UJIN

Reputation: 1758

SSH keys keep getting deleted from Google Compute Engine VM

Background:

Problem:

Minutes after successfully connecting from the container to the host, the user/.ssh/authorized_keys gets "modified" by some process from Google itself. As far as I understood, this process appends some SSH keys needed to connect to the VM. In my case, though, the process seems to overwrite the key that I generated from the container.

Setup:

I connect to the host using the Google Compute Engine GUI, pressing the SSH button.


Then I follow the steps described in this answer on AskUbuntu. I set the password for user on host:

user@host:~$ sudo passwd user

I set PasswordAuthentication to yes in sshd_config, and I restart sshd:

user@host:~$ sudo nano /etc/ssh/sshd_config
user@host:~$ sudo systemctl restart sshd

I enter the Docker container using bash, generate the key, and copy it to the host:

user@host:~$ docker exec -it container /bin/bash
(base) root@container-id:# ssh-keygen
(base) root@container-id:# ssh-copy-id user@host 

The key is successfully copied to the host, the host is added to the known_hosts file, and I am able to connect from the container to the host without being prompted for the password (as I gave it during the ssh-copy-id execution).

Now, if I detach from the host, let some time pass, and attach again, I find that the user/.ssh/authorized_keys file contains some keys generated by Google, but there is no trace of my key (the one that allows the container to connect to the host).

What puzzles me more than everything is that we consistently used this process before and we never had such a problem. Some accounts on this same host still have keys from containers that no longer exist!

Does anyone have any idea about this behavior? Do you know about any solutions that let me keep the key for as long as it is needed?

Upvotes: 13

Views: 3697

Answers (3)

user541686

Reputation: 210755

In case anyone has trouble with this even AFTER adding SSH keys to the GCE metadata:

Make sure your username is in the SSH key description section!

For example, if your SSH key is

ssh-rsa AAAA...zzzz

and your login is ubuntu, make sure you actually enter

ssh-rsa AAAA...zzzz ubuntu

since it appears Google copies the key to the authorized_keys of the user specified inside the key.

Upvotes: 8
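
The check this answer describes, as an added example that is not part of the original answer: a shell function that rewrites a public key line so its comment field is the login name before the line is pasted into the metadata SSH keys field. The function name, its return codes and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): make the comment field of a public
# key line equal to the login name, as the answer above recommends.

# fix_key_comment LINE LOGIN   (hypothetical helper name)
#   prints "<type> <base64> <LOGIN>" on stdout
#   returns 0 if the comment already matched LOGIN,
#           1 if the comment was missing or different and was rewritten,
#           2 if LINE is not a single OpenSSH public key line (nothing printed).
fix_key_comment() {
    line=$1
    login=$2
    # Split on whitespace: key type, base64 blob, then the free-form comment.
    set -f                  # disable globbing while word-splitting the line
    set -- $line
    set +f
    [ $# -ge 2 ] || return 2
    type=$1
    blob=$2
    shift 2
    comment=$*
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 2 ;;      # e.g. a pasted private key or an options prefix
    esac
    # The blob must consist of base64 characters only.
    case $blob in
        *[!A-Za-z0-9+/=]*) return 2 ;;
    esac
    printf '%s %s %s\n' "$type" "$blob" "$login"
    [ "$comment" = "$login" ] && return 0
    return 1
}

# Constructed sample: a key generated as root inside a container, so
# ssh-keygen gave it the comment root@container-id (blob is a placeholder).
sample='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 root@container-id'
fix_key_comment "$sample" ubuntu ||
    echo "status $?: 1 = comment rewritten, 2 = line rejected" >&2
```

A return status of 1 on a key you are about to add means its comment named some other account (or none), which is the situation the answer warns about.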

Yohanes Gultom

Reputation: 3842

In case anyone is still looking for a solution for this, I solved this issue by storing the SSH keys in Compute Engine metadata: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

Upvotes: 0

David

Reputation: 9731

It looks like the accounts daemon is doing this task. You could refer to this discussion thread for more details about this.

You might find the OS Login API an easier management option. Once enabled, you can use a single gcloud command or API call to add SSH keys.

Upvotes: 2
