https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533827#M1837 <P>we are having s simlier issue, with or without management swap at instance launch state, firewall still asking for password. Launched almost 10 firewalls (BYOL, bundle2) and same behavior. tried to change the pem key aswell, no luck. this is really frustrating, I have launched couple of paloalto firewalls in the past but never experienced like this. anyone found the solution.&nbsp;</P> <P>&nbsp;</P> Thu, 09 Mar 2023 19:05:46 GMT RPendela 2023-03-09T19:05:46Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/298364#M700 <P>I;ve installed a new firewall using Bundle 1, I get this error with a new VM</P><P>&nbsp;</P><P>One of them worked correctly, but after I killed it, I started to get these issues. Any idea what can be wrong?</P><P>The PEM key is the proper one, created when I launched the machine</P><P>&nbsp;</P><P>This seems to happen after I killed the first "bundle 1 machine" and it said trial expired, I re subscribed (hourly rate) but I still can;t get to the machines</P><P>&nbsp;</P><LI-CODE lang="markup">➜ Downloads ssh -i paloalto.pem admin@REDACTEDIP -v OpenSSH_7.9p1, LibreSSL 2.7.3 debug1: Reading configuration data /Users/xxx/.ssh/config debug1: /Users/xxx/.ssh/config line 1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 48: Applying options for * debug1: Connecting to REDACTEDIP [REDACTEDIP] port 22. debug1: Connection established. debug1: identity file paloalto.pem type -1 debug1: identity file paloalto.pem-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.9 debug1: Remote protocol version 2.0, remote software version OpenSSH_12.1 debug1: match: OpenSSH_12.1 pat OpenSSH* compat 0x04000000 debug1: Authenticating to REDACTEDIP:22 as 'admin' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: ecdh-sha2-nistp256 debug1: kex: host key algorithm: ssh-rsa debug1: kex: server-&gt;client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none debug1: kex: client-&gt;server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-rsa SHA256:+qi4tx18hKBnH3R12SYeAF2XtsL1df+A+3EHsabgYi0 debug1: Host 'REDACTEDIP' is known and matches the RSA host key. debug1: Found key in /Users/xxx/.ssh/known_hosts:40 debug1: rekey after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 4294967296 blocks debug1: Will attempt key: paloalto.pem explicit debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Next authentication method: publickey debug1: Trying private key: paloalto.pem debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Next authentication method: keyboard-interactive Password: </LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Nov 2019 21:49:18 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/298364#M700 nronica 2019-11-13T21:49:18Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/298372#M702 <P>In all honestly, waiting longer and reconnect your SSH session.&nbsp; You will get the password prompt during the firewall start-up which could take 10-15 minutes.&nbsp; Once you log in with the pem file you should set a password and commit.</P><P>&nbsp;</P><P>configure</P><P>set mgt-config users admin password</P><P>commit</P> Wed, 13 Nov 2019 21:51:57 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/298372#M702 jmeurer 2019-11-13T21:51:57Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/511786#M1645 <P>Running into this same issue. We've let it sit for days, re-spun it up with a different AMI (10.1.3, and 10.1.6), and still the same issue. It worked once, and now will not again.&nbsp;</P> <P>&nbsp;</P> Fri, 12 Aug 2022 20:54:22 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/511786#M1645 jwainwright 2022-08-12T20:54:22Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/511787#M1646 <P>Any ideas?</P> Fri, 12 Aug 2022 20:54:32 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/511787#M1646 jwainwright 2022-08-12T20:54:32Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533827#M1837 <P>we are having s simlier issue, with or without management swap at instance launch state, firewall still asking for password. Launched almost 10 firewalls (BYOL, bundle2) and same behavior. tried to change the pem key aswell, no luck. this is really frustrating, I have launched couple of paloalto firewalls in the past but never experienced like this. anyone found the solution.&nbsp;</P> <P>&nbsp;</P> Thu, 09 Mar 2023 19:05:46 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533827#M1837 RPendela 2023-03-09T19:05:46Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533831#M1838 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71965">@RPendela</a>&nbsp;</P> <P>&nbsp;</P> <P>Our issue turned out that you cannot turn off the ec2 instance metadata, or force HTTPS tokens on the ec2 instance metadata endpoint. This is because the palo uses this endpoint to grab the public key to add to the user at launch. They should code the bootstrap process to use the IMDBS tokens.&nbsp;</P> Thu, 09 Mar 2023 19:24:07 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533831#M1838 jwainwright 2023-03-09T19:24:07Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533832#M1839 <P><STRONG><A href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html" target="_blank">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html</A></STRONG></P> Thu, 09 Mar 2023 19:25:04 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533832#M1839 jwainwright 2023-03-09T19:25:04Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533839#M1840 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71965">@RPendela</a> ,</P> <P>&nbsp;</P> <P>What does the prompt say?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 09 Mar 2023 20:36:31 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/new-vm-asks-for-password-using-ssh/m-p/533839#M1840 TomYoung 2023-03-09T20:36:31Z