SSH key authentication fails for PA-VM on GCP after launching when OS Login is enabled

Created On 06/17/24 09:57 AM - Last Modified 02/24/26 21:17 PM


Symptom


  • When a PA-VM series firewall is initialized on GCP, an SSH key pair is generated to authenticate with the VM-Series firewall.
  • Once the PA-VM is launched, the SSH key pair is used to connect and then change the administrator password on the firewall.
  • The first connection to the PA-VM using the SSH key pair fails and prompts for a password, which is unavailable before the admin password is reset.


Environment


  • Palo Alto VM Firewalls
  • Google Cloud Platform (GCP)


Cause


  • The GCP OS Login feature is enabled at the project level or at the instance level.
  • When OS Login metadata is set, Compute Engine deletes the VM's authorized_keys files and no longer accepts connections from SSH keys that are stored in project or instance metadata.
  • This can be verified in the configuration:
    • At the project level: in the project, go to Compute Engine, then under Settings go to Metadata
      - Key enable-oslogin, Value TRUE
    • At the instance level: under Custom metadata, verify whether the Key enable-oslogin has a value of TRUE
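
The same check can be run against `gcloud` output instead of the console. The following is an added example, not part of the original article or Palo Alto Networks tooling: the function names and the sample JSON are constructed for illustration, and the case-insensitive match on TRUE is an assumption. It reads the project and instance metadata and reports which level the effective enable-oslogin value comes from.

```python
import json

KEY = "enable-oslogin"

def metadata_value(items, key=KEY):
    """Return the value stored for key in a metadata 'items' list, or None."""
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None

def oslogin_status(project_json, instance_json):
    """Resolve the effective enable-oslogin setting for one instance.

    Inputs are the JSON text printed by:
      gcloud compute project-info describe --format=json
      gcloud compute instances describe NAME --zone ZONE --format=json
    """
    project = json.loads(project_json)
    instance = json.loads(instance_json)
    proj_val = metadata_value((project.get("commonInstanceMetadata") or {}).get("items"))
    inst_val = metadata_value((instance.get("metadata") or {}).get("items"))
    # A key set in instance metadata takes precedence over the project value.
    if inst_val is not None:
        source, value = "instance", inst_val
    elif proj_val is not None:
        source, value = "project", proj_val
    else:
        source, value = None, None
    # Assumption: the value is compared case-insensitively against TRUE.
    enabled = value is not None and value.strip().upper() == "TRUE"
    return {"enabled": enabled, "source": source,
            "project": proj_val, "instance": inst_val}

# Constructed sample data: key set at project level, absent on the instance.
SAMPLE_PROJECT = json.dumps({
    "name": "example-project",
    "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
})
SAMPLE_INSTANCE = json.dumps({
    "name": "pa-vm-example",
    "metadata": {"items": [{"key": "serial-port-enable", "value": "true"}]},
})

if __name__ == "__main__":
    print(oslogin_status(SAMPLE_PROJECT, SAMPLE_INSTANCE))
```

The `source` field shows whether the key has to be removed from the project metadata or from the instance's custom metadata.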
       


Resolution


  1. Disable OS Login: delete the Key from the Metadata settings at the project or the instance level
  2. Click on Edit > Click on the Delete icon > Save


Additional Information


https://cloud.google.com/compute/docs/oslogin
https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

