Instance connection issues (Linux)

This document describes troubleshooting steps for SSH connection-related issues in a Linux server.

• Pre-check items
  • Check default usernames
  • Check security groups and route tables
  • Check state of Linux server
• SSH Error Messages
  • WARNING: UNPROTECTED PRIVATE KEY FILE!
  • Load key {SSH key file} : invalid format
  • Warning: Identity file {SSH key file} not accessible: No such file or directory.
  • ssh: connect to host {Host} port 22: Operation timed out
  • WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
  • Permission denied (publickey), Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  • ssh connect to host {Server IP} port 22: Network is unreachable

---

Pre-check items

Before resolving SSH connection issues on a Linux server, please check the following items first.

Check default usernames

The default usernames for instances are as follows. You can check the default usernames at KakaoCloud console > Virtual Machine > Instance menu > [More] icon > Use SSH to connect.

OS	Default username
Ubuntu	ubuntu
CentOS	centos
Rocky Linux	rocky
Alma Linux	almalinux

info

KakaoCloud supports SSH key-based connection by default, and SSH uses port 22.

Check security groups and route tables

• Verify that the network is properly connected from the source to the Linux server.
• Check the security group associated with the instance to ensure that connections are allowed. And, inspect the route table to ensure there are no communication issues in the network path.

Check state of Linux server

Verify if the Linux server is functioning properly:

• Ensure that the instance is in the Active state in the KakaoCloud console.
• Check if { Hostname } login: is being output in the instance's system logs.
  • You can check the system log at KakaoCloud console > Virtual Machine > Instance menu > [More] icon > View system log.

---

SSH Error Messages

The followings are the error messages that may occur when attempting to SSH and their respective solutions.

WARNING: UNPROTECTED PRIVATE KEY FILE!

This error occurs when too many permissions are granted to the SSH key file.

ssh -i {SSH key file} ubuntu@'{HOST}' -v

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0666 for '{SSH key file}' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

▶️ Follow these steps to change the permissions of the SSH key file.

1. Check the current permissions of the SSH key file.

   ls -al {SSH key file}

2. Change the permissions of the SSH key file to allow only the owner to read.

   chmod 0400 {SSH key file}

---

Load key {SSH key file} : invalid format

This error occurs when the SSH key file is not in the correct format or when the file is corrupted or improperly saved.

ssh -i {SSH key file} ubuntu@{HOST}  
Load key "{SSH key file}": invalid format
{HOST}: Permission denied (publickey).

▶️ Open the SSH key file to check its contents.

If the key is in the correct format, it should follow the format below. If it does not match this format, verify whether the key is valid. If there are issues with the key file, you may need to generate a new key pair for recovery. For more information, refer to the Resolve lost key pair.

RSA ssh key format

vi {SSH key file}

-----BEGIN RSA PRIVATE KEY-----
contents...
-----END RSA PRIVATE KEY-----

---

Warning: Identity file {SSH key file} not accessible: No such file or directory.

This error occurs when the SSH key file cannot be found.

ssh -i {SSH key file} ubuntu@{HOST}
Warning: Identity file {SSH key file} not accessible: No such file or directory.
{HOST}: Permission denied (publickey).

▶️ Check if the SSH key file exists and if access to the directory where the SSH key file is located is possible.

ls -al {SSH key file}

---

ssh: connect to host {Host} port 22: Operation timed out

This error occurs when a timeout occurs while attempting to connect to the server.

ssh -i {SSH key file} ubuntu@'{HOST}' -v
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/kakao_ent/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to '{HOST}' port 22.
debug1: connect to address '{HOST}' port 22: Operation timed out
ssh: connect to host '{HOST}' port 22: Operation timed out  

▶️ To resolve the issue, please check the followings.

• Ensure that the network connection from the source to the Linux server is established properly.
• Verify whether the connections are allowed in the security group and check the route table to ensure there are no communication issues.
• Check in the KakaoCloud console if the instance is in an 'Active' state.
• If there are issues with the SSH daemon, consider restarting the instance as direct SSH access to the server might not be possible for troubleshooting.

---

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

This error indicates that the SSH client has detected a change in the identification information of a previously connected server. Such changes can signify security issues and should be handled with caution. This error may occur in the following situations:

• Changed host key: This occurs when the SSH server's host key has been altered. Host keys uniquely identify servers and ensure the security of connections. Host keys are typically generated when the SSH client first connects to a server, and warnings like these can occur if the host key on the server has changed. Host keys may also change if the SSH server is reset or reinstalled.

• Man-in-the-middle attack: There is also the possibility of a man-in-the-middle attack, where a malicious actor intercepts and alters network traffic.

  ssh -i {SSH key file} ubuntu@'{HOST}'
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that a host key has just been changed.
  The fingerprint for the ED25519 key sent by the remote host is
  SHA256:PtRMM9ps+sHDxMmgDlabcdefghaddfQQpylRabcdefg6bPI.
  Please contact your system administrator.
  Add correct host key in ~/.ssh/known_hosts to get rid of this message.
  Offending ECDSA key in ~/.ssh/known_hosts:25
  Host key for {HOST} has changed and you have requested strict checking.
  Host key verification failed.

▶️ In a scenario where you are aware of the change in the server's HOST key and assuming there are no security concerns, you can resolve the issue as follows:

• Solution 1

  Delete the HOST key and perform SSH reconnection:

  1. Open the ~/.ssh/known_hosts file on the SSH client.

  2. Delete the registered HOST key entry for the source server and save the changes.

  3. Attempt SSH connection again afterward.

     ssh -i {SSH key file} ubuntu@'{HOST}' 

• Solution 2

  Add the -o StrictHostKeyChecking=no option each time you connect to the server:

  ssh -i {SSH key file} -o StrictHostKeyChecking=no ubuntu@'{HOST}' 

---

Permission denied (publickey), Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

This error can occur due to various reasons, primarily including the following:

• Attempting SSH connection with a different SSH key

• Attempting SSH connection with an incorrect user

• Trying to SSH connect without specifying a key

• Attempting SSH connection when the SSH key setting for the instance is not properly configured after instance creation, among other reasons.

  ssh -i {SSH key file} ubuntu@'{HOST}'
  
  '{SSH key file} ubuntu@{HOST}': Permission denied (publickey).

▶️ As the cause of this error varies, take necessary actions based on the specific cause.

When creating an instance for the first time in KakaoCloud, communication with the 169.254.169.254 (KakaoCloud Meta) server is necessary for instance setup. If the communication with the 169.254.169.254 server is not allowed in the security group, it can lead to issues with the SSH key setup for the instance, resulting in this error.
Therefore, when creating the initial instance, ensure that communication with 169.254.169.254 is allowed in the security group.

---

ssh connect to host {Server IP} port 22: Network is unreachable

This error occurs when there is no route to the destination host or when it is unreachable. It can mainly occur due to the following reasons:

• Error in network configuration: The system's network configuration may be incorrect, such as incorrect IP addresses, subnet masks, or route table settings.

• Error in gateway configuration: The gateway used to find the route to the destination host may not be correctly configured. This error can occur if the gateway is not connected to the network or if its settings are incorrect.

  ssh -i {SSH key file} ubuntu@'{HOST}'
  
  ssh: connect to host {Server IP} port 22: Network is unreachable

▶️ Refer to VPC to inspect the network configuration and settings for gateways and route tables.