Why doesn't Compute Engine SSH access work with the username defined on SSH key creation?

I'm starting to work with GCP and am currently learning how to work with Compute Engine.

I've followed the tutorial to set up the SSH keys on Compute Engine, but an odd thing happens. My Google e-mail is: [email protected]. The first time, I could access the machine using the gcloud CLI tool, but I wanted to configure a third-party SSH tool to access it. So, I created the keys with my username: ssh-keygen -t rsa -f ~/.ssh/instance-1-trial -C ascadini.services. This generated a correct SSH file, which I copied to Metadata SSH Keys.

The problem is that the connection fails when I try to connect using that username.

agstcadini@Augustos-MacBook-Air .ssh % ssh -i instance-1-trial [email protected]
[email protected]: Permission denied (publickey).

And it works fine when I use:

ssh -i instance-1-trial ascadini_services_gmail_com@XX

I figured out to use ascadini_services_gmail_com because, when I was connected to the machine, I listed the users under ~/home:

ascadini_services_gmail_com@instance-1:/home$ ls
agstcadini  ascadini_services  ascadini_services_gmail_com

So I have no idea why the three users were created, or why the ascadini.services username defined on the SSH key does not work. Also, why were the . characters replaced with _ in the username folders beneath the home folder?


Solution 1:

The SSH key pair intrinsically doesn't have any username associated. When the key is created, you define no username. That part after the base64 block in the public key serves just as a comment, to remind you when this particular key was created. It has absolutely no effect on authentication.

You can install this public key into any SSH server for any user. The user who is able to authenticate with this key pair is defined at the actual public key installation, not at key creation. The server would accept authentication as the user for which you installed the key, not as the user whose name was specified in the key comment (it could easily be that there is not even a system user with that name on the server).

Usually (on Linux systems using OpenSSH software) it gets installed by appending a line containing the public key to ~/.ssh/authorized_keys, where ~ is the home directory of some user. It is this user who can then authenticate using the corresponding private key.

It just so happens that Google Cloud uses usernames of this form, where dots are replaced with underscores. There is no apparent reason for this; it's just their decision, probably based on some internal knowledge of their system. But in general, Unix-based systems don't like usernames with dots.