
Bastionhost: FAQ related to passwords and key pairs

Last Updated: May 28, 2025

This topic provides answers to some frequently asked questions about passwords and key pairs.

What do I do if I am prompted to enter a password after I configure key pair or private key authentication?

When a bastion host accesses an ECS instance, key pair authentication takes precedence over password authentication. If key pair authentication fails, the bastion host automatically falls back to password authentication. If a key pair is configured for your host account but no password is configured, you are prompted to enter the password of the ECS instance when key pair authentication fails.

Therefore, you need to ensure that the private key is correctly configured on your bastion host and verify that you can access the server with this private key. You can verify this by logging on to the ECS instance with the private key. For information about how to generate a key pair and configure key pair authentication on a bastion host, see How do I generate a key pair and configure key pair authentication to access an ECS instance?.

Note

For information about how to configure SSH private key authentication, see Configure SSH private key authentication.

Can I use a key pair for authentication when I log on to a bastion host in SSH mode?

Yes, you can use a key pair or a password for authentication when you log on to a bastion host in SSH mode over port 60022.

  • For information about how to configure a user to log on to a bastion host by using a key pair, see Manage public keys of users.

  • For more information about how to log on to a bastion host over SSH, see one of the following links based on your operating system:

I am an O&M engineer. How do I change the password that is used to log on to a bastion host?

You can use one of the following methods to change the password that is used to log on to a bastion host:

Can I log on to a bastion host by using a key pair after my password expires?

Yes, you can still log on by using a key pair after your password expires.

How do I generate a key pair and configure key pair authentication to access an ECS instance?

Bastionhost supports RSA key pairs and Ed25519 key pairs. The following example shows how to generate an RSA key pair for the root account.

  1. On the ECS instance, run the following command to switch to the .ssh directory:

    cd ~/.ssh/

  2. In the .ssh directory, run the following command to generate an RSA key pair:

    ssh-keygen -t RSA -m PEM

    After you run the command, an RSA key pair that contains the private key id_rsa and the public key id_rsa.pub is generated in the current directory.

  3. Copy the private key id_rsa to the host account for which you want to configure the private key on your bastion host. For more information, see Configure host accounts.

  4. Run the following command to append the public key id_rsa.pub to the authorized_keys file:

    # Append instead of overwriting, so that keys already authorized for this account are kept.
    cat id_rsa.pub >> authorized_keys

Note
  • When you call the CreateHostAccount operation to create a host account, encode the key pair of the host account in Base64.

  • Key pair authentication takes precedence over password authentication. If key pair authentication fails, password authentication is used instead.
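
The following script is an added example, not part of the Bastionhost documentation. Run on the ECS instance, it checks the usual causes of a failed key pair logon that ends in a password prompt (public key missing from authorized_keys, permissions that sshd rejects) and produces the Base64 form of the private key mentioned in the note. The function names and the script name are hypothetical, and the permission check assumes the OpenSSH server default of StrictModes yes.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key pair from steps 1-4.
# Run on the ECS instance: sh check_keypair.sh ~/.ssh   (script name is hypothetical)

# sshd (StrictModes) ignores authorized_keys when it or ~/.ssh is writable by group/others.
not_group_world_writable() {
    perms=$(ls -ldL "$1" | cut -c6,9)      # group-write and other-write flags
    [ "$perms" = "--" ]
}

# True when the key blob of public key file $1 is listed in authorized_keys file $2.
pubkey_authorized() {
    blob=$(awk '{print $2; exit}' "$1")
    [ -n "$blob" ] && awk -v b="$blob" \
        '!/^#/ {for (i = 1; i <= NF; i++) if ($i == b) found = 1} END {exit !found}' "$2"
}

# Reports the private key container: "pem" is what `ssh-keygen -m PEM` writes for RSA.
private_key_format() {
    case $(head -n 1 "$1") in
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Single-line Base64 of the private key, for API calls. Treat the output as a secret.
private_key_base64() {
    base64 < "$1" | tr -d '\n'
}

# Runs all checks on directory $1 (default ~/.ssh); returns non-zero on any failure.
check_keypair() {
    dir=${1:-$HOME/.ssh}; rc=0
    for p in "$dir" "$dir/authorized_keys"; do
        not_group_world_writable "$p" || { echo "FAIL: $p is writable by group/others"; rc=1; }
    done
    pubkey_authorized "$dir/id_rsa.pub" "$dir/authorized_keys" ||
        { echo "FAIL: id_rsa.pub is not in authorized_keys"; rc=1; }
    [ "$(private_key_format "$dir/id_rsa")" != unknown ] ||
        { echo "FAIL: id_rsa is not a recognized private key file"; rc=1; }
    return $rc
}

if [ "$#" -gt 0 ]; then check_keypair "$1"; fi
```

A clean run prints nothing and exits with status 0; each failed check prints one FAIL line.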