The "Permission denied (publickey)" error typically occurs when SSH authentication fails due to mismatched keys or incorrect permissions. From your debug output, we can see:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: bitnami-gce.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
This indicates the client is presenting a key, but the server isn't accepting it. Let's examine the complete solution path.
First, ensure proper file permissions on your local machine:
chmod 600 bitnami-gce.pem
chmod 700 ~/.ssh
Incorrect permissions often cause silent failures in SSH authentication.
Bitnami VMs typically use a non-standard username. The default is usually bitnami or userbitnami. Try:
ssh -i bitnami-gce.pem bitnami@your-server-ip
If unsure, check your instance metadata in Google Cloud Console:
gcloud compute instances describe YOUR_INSTANCE_NAME --format="value(metadata.ssh-keys)"
Older OpenSSH versions (like your 6.2) may need PEM keys converted to the newer format:
ssh-keygen -p -f bitnami-gce.pem -m pem
Or convert to OpenSSH format:
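# -p rewrites the key in place, so work on a copy; OpenSSH 7.8 and later write the OpenSSH format by default
cp bitnami-gce.pem openssh_key
ssh-keygen -p -f openssh_key
ssh -i openssh_key bitnami@your-server-ip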
When accessing via Google Console works but CLI fails, check the authorized_keys file:
# Via Cloud Console:
cat ~/.ssh/authorized_keys
ls -la /home/bitnami/.ssh/
Compare the public key fingerprint:
ssh-keygen -lf bitnami-gce.pem
To enable password auth (security risk), edit /etc/ssh/sshd_config:
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Then restart SSH:
sudo service ssh restart
Set a password for the bitnami user:
sudo passwd bitnami
For more reliable connections, create a ~/.ssh/config entry:
Host gce-bitnami
    HostName YOUR_SERVER_IP
    User bitnami
    IdentityFile ~/path/to/bitnami-gce.pem
    IdentitiesOnly yes
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
Then connect simply with:
ssh gce-bitnami
Use triple verbose mode for maximum debugging:
ssh -vvv -i bitnami-gce.pem bitnami@your-server-ip
Key things to check in output:
- Key file being read correctly
- Server accepting key algorithm
- Username being sent
- Authentication methods being offered
Google Compute Engine manages SSH keys through project metadata. To add your key:
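# Entries use the username:publickey format; this replaces the instance's existing ssh-keys value
gcloud compute instances add-metadata YOUR_INSTANCE_NAME \
  --metadata ssh-keys="bitnami:$(cat ~/.ssh/id_rsa.pub)"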
Or via the Console:
1. Navigate to Compute Engine > Metadata
2. Add your public key to SSH Keys section
3. Format as: username:publickey
If locked out completely, use Google's serial console:
gcloud compute connect-to-serial-port YOUR_INSTANCE_NAME
From there you can reset SSH settings or create a new admin user.
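The fingerprint comparison and the username:publickey metadata format described above can be checked offline against the output of the gcloud describe command and the public key line from ssh-keygen -y. The following is an added example, not part of the original answer: it computes the SHA256 fingerprint that ssh-keygen -lf prints on current OpenSSH and reports whether the metadata maps the key to the login user. The key lines, the deploy username and all function names are constructed for illustration.

```python
import base64, hashlib, struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def mpint(v: int) -> bytes:
    return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))

def constructed_rsa_pub(seed: bytes, comment: str) -> str:
    """Constructed sample: a well-formed ssh-rsa line, not a usable key."""
    n = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | 1
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` on current OpenSSH."""
    algo, b64 = pub_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != algo:
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_ssh_keys_metadata(value: str):
    """Split an ssh-keys value into (username, fingerprint) pairs and bad lines."""
    entries, malformed = [], []
    for line in filter(None, map(str.strip, value.splitlines())):
        user, sep, key = line.partition(":")
        try:
            if not sep or not user or " " in user:
                raise ValueError("entry lacks the username: prefix")
            entries.append((user, fingerprint(key)))
        except (ValueError, struct.error):
            malformed.append(line)
    return entries, malformed

def diagnose(local_pub: str, metadata: str, login_user: str) -> str:
    """Report whether the metadata maps this key to login_user."""
    entries, _ = parse_ssh_keys_metadata(metadata)
    users = sorted(u for u, fp in entries if fp == fingerprint(local_pub))
    if login_user in users:
        return "match"
    return f"wrong-user:{','.join(users)}" if users else "key-not-registered"

# Constructed sample data (assumed usernames; the last entry lacks a username)
MINE = constructed_rsa_pub(b"laptop", "me@laptop")
OTHER = constructed_rsa_pub(b"ci", "ci@build")
METADATA = f"bitnami:{MINE}\ndeploy:{OTHER}\n{OTHER}\n"
```

A "wrong-user" result means the key is registered but under a different login name than the one passed to ssh, which produces the same "Permission denied (publickey)" message as an unregistered key.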
The SSH authentication failure typically occurs due to mismatched key permissions or incorrect key formats. The debug output reveals that while the client successfully reads the PEM key, the server still rejects authentication.
# First check key permissions (should be 400)
chmod 400 bitnami-gce.pem
# Verify key format
file bitnami-gce.pem
# Should output: "bitnami-gce.pem: PEM RSA private key"
# Check key fingerprint matches server
ssh-keygen -lf bitnami-gce.pem
Try these variations of the SSH command:
# Offer only the key given with -i (ignore agent and default keys)
ssh -i bitnami-gce.pem -o IdentitiesOnly=yes xxx@1xx.1xx.5x.1xx
# Force the RSA host key algorithm (for older systems)
ssh -i bitnami-gce.pem -o HostKeyAlgorithms=ssh-rsa xxx@1xx.1xx.5x.1xx
# Verbose output for debugging
ssh -vvv -i bitnami-gce.pem xxx@1xx.1xx.5x.1xx
To enable password authentication (not recommended for production):
- First SSH via Google Console
- Edit SSH config:
sudo nano /etc/ssh/sshd_config
# Change these lines:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# Then restart service:
sudo service ssh restart
When SSH fails completely:
# Use gcloud command (if SDK installed)
gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]
# Serial console access (last resort)
gcloud compute instances add-metadata [INSTANCE_NAME] \
  --metadata=serial-port-enable=1
gcloud compute connect-to-serial-port [INSTANCE_NAME]
Sometimes converting key formats helps:
# Rewrite the private key in PEM format (in place)
ssh-keygen -p -m PEM -f bitnami-gce.pem
# Extract public key (overwrites any existing ~/.ssh/id_rsa.pub)
ssh-keygen -y -f bitnami-gce.pem > ~/.ssh/id_rsa.pub