo systemctl unmask "service-name"
sudo systemctl enable "service-name"

Startup scripts run at boot, not in the background after boot, and they are unrelated to SSH. So if the startup-scripts service is masked/disabled in the list above, you can try enabling it so that it starts automatically at boot.

Also, if you have a startup script that needs to run right away, you can use the following command.

sudo systemctl start google-startup-scripts.service

Use the following command to see the startup script output.

sudo journalctl -u google-startup-scripts.service

List the running google processes and check the ones SSH needs. Verify that google-network-daemon.service and google-accounts-daemon.service are running.

sudo ps aux | grep google

If you still have problems, reinstall/update the guest environment. Use this link as a reference
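As an added example (not code from Answer 2 or Answer 3 above), the triage those two answers describe, done against the two outputs they ask for: the serial console output from `gcloud compute instances get-serial-port-output` (the sample below reuses the masked-unit lines from the question) and the output of `systemctl list-unit-files | grep google` (constructed here), producing the `unmask`/`enable` commands and saying which of the two recovery paths on this page (ssh-keys metadata and startup script) the masked units block. The unit names are the ones that appear on this page; the note about `google-guest-agent.service` on newer images is an assumption.

```python
"""Find masked Google guest-environment units and build the unmask/enable steps.

Added example (not from the original answers). It reads the kind of serial
console output shown in the question and the output of
`systemctl list-unit-files | grep google`, and reports which units block the
ssh-keys and startup-script paths. The list-unit-files sample is constructed;
the serial lines are the ones from the question.
"""
import re

# Units this page relies on: the accounts daemon turns ssh-keys metadata into
# authorized_keys, the startup-scripts unit runs the recovery script. Assumption:
# this is the per-daemon guest environment of Debian 9 images; newer images ship
# google-guest-agent.service in place of the accounts/network daemons.
SSH_KEY_UNITS = {"google-accounts-daemon.service", "google-guest-agent.service"}
STARTUP_SCRIPT_UNITS = {"google-startup-scripts.service"}

MASKED_IN_SERIAL = re.compile(r"Unit (google-\S+?) is masked")
UNIT_FILE_LINE = re.compile(r"^(google-\S+)\s+(enabled|disabled|masked|static)", re.M)


def masked_units_from_serial(serial_output: str) -> list:
    """Units systemd reported as masked while booting (from get-serial-port-output)."""
    return sorted(set(MASKED_IN_SERIAL.findall(serial_output)))


def unit_states_from_list(list_unit_files_output: str) -> dict:
    """Map unit name -> state from `systemctl list-unit-files | grep google` output."""
    return dict(UNIT_FILE_LINE.findall(list_unit_files_output))


def remediation(states: dict) -> list:
    """Commands to run over the serial console, in order, for every masked or disabled unit."""
    commands = []
    for unit, state in sorted(states.items()):
        if state == "masked":
            commands += [f"sudo systemctl unmask {unit}", f"sudo systemctl enable {unit}"]
        elif state == "disabled":
            commands.append(f"sudo systemctl enable {unit}")
    return commands


def ssh_impact(states: dict) -> dict:
    """Which of the two recovery paths on this page a broken set of units takes away."""
    broken = {unit for unit, state in states.items() if state in ("masked", "disabled")}
    return {
        "broken": sorted(broken),
        "ssh_keys_blocked": bool(broken & SSH_KEY_UNITS),
        "startup_scripts_blocked": bool(broken & STARTUP_SCRIPT_UNITS),
    }


# Serial console lines from the question (Debian 9 guest with the google-* units masked).
SAMPLE_SERIAL = """\
[    3.142016] systemd[1]: google-shutdown-scripts.service: Cannot add dependency job, ignoring: Unit google-shutdown-scripts.service is masked.
[    3.147589] systemd[1]: google-instance-setup.service: Cannot add dependency job, ignoring: Unit google-instance-setup.service is masked.
[    3.149799] systemd[1]: google-accounts-daemon.service: Cannot add dependency job, ignoring: Unit google-accounts-daemon.service is masked.
[    3.152485] systemd[1]: google-startup-scripts.service: Cannot add dependency job, ignoring: Unit google-startup-scripts.service is masked.
"""

# Constructed `systemctl list-unit-files | grep google` output for the same guest.
SAMPLE_UNIT_FILES = """\
google-accounts-daemon.service       masked
google-clock-skew-daemon.service     masked
google-instance-setup.service        masked
google-network-daemon.service        enabled
google-shutdown-scripts.service      masked
google-startup-scripts.service       masked
"""

if __name__ == "__main__":
    print("masked at boot:", masked_units_from_serial(SAMPLE_SERIAL))
    states = unit_states_from_list(SAMPLE_UNIT_FILES)
    print(ssh_impact(states))
    print("\n".join(remediation(states)))
```

On the guest in the question both `ssh_keys_blocked` and `startup_scripts_blocked` come out true, which is consistent with what the poster saw: keys pushed through `gcloud compute ssh` were never written to authorized_keys, and the user-creating startup script never ran, so the serial console login failed as well. The commands have to be typed over the serial console (or via another access path such as the guest-environment reinstall Answer 3 points to) since ssh itself is what is broken.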
