Introduction

One of the more frequent problems on Stackoverflow is Compute Engine SSH. This article will dive into how SSH is configured on Compute Engine and how to connect using various SSH tools. I will also cover how to create SSH key pairs and install them on Compute Engine.

Note: I am in the process of writing this article. I decided to release the first part early for everyone’s benefit.

Last Update: February 10, 2020

Initial Setup

In this step, we will set some defaults to minimize the number of command parameters required.

I will be using the Windows Command Prompt syntax. Switching to Linux usually means changing the line continuation character ^ to \ and adjusting the quoting of command line parameters.

Set the default region to us-central1

Set the default zone to us-central1-a

Double-check the default configuration

Which displays on my system as:

I removed extra information. Check that the account and project are set correctly.

Check for existing Google SSH Key Pair

The CLI will use an existing Google SSH Key Pair if one already exists. On Windows, several files are stored in the directory c:\Users\username\.ssh. The Google Key Pair filenames are:

  • google_compute_engine – This is the private key.
  • google_compute_engine.ppk – This is the PuTTY file format containing both the private and public key.
  • google_compute_engine.pub – This is the public key.

Note: The private key contains everything required. The public key can be extracted from the private key. The PPK is just a different file format containing both the private and public keys.

If these files exist, create a backup directory and move these files there so you can follow along with this tutorial. Do a file move instead of copy/delete so that the file permissions are not changed.

SSH Configuration on a New Compute Engine VM Instance

Create a new instance using the CLI with the minimum number of parameters. Use this command as the basis for future commands. To keep costs low, specify the machine type as f1-micro instead of the default, which is n1-standard-1. This article uses Ubuntu 18.04 (Bionic) as the VM instance operating system.

Fetch a list of machine types for a zone

A truncated list looks like this:

Create the first test instance

The output from the command:

Connect to the instance

The output from the command:

On Windows, this command launches a PuTTY SSH terminal window. You will either think this is normal or, if you know SSH well, magical. For some clouds, the first SSH connection setup is complicated. Now let’s investigate what really happened.

To connect to a system via SSH, three items are necessary:

  • username
  • SSH private key on the client computer
  • SSH public key on the remote computer setup with the SSH server

This means that the CLI did something on both the local computer and the Compute Engine VM instance.

In the PuTTY SSH terminal window type this command:

The output will look like this:

Notice a few items about the format:

  • Begins with the string “ssh-rsa”. This is the key type.
  • PEM-encoded data starting with “AAAAB3N”.
  • A comment at the end which happens to be the username/computer-name of my system.

For the previous command, I specified the ~ directory. This is the home directory for the logged-in user. What user is that? How did the CLI choose the username?

Get the logged-in username

In the PuTTY SSH terminal window type this command:

On my system, this results in:

How did the CLI choose the username?

In the output from gcloud config list one of the lines is account = john.hanley@example.com. The CLI uses the username part of the email address for the Linux username.

This means that if you use different Google Cloud credentials to SSH into an instance, you will log in as different users.

Specify the username

Maybe I prefer to use the username john instead of john.hanley. To do that specify the username in front of the instance name in the format username@instance_name.
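The public key line format described above (key type, data beginning “AAAAB3N”, comment) and the two username rules (local part of the account email, or an explicit username@instance_name) can be checked mechanically. The following is an added example, not code from the original article or from the gcloud CLI: it builds a constructed ssh-rsa line with a made-up modulus (never usable for authentication), parses it back into its three fields, decodes the data to show that the key type is embedded again at the front of the blob (which is why every ssh-rsa key begins with the same base64 prefix), and derives the Linux username exactly as the text describes. The account and instance names are sample values.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_sample_rsa_public_key_line(comment: str) -> str:
    """Build a CONSTRUCTED ssh-rsa public key line in the .pub / authorized_keys format.

    The modulus is a fixed sample number, not a real key, so this is only good for
    demonstrating the file format, never for authentication.
    """
    e = 65537
    n = int("C0FFEE" * 8, 16)  # constructed 192-bit stand-in for a modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> dict:
    """Split one public key line into its three fields and sanity-check the data.

    The second field is base64 of the SSH wire encoding; its first element is the
    key type again, which is why every ssh-rsa key starts with 'AAAAB3NzaC1yc2E'.
    A line whose prefix and embedded type disagree is rejected.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-data> [comment]'")
    key_type, data = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(data, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + length].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"key type {key_type!r} does not match embedded {embedded_type!r}")
    return {"type": key_type, "data": data, "comment": comment}


def linux_username(target: str, account: str) -> str:
    """Username the CLI logs in as: the part before '@' in the target when the
    username@instance_name form is used, otherwise the local part of the account email."""
    if "@" in target:
        return target.split("@", 1)[0]
    return account.split("@", 1)[0]


if __name__ == "__main__":
    line = make_sample_rsa_public_key_line("john.hanley@EXAMPLE-PC")
    print(line)
    print(parse_public_key_line(line))
    print(linux_username("instance-1", "john.hanley@example.com"))   # john.hanley
    print(linux_username("john@instance-1", "john.hanley@example.com"))  # john
```

Run it with a real line from ~/.ssh/google_compute_engine.pub to see the same three fields; the type check is the kind of consistency test worth applying to any key line you are about to accept into authorized_keys or instance metadata.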

Where does the CLI store the SSH key pair?

The CLI will generate a new Google SSH Key Pair if one does not already exist. On Windows, several files are stored in the directory c:\Users\username\.ssh. The Google Key Pair filenames are:

  • google_compute_engine – This is the private key.
  • google_compute_engine.ppk – This is the PuTTY file format containing both the private and public key.
  • google_compute_engine.pub – This is the public key.

Note: The private key contains everything required. The public key can be extracted from the private key. The PPK is just a different file format containing both the private and public keys.

The CLI will reuse the existing key pair when creating a new instance. The public key is set up on the remote instance.

Delete the test instance

We are now finished with this test instance. Delete it so that we can go to the next step.

Improving Google Compute Engine SSH security

Host Keys

A host key is a key pair that identifies a remote system. The host key is used to verify that you are connecting to the intended system and to prevent man-in-the-middle (MITM) attacks.

SSH host keys are stored as guest attributes. If guest attributes are enabled on the initial boot, Compute Engine stores the generated host keys as guest attributes. To enable guest attributes, add the command line parameter --metadata enable-guest-attributes=TRUE.
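The reason to read the host keys from guest attributes is that the client can then verify the key the instance presents instead of trusting it blindly on first connection. The following is an added example, not code from the original article or from Compute Engine: it models the guest attributes as a dictionary of key type to base64 key data (an assumed layout for the example), builds a constructed ssh-ed25519 host key (32 sample bytes in the real wire layout, not a real key), computes the OpenSSH-style SHA256 fingerprint, emits known_hosts lines, and reports a mismatch when the presented key differs in type or content. The IP address is a sample value.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_host_key(seed: int = 0) -> tuple:
    """CONSTRUCTED stand-in for an Ed25519 host public key: 32 bytes derived from the
    seed, wrapped in the real ssh-ed25519 wire layout. Returns (key_type, base64_data).
    Different seeds give different keys, which lets us simulate a mismatch."""
    fake_point = bytes((i + seed) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_point)
    return "ssh-ed25519", base64.b64encode(blob).decode()


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entries(host: str, guest_attrs: dict) -> list:
    """Turn host keys read from guest attributes into known_hosts lines so the client
    trusts the instance on its first connection instead of prompting."""
    return [f"{host} {key_type} {b64}" for key_type, b64 in sorted(guest_attrs.items())]


def host_key_matches(guest_attrs: dict, presented_type: str, presented_b64: str) -> bool:
    """True only when the key a server presents has the same type and fingerprint as
    the key Compute Engine recorded for that instance; anything else is a mismatch
    and the connection should not proceed."""
    expected = guest_attrs.get(presented_type)
    if expected is None:
        return False
    return fingerprint(expected) == fingerprint(presented_b64)


if __name__ == "__main__":
    key_type, recorded = make_sample_host_key()       # what guest attributes hold
    attrs = {key_type: recorded}                      # assumed layout: {type: base64}
    for entry in known_hosts_entries("10.128.0.2", attrs):
        print(entry)
    print(fingerprint(recorded))
    _, impostor = make_sample_host_key(seed=1)        # a different key for the same host
    print("genuine:", host_key_matches(attrs, key_type, recorded))   # True
    print("impostor:", host_key_matches(attrs, key_type, impostor))  # False
```

The fingerprint function produces the same SHA256:... string that the SSH client prints on first connection, so the value computed from guest attributes can be compared directly against what the client shows before you answer the trust prompt.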

Create a new test VM instance

Read the VM instance host keys

Command output:

Connect to the instance

The output from the command:

Enable project-wide guest attributes


Display project info

The output includes guest attributes and remembered SSH public keys.


Summary


More Information

Credits

I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Piet Bakker at Pexels.