Ask Your Question

SSH to instance in Physical Network fails "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)"

asked 2019-01-17 19:15:37 -0600

nconiglio gravatar image

The problem described. When I want to access to an instance that is on physical/provider network, I get this error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic) I am connecting with a key pair file.

This only happens in the mentioned external network, because if I launch an instance in the private network with the same authentication method and key pair file, I can access with no problems.

This is the ssh -vvv output of failed ssh connection. If you need anything else i am happy to provide it. Thanks in advance!

Regards, nconiglio

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file KeyPair.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file KeyPair.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to as 'centos'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:14
debug3: load_hostkeys: loaded 1 keys from
debug3: hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs:,,,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms:,,,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,,,,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos:,aes128-ctr,aes192-ctr,aes256-ctr,,,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc:,aes128-ctr,aes192-ctr,aes256-ctr,,,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:,,,,,,,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,,zlib
debug2: compression stoc: none,,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos ...
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2019-01-17 20:58:30 -0600

SSH keys are normally transferred to the instance via metadata. Problem: The metadata server is not connected to the physical network. There are solutions on, for example (I haven't tried it).

It's also possible to configure Nova so that SSH keys are injected into the instance's filesystem (only if it's a Linux instance).

edit flag offensive delete link more


Thanks for your help, the diagnostic and the solutions. Just perfect The first solution doesn't looks to be clear. I don't know why, but my server calls physical router for getting metadata instead of my controller host( Calling '' failed

nconiglio gravatar imagenconiglio ( 2019-01-18 09:47:59 -0600 )edit

The second solution works for an instance created from the CLI, and from an image. If I create the instance from Horizon, it force to create a volume (for persistent storage), and the KeyPair is not injected. "Be aware that the injection is not possible when the instance gets launched from a volume"

nconiglio gravatar imagenconiglio ( 2019-01-18 09:51:17 -0600 )edit

For 1st solution, if you use provider network, the DHCP must post routing rules for address. If you have enable dhcp on your subnet and DHCP agent run must do this. If you use your own DHCP out of openstack then you must add these options. Check the routes from working environment.

tze gravatar imagetze ( 2019-01-23 01:49:10 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2019-01-17 19:15:37 -0600

Seen: 88 times

Last updated: Jan 17