An SSH key pair is a secure authentication method provided by Alibaba Cloud for logging on to your instance. An SSH key pair consists of a public key and a private key. SSH key pairs can be used to log on only to Linux instances.

Introduction

An SSH key pair is a pair of public and private keys that are generated based on a cryptographic algorithm. By default, 2048-bit RSA key pairs are used. Before you log on to a Linux instance with an SSH key pair, you must first create the SSH key pair. You can specify an SSH key pair when you create an instance, or bind an SSH key pair to an instance after the instance is created. Then, you can use the private key to connect to the instance.

After you create an SSH key pair, take note of the following items:
  • Alibaba Cloud stores the public key of the SSH key pair. After an SSH key pair is bound to a Linux instance, the public key of the key pair is stored in the ~/.ssh/authorized_keys file.
  • You must download and securely store the private key for later use. The private key is in the unencrypted Privacy-Enhanced Mail (PEM)-encoded PKCS#8 format.
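
To check what is actually stored in ~/.ssh/authorized_keys after a key pair is bound, the following added example (not Alibaba Cloud code) parses each entry's OpenSSH public key blob, compares the RSA modulus size with the 2048-bit default, and computes the SHA256 fingerprint in the form that `ssh-keygen -l` prints. The function names and the sample entries are constructed for illustration; the sample moduli are synthetic and are not usable keys.

```python
import base64, hashlib, struct

def _read(buf, off):  # one RFC 4253 field: 4-byte big-endian length + data
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def parse_key_line(line):
    """Return key type, RSA modulus bits and SHA256 fingerprint, or None."""
    fields = line.split()
    # Options may precede the key; the blob must embed the declared type.
    for i in range(len(fields) - 1):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            name, off = _read(blob, 0)
            if name != fields[i].encode():
                continue
            bits = None
            if name == b"ssh-rsa":           # blob layout: type, e, n
                n, _ = _read(blob, _read(blob, off)[1])
                bits = int.from_bytes(n, "big").bit_length()
        except (ValueError, struct.error):
            continue
        fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
        return {"type": fields[i], "bits": bits, "fingerprint": "SHA256:" + fp.decode()}

def audit(text, min_rsa_bits=2048):
    """Return (line number, parsed key or None, finding) for each entry."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, finding = parse_key_line(line), "ok"
        if key is None:
            finding = "unparseable entry"
        elif key["bits"] is not None and key["bits"] < min_rsa_bits:
            finding = "RSA modulus below %d bits" % min_rsa_bits
        out.append((no, key, finding))
    return out

def constructed_rsa_line(bits, comment):
    """Synthetic ssh-rsa entry for the demo; the modulus is not a real key."""
    f = lambda b: struct.pack(">I", len(b)) + b
    mp = lambda x: f(x.to_bytes(x.bit_length() // 8 + 1, "big"))  # mpint
    blob = f(b"ssh-rsa") + mp(65537) + mp((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

SAMPLE = "\n".join([constructed_rsa_line(2048, "console-key"), "ssh-rsa AAAA",
                    "no-pty " + constructed_rsa_line(1024, "old-key")])
```

Run `audit()` on the contents of a copy of the instance's authorized_keys file and compare each fingerprint with the output of `ssh-keygen -lf` on the public key you expect to be bound.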

Benefits

Compared with username and password authentication, SSH key pairs have the following benefits:
  • Security: SSH key pair-based authentication is more secure and reliable.
    • SSH key pairs provide higher security than common user passwords and can prevent brute-force attacks.
    • The private key cannot be deduced even if the public key is maliciously acquired.
  • Ease of use:
    • If you configure the public key on a Linux instance, you can use the private key to run SSH commands or other tools for logon to the instance. This means you do not need to enter the password every time you log on.
    • You can log on to a large number of Linux instances, which enables easy management. If you need to manage multiple Linux instances, we recommend that you use this method.

Limits

SSH key pairs have the following limits:
  • If you use an SSH key pair to log on to a Linux instance, the password logon method will be disabled for higher security.
  • SSH key pairs apply only to Linux instances.
  • Currently, only RSA 2048-bit key pairs can be created in the ECS console.
  • An Alibaba Cloud account can have a maximum of 500 key pairs in a region.
  • Only one SSH key pair can be bound to a Linux instance. If you bind a new key pair to an instance that already has a key pair bound, the new key pair replaces the original one.
  • Instances of phased-out instance types cannot use SSH key pairs. For more information, see Phased-out instance types.
  • If you bind an SSH key pair to or unbind an SSH key pair from an instance in the Running state, you must restart the instance for the operation to take effect. This enhances data security.

Creation method

You can use one of the following methods to create an SSH key pair:
  • Create an SSH key pair in the ECS console. By default, the key pair is generated in the RSA 2048-bit format. For more information, see Create an SSH key pair.
    Note: If you create a key pair in the ECS console, you must download and securely store the private key for later use. After the key pair is bound to an instance, you cannot log on to the instance if you do not have the private key.
  • Create an SSH key pair by using a key pair generator and import the key pair to the ECS console. The imported key pair must support one of the following encryption methods:
    • rsa
    • dsa
    • ssh-rsa
    • ssh-dss
    • ecdsa
    • ssh-rsa-cert-v00@openssh.com
    • ssh-dss-cert-v00@openssh.com
    • ssh-rsa-cert-v01@openssh.com
    • ssh-dss-cert-v01@openssh.com
    • ecdsa-sha2-nistp256-cert-v01@openssh.com
    • ecdsa-sha2-nistp384-cert-v01@openssh.com
    • ecdsa-sha2-nistp521-cert-v01@openssh.com