An SSH key pair is a secure authentication method provided by Alibaba Cloud for logon to your instance. An SSH key pair consists of a public key and a private key. You can use SSH key pairs to log on to only Linux instances.

Introduction

An SSH key pair is a pair of public and private keys that are generated based on a cryptographic algorithm. By default, 2048-bit RSA key pairs are used. Before you log on to a Linux instance by using an SSH key pair, you must first create the SSH key pair. You can specify an SSH key pair when you create an instance, or bind an SSH key pair to an instance after the instance is created. Then, you can use the private key to connect to the instance.

After you create an SSH key pair, take note of the following items:
  • Alibaba Cloud stores the public key of the SSH key pair. After an SSH key pair is bound to a Linux instance, the public key of the key pair is stored in the ~/.ssh/authorized_keys file.
  • You must download and securely store the private key. The private key is in the unencrypted Privacy-Enhanced Mail (PEM)-encoded PKCS#8 format.

Benefits

Compared with the username and password authentication, SSH key pairs have the following benefits:
  • Security: SSH key pair-based authentication is more secure and reliable.
    • SSH key pairs provide higher security than common user passwords and can prevent brute-force attacks.
    • The private key cannot be deduced even if the public key is maliciously acquired.
  • Ease of use:
    • If you configure a public key on a Linux instance, you can use the corresponding private key to run SSH commands or other tools for passwordless logon to the instance.
    • You can log on to a large number of Linux instances at the same time for easy management. If you want to manage multiple Linux instances, we recommend that you use this method.

Limits

SSH key pairs have the following limits:
  • If you use an SSH key pair to log on to a Linux instance, the password logon method will be disabled for higher security.
  • SSH key pairs apply only to Linux instances.
  • Currently, only RSA 2048-bit key pairs can be created in the ECS console.
  • An Alibaba Cloud account can have a maximum of 500 key pairs in a region.
  • When you bind SSH key pairs to Linux instances in the ECS console, you can bind only one SSH key pair to each instance. If your instance has a key pair bound, the new key pair will replace the original one. If you want to use multiple key pairs to log on to an instance, you can manually modify the ~/.ssh/authorized_keys file from within the instance to add multiple key pairs.
  • Instances of phased-out instance types cannot use SSH key pairs. For more information about, see Phased-out instance types.
  • If you bind an SSH key pair to or unbind an SSH key pair from an instance in the Running (Running) state, you must restart the instance for the operation to take effect. This enhances data security.

Creation methods

You can use one of the following methods to create an SSH key pair:
  • Create an SSH key pair in the ECS console. By default, the key pair is generated in the RSA 2048-bit format. For more information, see Create an SSH key pair.
    Note If you create a key pair in the ECS console, you must download and securely store the private key. After the key pair is bound to an instance, you cannot log on to the instance if you do not have the private key.
  • Create an SSH key pair by using a key pair generator and import the key pair to the ECS console. The imported key pair must support one of the following encryption methods:
    • rsa
    • dsa
    • ssh-rsa
    • ssh-dss
    • ecdsa
    • ssh-rsa-cert-v00@openssh.com
    • ssh-dss-cert-v00@openssh.com
    • ssh-rsa-cert-v01@openssh.com
    • ssh-dss-cert-v01@openssh.com
    • ecdsa-sha2-nistp256-cert-v01@openssh.com
    • ecdsa-sha2-nistp384-cert-v01@openssh.com
    • ecdsa-sha2-nistp521-cert-v01@openssh.com