SSH Key Problems

This section lists problems you might encounter while using SSH public keys to securely access your Compute Classic Linux instances.

My SSH public key doesn’t show up in the Create Instance wizard

Description

I’ve uploaded my SSH public key and I can see it on the SSH Public Keys page, but when I try to create an instance, the SSH key isn’t listed in the Create Instance wizard. So I’m unable to associate this key with any instance.

Solution

Check whether your SSH key has been disabled. If an SSH public key is disabled, it isn’t listed in the Create Instance wizard and you can’t associate it with your instance. Go to the SSH Public Keys page and update the SSH key to enable it, and then launch the Create Instance wizard again. See Enabling an SSH Public Key.

Can’t connect to an instance using SSH

Description

I've created an instance but can’t connect to it using SSH.

Solution

Check for each of the following possible causes:

  1. Is your instance configured for SSH access?

    All Oracle-provided Oracle Linux and Solaris instances are by default configured to allow SSH access. However, if you’re creating an instance using a private image or an image from Oracle Cloud Marketplace, the instance might not be configured to allow SSH access. Check with the owner of the machine image.

    Remember, also, that you can’t access Windows instances using SSH. If you’re trying to log in to a Windows instance, use RDP. See Accessing a Windows Instance Using RDP.

  2. Did you use the correct user?

    • To log in to an instance that was created by using an Oracle-provided Oracle Linux machine image, use the opc user.

      For instances created by using other machine images, find out which SSH-enabled users are defined in that machine image, and log in as one of those users.

    • To log in to an instance as a user that was created after the instance was provisioned, you must generate an SSH key pair for the new user and copy the public key to the ~/.ssh/authorized_keys file of the user. You must also add the new user to the list of allowed users in the /etc/ssh/sshd_config file on the instance. See Adding Users on an Oracle Linux Instance.

  3. Did you specify the correct public IP address of the instance?

    To find out the public IP address of your instance, view the information on the Instances page. See Listing Instances.

    If no public IP address is associated with the instance, reserve and associate a public IP address. See Reserving a Public IP Address and Updating an IP Reservation.

  4. Did you specify the correct private key?

    The private key that you specify must correspond to one of the public keys associated with the instance.

  5. Does the instance belong to a security list with the inbound policy set to deny?

    An instance can be associated with multiple security lists. You can find out which security lists an instance is attached to by viewing the details of the instance. See Monitoring Instances.

    You can see the policies used by each security list by viewing the details of the security list from the web console.

    If there’s a conflict between the policies of the various security lists, then the most restrictive policy is applicable. This means that if even one of the security lists that your instance is attached to has the inbound policy set to deny, then your instance can’t receive traffic.

    If this is the case, then create a security rule to explicitly allow traffic to a security list that your instance is attached to.

  6. Does the error message contain the following warning?

    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

    If yes, then see RSA key fingerprint error while connecting to an instance.

Can’t access an instance as a local user over SSH

Description

I created a local user on an instance by using the useradd command, but I can't access the instance over SSH as that user.

Solution

To SSH into an instance using a local user account created with useradd, you must generate an SSH key pair for the new user and copy the SSH public key to the appropriate path for the new user. You must also add the new user to the list of allowed users in the /etc/ssh/sshd_config file on the instance. See Adding Users on an Oracle Linux Instance.

RSA key fingerprint error while connecting to an instance

Description

When I try to SSH to my Compute Classic instance, I get a warning message like the following:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
d2:aa:50:d4:ff:dc:76:1d:16:95:4a:77:c4:12:87:0f.
Please contact your system administrator.
Add correct host key in /home/joe/.ssh/known_hosts to get rid of this message.
Offending key in /home/joe/.ssh/known_hosts:63
RSA host key for 11.12.13.14 has changed and you have requested strict checking.
Host key verification failed.

Solution

This error occurs when you use SSH to connect to an Oracle-provided Oracle Linux instance that has a new RSA key fingerprint.

The RSA key fingerprint of a Compute Classic instance changes when, for example, an instance that isn’t set up to boot from a persistent disk is re-created. When you first connected to your Compute Classic instance, the original RSA key fingerprint was stored on your local host. Subsequently, whenever you use SSH to connect to your instance, the instance sends its current fingerprint. The SSH client compares the received fingerprint with the locally stored fingerprint. If the fingerprints don’t match, then this error occurs, and the ssh command fails.

Note that this warning message is returned by the OpenSSH client on an Oracle Linux host. If you’re using a different SSH client or a different operating system, then the error message may be different.

To solve this error, you must remove the old (and now invalid) RSA fingerprint of the instance from the local host.

  • In Linux, the RSA key fingerprints are usually stored in the /home/user/.ssh/known_hosts file on the host from which you are trying to ssh to the instance. Each line in this file starts with the IP address or host name of a remote host. Open the file in a text editor, identify the line corresponding to the IP address of the instance that you’re trying to access, and delete that line.

  • In Windows, by default, PuTTY stores keys for known hosts under the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys registry key. Each key has a name in the format rsa2@22:ip_address. Using the Registry Editor, identify the key corresponding to the IP address of the instance that you’re trying to access, and delete it.

    Caution:

    Improper use of the Windows Registry Editor can cause serious problems. Before you do this, make sure that you’re aware of the associated risks. See the documentation accompanying the operating system of your local host.

The next time you use SSH to connect to the Compute Classic instance, a message is displayed indicating that the authenticity of the host can’t be established. At the prompt to continue connecting, enter yes. The new fingerprint is added to the local host, and the connection goes through.
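The Linux removal step above, as an added example that is not part of the original Oracle documentation: it drops only the known_hosts entries for one host, including entries whose host name is hashed (OpenSSH's HashKnownHosts format), and reports the fingerprints of the keys it removed. The function names and the sample file contents are constructed for illustration; on a host with OpenSSH installed, ssh-keygen -R followed by the IP address performs the same removal.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if the first known_hosts field names `host` exactly (plain or hashed form)."""
    if field.startswith("|1|"):          # hashed entry: |1|salt|HMAC-SHA1(salt, host)
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")      # plain entry: comma-separated names/addresses

def fingerprints(key_b64):
    """MD5 colon-hex (the style shown in the warning) and SHA256 fingerprints of a key."""
    blob = base64.b64decode(key_b64)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def forget_host(text, host):
    """Return (kept_text, removed) where removed lists (key_type, fingerprints) for `host`."""
    kept, removed = [], []
    for line in text.splitlines():
        parts = line.split()
        # Comments and @cert-authority/@revoked marker lines are always kept.
        if len(parts) >= 3 and not line.startswith(("#", "@")) and host_matches(parts[0], host):
            removed.append((parts[1], fingerprints(parts[2])))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def sample_blob(tag):
    """Constructed stand-in for a host key blob; not a real key."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()

def hashed_name(host):
    """Build a hashed host field with a constructed 20-byte salt."""
    salt = b"constructed-salt-20b"
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

SAMPLE = "\n".join([                     # constructed known_hosts contents
    "# constructed sample known_hosts",
    "11.12.13.14 ssh-rsa " + sample_blob(b"old"),
    hashed_name("11.12.13.14") + " ssh-rsa " + sample_blob(b"old"),
    "build.example.com,10.0.0.5 ssh-rsa " + sample_blob(b"other"),
]) + "\n"

if __name__ == "__main__":
    kept, removed = forget_host(SAMPLE, "11.12.13.14")
    for key_type, (md5_fp, sha_fp) in removed:
        print("removed", key_type, md5_fp, sha_fp)
    print(kept, end="")
```

Keeping the removed fingerprints gives you a record of the old host key, and the same fingerprints function can be applied to the new key so that it can be compared with a value obtained from the instance itself before you answer yes at the prompt.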