Elastic Compute Service: Connect to a Linux instance by using an SSH key pair

Last Updated: Jul 21, 2023

SSH key pairs provide a secure and convenient method to authenticate logons. This topic describes how to use an SSH key pair to connect to a Linux instance from a Windows device or a device that supports SSH commands, such as a Linux client or MobaXterm for Windows.

Prerequisites

  • An SSH key pair is created, and the .pem private key file is downloaded. For more information, see Create an SSH key pair.

  • The instance to which you want to connect is in the Running state.

  • An SSH key pair is bound to the instance. For more information, see Bind an SSH key pair to an instance.

  • A public IP address or an elastic IP address (EIP) is associated with the instance. For more information, see Associate an EIP with an ECS instance.

  • A security group rule is added to the security groups of the instance to allow traffic on the required port, such as the default SSH port 22. For more information, see Add security group rules.

    | Network type | Rule direction | Action | Port range | Priority | Authorization object |
    |---|---|---|---|---|---|
    | Virtual Private Cloud (VPC) | Inbound | Allow | SSH(22) | 1 | The public IP address of the on-premises client. This public IP address is different from that of the Elastic Compute Service (ECS) instance. |
    | Classic network | Internet ingress | Allow | SSH(22) | 1 | The public IP address of the on-premises client. This public IP address is different from that of the Elastic Compute Service (ECS) instance. |

    Important

    You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this poses security risks. Proceed with caution.

Connect to a Linux instance

You can use one of the following methods to connect to the Linux instance by using an SSH key pair based on the operating system of your device.

Use an SSH key pair to connect to a Linux instance from a Windows device

The following section describes how to convert the format of a private key file from .pem to .ppk and how to use an SSH key pair to connect to a Linux instance. PuTTYgen is used in this example.

  1. Download and install PuTTYgen and PuTTY.

    Download PuTTYgen and PuTTY from the following links:

  2. Convert the format of a private key file from .pem to .ppk.

    1. Start PuTTYgen.

      In this example, PuTTYgen 0.71 is used.

    2. Set Type of key to generate to RSA and click Load.

    3. Select All Files (*.*).

    4. Select the .pem private key file that you want to convert.

    5. In the dialog box that appears, click OK.

    6. Click Save private key.

    7. In the dialog box that appears, click Yes.

    8. Specify a name for the .ppk private key file and click Save.

  3. Start PuTTY.

  4. Configure the private key file used for authentication.

    1. Choose Connection > SSH > Auth > Credentials.

    2. In the Private key file for authentication: section, click Browse…

    3. Select the resulting .ppk private key file.

  5. Configure required parameters to connect to the Linux instance.

    1. Click Session.

    2. In the Host Name (or IP address) field, enter the logon account and public IP address of the instance.

      Format: <Username>@<IP address of the instance>. Example: ecs-user@10.10.xx.xxx.

    3. In the Port field, enter 22.

    4. Set Connection type to SSH.

  6. Click Open.

    If the following message appears, you are logged on to the instance by using an SSH key pair.

Use an SSH key pair to connect to a Linux instance from a device that supports SSH commands (configure information by using commands)

The following section describes how to use commands to configure required information on a device that supports SSH commands (such as a Linux client or MobaXterm for Windows) and then how to use SSH commands to connect to the Linux instance from the device.

  1. Find the path of the .pem private key file on the on-premises device. Example: ~/.ssh/ecs.pem.

    The path and file name used are for reference only. You can modify the information in subsequent commands based on actual conditions.

  2. Run the following command to restrict the permissions of the private key file so that only its owner can read it:

    chmod 400 [Path of the .pem private key file on your on-premises device]

    Example:

    chmod 400 ~/.ssh/ecs.pem
  3. Run the following command to connect to the instance:

    ssh -i [Path of the .pem private key file on your on-premises device] username@[Public IP address]

    Example:

    ssh -i ~/.ssh/ecs.pem ecs-user@10.10.xx.xxx

Use an SSH key pair to connect to a Linux instance from a device that supports SSH commands (configure information by using the config file)

The following section describes how to use the SSH config file to configure required information on a device that supports SSH commands (such as a Linux client or MobaXterm for Windows) and then how to use SSH commands to connect to the Linux instance from the device.

  1. Find the path of the .pem private key file on the on-premises device. Example: ~/.ssh/ecs.pem.

    The path and file name used are for reference only. You can modify the information in subsequent commands based on actual conditions.

  2. Run the following command to restrict the permissions of the private key file so that only its owner can read it:

    chmod 400 [Path of the .pem private key file on your on-premises device]

    Example:

    chmod 400 ~/.ssh/ecs.pem
  3. Run the following commands to go to the .ssh directory in the home directory and create a config file:

    cd ~/.ssh
    vim config
  4. In the config file, press the I key to enter the Insert mode and add the following configuration items:

    Sample code used to add configuration items for a single ECS instance:

    # Enter the alias of the ECS instance that you want to connect to over SSH. 
    Host ecs
    # Enter the public IP address of the instance. 
    HostName 121.196.**.**
    # Enter the port number. The default port number is 22. 
    Port 22
    # Enter the logon username. 
    User ecs-user
    # Enter the path of the .pem private key file on your on-premises device. 
    IdentityFile ~/.ssh/ecs.pem

    Sample code used to add configuration items for multiple ECS instances:

    # Enter the alias of the ECS instance that you want to connect to over SSH. 
    Host ecs1
    # Enter the public IP address of the instance. 
    HostName 121.196.**.**
    # Enter the port number. The default port number is 22. 
    Port 22
    # Enter the logon username. 
    User ecs-user
    # Enter the path of the .pem private key file on your on-premises device. 
    IdentityFile ~/.ssh/ecs.pem
    
    # Enter the alias of the ECS instance that you want to connect to over SSH. 
    Host ecs2
    # Enter the public IP address of the instance. 
    HostName 121.196.**.**
    # Enter the port number. The default port number is 22. 
    Port 22
    # Enter the logon username. 
    User ecs-user
    # Enter the path of the .pem private key file on your on-premises device. 
    IdentityFile ~/.ssh/ecs.pem

    After the configuration items are added, press the Esc key and enter :wq to save the config file.

  5. Run the following command to restart the SSH service:

    Warning

    If the SSH service fails to be restarted, the SSH service may become unavailable and service interruptions may occur. We recommend that you restart the SSH service during off-peak hours.

    service sshd restart
  6. Run the following command to connect to the instance:

    ssh [Alias of the instance]

    Example:

    ssh ecs
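
The chmod 400 step matters because OpenSSH ignores a private key whose mode grants any access to group or other users. The following check of every IdentityFile in a client config is an added example, not part of the original documentation; the function name audit_identity_files and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the keys named by IdentityFile in an OpenSSH client config.
# Assumes the "IdentityFile <path>" form with no spaces in the path, as in the
# samples above. Returns the number of problems found (0 = all keys acceptable).
audit_identity_files() {
    config=${1:-$HOME/.ssh/config}
    problems=0
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 1; }
    keys=$(awk 'tolower($1) == "identityfile" { print $2 }' "$config" | sort -u)
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        # ssh expands a leading ~/ itself; do the same here.
        case $key in "~/"*) key=$HOME/${key#"~/"} ;; esac
        if [ ! -f "$key" ]; then
            echo "MISSING   $key"
            problems=$((problems + 1))
            continue
        fi
        # Mode string from ls: file type, then owner/group/other bits.
        mode=$(ls -ldL "$key" | cut -c1-10)
        case $mode in
            # No group or other bits set, e.g. -r-------- after chmod 400.
            -???------) echo "OK        $mode $key" ;;
            *)          echo "TOO OPEN  $mode $key"
                        problems=$((problems + 1)) ;;
        esac
    done <<EOF
$keys
EOF
    return "$problems"
}

# Constructed demo: one key locked down as in step 2, one left world-readable.
demo_dir=$(mktemp -d)
printf 'placeholder' > "$demo_dir/ecs.pem";  chmod 400 "$demo_dir/ecs.pem"
printf 'placeholder' > "$demo_dir/open.pem"; chmod 644 "$demo_dir/open.pem"
printf 'Host ecs1\n  IdentityFile %s\nHost ecs2\n  IdentityFile %s\n' \
    "$demo_dir/ecs.pem" "$demo_dir/open.pem" > "$demo_dir/config"
audit_identity_files "$demo_dir/config" || echo "keys needing chmod 400: $?"
rm -rf "$demo_dir"
```

Called with no argument, the function audits ~/.ssh/config.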