Oracle Cloud: Permission denied (publickey,gssapi-keyex,gssapi-with-mic) - oracle-cloud-infrastructure

I created an new Oracle cloud Linux instance, downloaded the private and public keys on creation, and now I cannot access it. I followed the guides and searched around, but I can mostly just find people who got their keys mixed up, which I have double-checked.
It shows as running, but if I try to SSH by doing:
ssh -i ssh-key-2022-09-18.key ops#xxx.xxx.xxx.xxx
Then I get:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Any help?

If you have used the OCI auto generated keys during Instance Creation then the default username is opc and not ops as mentioned in your question.
You will only be able to connect via SSH only if the keys are not misplaced as there is no way to retrieve the private key after the instance is created.
In case you have misplaced the keys then to upload new keys you will have to work with the boot volume (refer this answer How do you change the public key of a Oracle Cloud Instance? for more details on how to add new SSH key)
Note: To access OCI Instance, there are many other prerequisites like having public IP or accessing via bastion, etc. Please review this https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/accessinginstance.htm document for more details.

Related

When connecting to an oracle cloud instance it asks me for a username and password

I just created an instance in oracle cloud and I managed to connect to it by ssh but when completing the connection it asks me for a password and a user that I do not know, I have not set this protection at any time.
The default username for all compute instances is "opc", which is mentioned in the documentation. During instance creation you must either download the generated SSH private key or provide self-generated keys for upload to the new instance. If you don't download the private key from Oracle or upload your own public key, then there won't be any way to connect to the instance using SSH. There is no password option. This is stated explicitly in the "Add SSH Keys" section of the "Create Compute Instance" screen when creating the instance.
OCI Documentation: https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/launchinginstance.htm
You cannot provide a public key or save the key pair that is generated
by Oracle Cloud Infrastructure after the instance is created.
The following link describes various methods of creating SSH key pairs for use if you choose to create your own rather than download the ones provided by Oracle.
https://docs.oracle.com/en/learn/generate_ssh_keys/index.html#introduction

Navicat or MySQL Workbench SSH Tunnel with MFA

Is it even possible to use Navicat or MySQL workbench (or any other tool) to connect to an Amazon RDS via a jump box like a bastion host?
I can do this if I manually open an ssh tunnel in a terminal like so:
ssh -A <my_user>#<bastion_endpoint> -L 3306:<RDS_ENDPOINT>:3306
Then connect to localhost:3306 from the mysql tool, this works. It's important to know that on the bastion MFA is required to login.
I can't even connect to my bastion box from Navicat using the exact same credentials as I used in the terminal/command line. I get the error:
Access denied for 'none'. Authentication that can continue: keyboard-interactive (11)
So I went to the bastion box and removed keyboard-interactive from the authentication methods and it works. However, that obviously breaks the MFA I'm using so that's not an option.
Is there any other configuration I need to do on my bastion box in order to make this work, or is this simply not possible?
Turns out my sshd configuration was fine, however, I did go back and enable auto pushing with MFA.
Navicat
If auto push is disabled for MFA you need to select Password and Public Key (even though we're just using a public key here). In the password field it can be blank, if auto push is enabled, otherwise put the number of your selection you want to be notified here (thats right it's not a normal password, dumb I know). Then just use your normal private key and password for the private key and it should connect fine.
MySQL Workbench / Sequel Pro
You MUST have autopush or something similar to it in order to work with MFA. If I didn't have auto push enabled it would fail to connect. Again use Password and Public Key. The password to the instance is blank then its just the normal public key and password for you public key.
IntelliJ
This is nicer. It will work with prompting with the MFA choice if you don't have auto push enabled. Unlike the others you can select the Public Key option instead of Password and Public Key and it should connect and work fine.
- - - - - Errors With Rotating IPs - - - - -
Now unfortunately you will get the annoying "man-in-the-middle" scary error with ssh if you have a constant endpoint with rotating IPs under it (like I did). If that's the case ONLY IntelliJ offers a checkbox for ignore StrictHostSSHKeyChecking.
So to get around that ONLY for this specific endpoint you can make it be forced to ignore SSH Key Checking. To do that add the following entry to your ~/.ssh/config file:
# changing IPs
Host my-custom-host.com
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
You can use as many wildcards in the Host section which is nice. So customize it to your needs. Now you won't be checking the ssh key but it's better than having to daily (or how often the IP gets rotated) delete the endpoint entry in ~/.ssh/known_hosts.
Hopefully this helps to save someone a lot of pain.

Why don't I have access to the database from aws lambda but have from a local computer with the same login data?

I created a new Mysql database in Amazon RDS, and on my local computer I get access through the console
mysql -u username -p -h test.c2nfdg67dbdpb.us-east-1.rds.amazonaws.com
Now I try to connect via Aws Lamda using python and pymysql module
rds_host = "test.c2nfdg67dbdpb.us-east-1.rds.amazonaws.com"
name = 'username'
password = 'pass'
db_name = 'dbtest'
conn = pymysql.connect(rds_host, user=name, passwd=password, db=db_name, connect_timeout=5)
and got an error ERROR] 2019-11-20T14:30:05.261Z 7b1ed2e0-03ba-4c62-9525-22d84582f (1049, "Unknown database 'dbtest'")
It seems strange that I don't use the database name at all through the local console and I get access.
p.s.I run show databases; on local console and cant see dbtest in databaselist. I was confused because when I created the new database, I entered a name, but only default databases are listed. What am I connected to then?
p.s.s
hm why DB name is undefined ?
Your code explicitly tries to connect a specific database named dbtest. It will either connect to this database or fail, contrary to your mysql client which can connect without a database selection. Clearly, the database is missing, since you verified that show databases results does not include dbtest.
Then only possible explanation is that the database was never created.
The RDS console provides the ability to create a database with default settings. That's the way I used it. But no physical database is created, only database instances.
I can't found a way to add a new database to the created instance. Now, after a few hours of troubleshooting, I recreated the new database without using the default settings and there was a point - database name entry. I added this name and everything worked out.
But here's what I don't understand is why AWS added a quick creation way, which in the end doesn't actually create a database that you can join.
If you have created the database in Amazon RDS and are able to connect to it from your local computer, it may be a connection/permission issue with your lambda. Your Lambda function may be inside a VPC subnet with no internet access. Either pull it out of the VPC or grant internet access to the Lambda function like this:
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
However, if your Lambda function will be communicating with RDS instances, you should consider doing this via private channels for security purposes.
Update
A third possibility is that the database in question doesn't exist even though the asker implies that there was a successful connection to the database from his/her local computer.

How do I resolve this error when trying to connect to an SQL server hosted on a Google Compute Engine Ubuntu VM

For a database course that I'm in, the professor has tasked us with setting up several VM MySQL servers and remote connections. I've found proper documentation to solve most of my problems, but I've pored over docs trying to find a solution to my latest issue.
I've set up an Ubuntu VM on the Google Cloud Compute Engine. I installed a MySQL server to this VM instance, and I need to log in remotely from my laptop. I've followed this documentation https://cloud.google.com/solutions/mysql-remote-access and this youtube video https://www.youtube.com/watch?v=f5qQDm3ciDg.
However, I still get an Unable to Connect to Server message when I test my connection. What could I be overlooking that will help me connect?
Thanks!
So, I slammed my head against a wall for long enough to realize that ssh will be an easier solution than a direct connection.
So, at least for my Windows machine, these are the steps I followed to make the connection:
Download the sql server (You don't need to add a user unless necessary, and you don't change the bind-address in the config file).
Use PuTTYgen to create a private public key pair. Export the private key as an openssh format (in the export options)
Click the edit button on your VM instance then scroll down to the SSH key section.
Paste the public key into the text box (be sure to change the last comment portion to a username on the Linus VM)
Use the SSH connection on MySQL Workbench. Use the external IP of your VM as the first (ssh) host name and localhost as the second (SQL) host name. Input all other info as it is asked for.

Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

After creating the instance, I can login using gcutil or ssh. I tried copy/paste from the ssh link listed at the bottom of the instance and get the same error message.
The permission denied error probably indicates that SSH private key authentication has failed. Assuming that you're using an image derived from the Debian or Centos images recommended by gcutil, it's likely one of the following:
You don't have any ssh keys loaded into your ssh keychain, and you haven't specified a private ssh key with the -i option.
None of your ssh keys match the entries in .ssh/authorized_keys for the account you're attempting to log in to.
You're attempting to log into an account that doesn't exist on the machine, or attempting to log in as root. (The default images disable direct root login – most ssh brute-force attacks are against root or other well-known accounts with weak passwords.)
How to determine what accounts and keys are on the instance:
There's a script that runs every minute on the standard Compute Engine Centos and Debian images which fetches the 'sshKeys' metadata entry from the metadata server, and creates accounts (with sudoers access) as necessary. This script expects entries of the form "account:\n" in the sshKeys metadata, and can put several entries into authorized_keys for a single account. (or create multiple accounts if desired)
In recent versions of the image, this script sends its output to the serial port via syslog, as well as to the local logs on the machine. You can read the last 1MB of serial port output via gcutil getserialportoutput, which can be handy when the machine isn't responding via SSH.
How gcutil ssh works:
gcutil ssh does the following:
Looks for a key in $HOME/.ssh/google_compute_engine, and calls ssh-keygen to create one if not present.
Checks the current contents of the project metadata entry for sshKeys for an entry that looks like ${USER}:$(cat $HOME/.ssh/google_compute_engine.pub)
If no such entry exists, adds that entry to the project metadata, and waits for up to 5 minutes for the metadata change to propagate and for the script inside the VM to notice the new entry and create the new account.
Once the new entry is in place, (or immediately, if the user:key was already present) gcutil ssh invokes ssh with a few command-line arguments to connect to the VM.
A few ways this could break down, and what you might be able to do to fix them:
If you've removed or modified the scripts that read sshKeys, the console and command line tool won't realize that modifying sshKeys doesn't work, and a lot of the automatic magic above can get broken.
If you're trying to use raw ssh, it may not find your .ssh/google_compute_engine key. You can fix this by using gcutil ssh, or by copying your ssh public key (ends in .pub) and adding to the sshKeys entry for the project or instance in the console. (You'll also need to put in a username, probably the same as your local-machine account name.)
If you've never used gcutil ssh, you probably don't have a .ssh/google_compute_engine.pub file. You can either use ssh-keygen to create a new SSH public/private keypair and add it to sshKeys, as above, or use gcutil ssh to create them and manage sshKeys.
If you're mostly using the console, it's possible that the account name in the sshKeys entry doesn't match your local username, you may need to supply the -l argument to SSH.
Ensure that the permissions on your home directory and on the home directory of the user on the host you're connecting to are set to 700 ( owning user rwx only to prevent others seeing the .ssh subdirectory ).
Then ensure that the ~/.ssh directory is also 700 ( user rwx ) and that the authorized_keys is 600 ( user rw ) .
Private keys in your ~/.ssh directory should be 600 or 400 ( user rw or user r )
I was facing this issue for long time. Finally it was issue of ssh-add. Git ssh credentials were not taken into consideration.
Check following command might work for you:
ssh-add
I had the same problem and for some reason The sshKeys was not syncing up with my user on the instance.
I created another user by adding --ssh_user=anotheruser to gcutil command.
The gcutil looked like this
gcutil --service_version="v1" --project="project" --ssh_user=anotheruser ssh --zone="us-central1-a" "inst1"
I just experienced a similar message [ mine was "Permission denied (publickey)"] after connecting to a compute engine VM which I just created. After reading this post, I decided to try it again.
That time it worked. So i see 3 possible reasons for it working the second time,
connecting the second time resolves the problem (after the ssh key was created the first time), or
perhaps trying to connect to a compute engine immediately after it was created could also cause a problem which resolves itself after a while, or
merely reading this post resolves the problem
I suspect the last is unlikely :)
I found this error while connecting ec2 instance with ssh.
and it comes if i write wrong user name.
eg. for ubuntu I need to use ubuntu as user name
and for others I need to use ec2-user.
You haven't accepted an answer, so here's what worked for me in PuTTY:
Without allowing username changes, i got this question's subject as error on the gateway machine.
You need to follow this instructions
https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair
If get "Permission denied (publickey)." with the follow command
ssh -i ~/.ssh/my-ssh-key [USERNAME]#[IP_ADDRESS]
you need to modify the /etc/ssh/sshd_config file and add the line
AllowUsers [USERNAME]
Then restart the ssh service with
service ssh restart
if you get the message "Could not load host key: /etc/ssh/ssh_host_ed25519_key" execute:
ssh-keygen -A
and finally restart the ssh service again.
service ssh restart
I followed everything from here:
https://cloud.google.com/compute/docs/instances/connecting-to-instance#generatesshkeypair
But still there was an error and SSH keys in my instance metadata wasn't getting recognized.
Solution: Check if your ssh key has any new-line. When I copied my public key using cat, it added into-lines into the key, thus breaking the key. Had to manually check any line-breaks and correct it.
The trick here is to use the -C (comment) parameter to specify your GCE userid. It looks like Google introduced this change last in 2018.
If the Google user who owns the GCE instance is myname#gmail.com (which you will use as your login userid), then generate the key pair with (for example)
ssh-keygen -b521 -t ecdsa -C myname -f mykeypair
When you paste mykeypair.pub into the instance's public key list, you should see "myname" appear as the userid of the key.
Setting this up will let you use ssh, scp, etc from your command line.
Add ssh public key to Google cloud
cat ~/.ssh/id_rsa.pub
go and click your VM instances
edit VM instances
add ssh public key(from id_rsa.pub) in SSH keys area
ssh login from Git bash on your computer
ssh -i ~/.ssh/id_rsa tiennt#x.y.z.120