New VM asks for password using SSH

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

New VM asks for password using SSH

L1 Bithead

I;ve installed a new firewall using Bundle 1, I get this error with a new VM

 

One of them worked correctly, but after I killed it, I started to get these issues. Any idea what can be wrong?

The PEM key is the proper one, created when I launched the machine

 

This seems to happen after I killed the first "bundle 1 machine" and it said trial expired, I re subscribed (hourly rate) but I still can;t get to the machines

 

➜  Downloads ssh -i paloalto.pem admin@REDACTEDIP -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/xxx/.ssh/config
debug1: /Users/xxx/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to REDACTEDIP [REDACTEDIP] port 22.
debug1: Connection established.
debug1: identity file paloalto.pem type -1
debug1: identity file paloalto.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_12.1
debug1: match: OpenSSH_12.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to REDACTEDIP:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:+qi4tx18hKBnH3R12SYeAF2XtsL1df+A+3EHsabgYi0
debug1: Host 'REDACTEDIP' is known and matches the RSA host key.
debug1: Found key in /Users/xxx/.ssh/known_hosts:40
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: paloalto.pem  explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: paloalto.pem
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 

 

 

1 accepted solution

Accepted Solutions

L4 Transporter

In all honestly, waiting longer and reconnect your SSH session.  You will get the password prompt during the firewall start-up which could take 10-15 minutes.  Once you log in with the pem file you should set a password and commit.

 

configure

set mgt-config users admin password

commit

View solution in original post

7 REPLIES 7

L4 Transporter

In all honestly, waiting longer and reconnect your SSH session.  You will get the password prompt during the firewall start-up which could take 10-15 minutes.  Once you log in with the pem file you should set a password and commit.

 

configure

set mgt-config users admin password

commit

L1 Bithead

Running into this same issue. We've let it sit for days, re-spun it up with a different AMI (10.1.3, and 10.1.6), and still the same issue. It worked once, and now will not again. 

 

L1 Bithead

Any ideas?

L1 Bithead

we are having s simlier issue, with or without management swap at instance launch state, firewall still asking for password. Launched almost 10 firewalls (BYOL, bundle2) and same behavior. tried to change the pem key aswell, no luck. this is really frustrating, I have launched couple of paloalto firewalls in the past but never experienced like this. anyone found the solution. 

 

L1 Bithead

@RPendela 

 

Our issue turned out that you cannot turn off the ec2 instance metadata, or force HTTPS tokens on the ec2 instance metadata endpoint. This is because the palo uses this endpoint to grab the public key to add to the user at launch. They should code the bootstrap process to use the IMDBS tokens. 

Cyber Elite
Cyber Elite

Hi @RPendela ,

 

What does the prompt say?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 5953 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!