
Bastionhost: FAQ related to passwords and key pairs

Last Updated: Feb 20, 2024

This topic provides answers to some frequently asked questions about passwords and key pairs.

What do I do if I am prompted to enter a password after I configure key pair or private key authentication?

When a bastion host accesses an Elastic Compute Service (ECS) instance, key pair authentication takes precedence over password authentication. If key pair authentication fails, password authentication is attempted automatically. If a key pair is configured for your host account but no password is configured, you are prompted to enter the password of the ECS instance when key pair authentication fails.

To troubleshoot the preceding issue, perform the following operations:

  1. Make sure that you configure a valid private key on the bastion host and the private key can be used to access the ECS instance. To check whether the private key can be used to access the ECS instance, use the private key to log on to the ECS instance. For more information about how to generate a key pair and configure key pair authentication on a bastion host, see How do I generate a key pair and configure key pair authentication?

    Note

    For more information about how to configure SSH private key-based authentication, see Configure SSH private key-based authentication.

  2. Check whether OpenSSH is upgraded to version 9.0 or later, or whether the operating system is Rocky Linux 9.0 or later, Ubuntu 22.04 or later, or macOS 13.0 or later.

    In any of these cases, the ssh-rsa public key signature algorithm is disabled by default. To enable it manually, add the configuration items shown below to the OpenSSH configuration file on the on-premises client or the remote server.

    • If you use a client that runs macOS 13.0.1 or later to access Bastionhost, perform the following steps to enable the ssh-rsa public key signature algorithm:

      1. Run the following command on the ECS instance to open the ssh_config configuration file:

        vim /etc/ssh/ssh_config
      2. Add the following configuration items to the ssh_config configuration file and save the file:

        HostKeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa
      3. Restart sshd.

        systemctl restart sshd
    • If you use a client that runs Rocky Linux 9.0 or later or Ubuntu 22.04 or later to access Bastionhost, perform the following steps to enable the ssh-rsa public key signature algorithm:

      1. Run the following command on the ECS instance to open the sshd_config configuration file:

        vim /etc/ssh/sshd_config
      2. Add the following configuration items to the sshd_config configuration file and save the file:

        HostKeyAlgorithms +ssh-rsa
        PubkeyAcceptedAlgorithms +ssh-rsa
      3. Restart sshd.

        systemctl restart sshd
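
To confirm whether the change above took effect, the following added example (not part of the original documentation) reads the effective configuration printed by `sshd -T` or `ssh -G <host>` and reports whether ssh-rsa is accepted for the two directives. The function names `alg_enabled` and `ssh_rsa_status` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Input is the effective
# configuration printed by `sshd -T` (server, run as root) or
# `ssh -G <host>` (client): one "keyword value" pair per line.

# alg_enabled KEYWORD ALG: reads a dump on stdin; returns 0 only if ALG is
# an exact member of KEYWORD's comma-separated list.
alg_enabled() {
    awk -v kw="$1" -v alg="$2" '
        tolower($1) == tolower(kw) {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == alg) found = 1
            exit                      # jump to END after the first match
        }
        END { exit !found }
    '
}

# ssh_rsa_status: reads a dump on stdin and prints one line for each of
# the two directives the page changes.
ssh_rsa_status() {
    dump=$(cat)
    for kw in hostkeyalgorithms pubkeyacceptedalgorithms; do
        if printf '%s\n' "$dump" | alg_enabled "$kw" ssh-rsa; then
            echo "$kw ssh-rsa=enabled"
        else
            echo "$kw ssh-rsa=disabled"
        fi
    done
}

# Constructed, shortened dumps (not real defaults): before and after adding
# "+ssh-rsa" to both directives.
BEFORE='port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256'
AFTER='port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

printf '%s\n' "$BEFORE" | ssh_rsa_status
printf '%s\n' "$AFTER" | ssh_rsa_status
```

On a real host, run `sshd -T | ssh_rsa_status` or `ssh -G <host> | ssh_rsa_status`. The ssh-rsa algorithm signs with SHA-1, while rsa-sha2-256 and rsa-sha2-512 work with the same RSA keys, so enable ssh-rsa only on the hosts that need it.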

Can I use a key pair for authentication when I log on to a bastion host in SSH mode?

Yes, you can use a key pair or a password for authentication when you log on to a bastion host in SSH mode over port 60022.

  • For more information about how to use a key pair to log on to a bastion host, see Host the public key of a user.

  • For more information about how to log on to a bastion host over SSH, see one of the following links based on your operating system:

I am an O&M engineer. How do I change the password that is used to log on to a bastion host?

You can use one of the following methods to change the password that is used to log on to a bastion host:

Can I log on to a bastion host by using a key pair after my password expires?

Yes, you can still log on by using a key pair after your password expires.

How do I generate a key pair and configure key pair authentication to access an ECS instance?

Bastionhost supports RSA key pairs and Ed25519 key pairs. The following example shows how to generate an RSA key pair for the root account.

  1. Run the following command on the ECS instance to go to the .ssh directory:

    cd ~/.ssh/
  2. In the .ssh directory, run the following command to generate an RSA key pair:

    ssh-keygen -t RSA -m PEM

    After you run the command, an RSA key pair that contains the private key id_rsa and the public key id_rsa.pub is generated in the current directory.

  3. Copy the id_rsa private key to the host account for which you want to configure the private key on your bastion host. For more information, see Configure account settings for a host.

  4. Run the following command to copy the id_rsa.pub public key to the authorized_keys file. If authorized_keys already exists, this command replaces its contents.

    cp id_rsa.pub authorized_keys

Note

  • When you call the CreateHostAccount operation to create a host account, encode the key pair of the host account in Base64.

  • Key pair authentication takes precedence over password authentication. If key pair authentication fails, password authentication is used instead.