An SSH connection through Okta Advanced Server Access (ASA)/Okta Privileged Access (OPA) to a Linux server in GCP fails.
- Advanced Server Access (ASA)
- Okta Privileged Access (OPA)
- Google Cloud Platform (GCP)
- Secure Shell (SSH)
If the OS Login feature is used, it updates the sshd configuration on the server with the following directives**:
#### Google OS Login control. Do not edit this section. ####
#TrustedUserCAKeys /etc/ssh/oslogin_trustedca.pub
#AuthorizedPrincipalsCommand /usr/bin/google_authorized_principals %u %k
#AuthorizedPrincipalsCommandUser root
#AuthorizedKeysCommand /usr/bin/google_authorized_keys
#AuthorizedKeysCommandUser root
#### End Google OS Login control section. ####
OPA/ASA agents use similar directives, but sshd keeps the first value it reads for each directive, so the ones that come first in sshd_config (added by GCP) take precedence. As a result, the ASA/OPA SSH session will fail. The workaround is to comment out the directives (using #) and then restart sshd, or to disable OS Login.
**NOTE: The directives are shown in a commented state here, starting with #. On the server, in /etc/ssh/sshd_config, they are not commented and need to be commented out as a workaround.
OS Login should be disabled on GCP, as the configuration will be added back even if it is commented out.
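A check for the ordering problem described above, as an added example that is not Okta's or Google's own tooling: it reports each agent directive that sits below an active OS Login directive of the same name. The sample config is constructed, and the agent CA path in it is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not Okta's or Google's tooling): list directives that an
# active Google OS Login line shadows. sshd keeps the first value it reads for
# a keyword. Assumes whitespace-separated "Keyword value" lines; Include and
# Match blocks are not followed.

oslogin_conflicts() {   # $1: path to an sshd_config file
  awk '
    /^#### Google OS Login control/     { in_gcp = 1; next }
    /^#### End Google OS Login control/ { in_gcp = 0; next }
    /^[ \t]*(#|$)/                      { next }   # commented out or blank
    {
      key = tolower($1)
      if (key !~ /^(trustedusercakeys|authorized(principals|keys)command(user)?)$/) next
      if (!(key in first)) {            # first active occurrence wins
        first[key] = in_gcp ? "oslogin" : "other"
        line[key] = NR
      } else if (first[key] == "oslogin" && !in_gcp) {
        printf "%s: line %d is shadowed by OS Login line %d\n", $1, NR, line[key]
      }
    }
  ' "$1"
}

# Constructed sample: OS Login section active, followed by an agent-style
# directive. The agent CA path is a placeholder, not the real ASA/OPA path.
sample_config() {
  cat <<'EOF'
Port 22
#### Google OS Login control. Do not edit this section. ####
TrustedUserCAKeys /etc/ssh/oslogin_trustedca.pub
AuthorizedPrincipalsCommand /usr/bin/google_authorized_principals %u %k
AuthorizedPrincipalsCommandUser root
AuthorizedKeysCommand /usr/bin/google_authorized_keys
AuthorizedKeysCommandUser root
#### End Google OS Login control section. ####
TrustedUserCAKeys /path/to/agent_ca.pub
EOF
}

demo=$(mktemp)
sample_config > "$demo"
oslogin_conflicts "$demo"    # in practice: oslogin_conflicts /etc/ssh/sshd_config
rm -f "$demo"
```

No output means no watched directive is shadowed by the OS Login section. Running `sshd -T` as root prints the effective configuration and confirms which value sshd actually uses.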
