
Elastic Compute Service: Connect to a Linux instance by using a password or key

Last Updated: Sep 26, 2023

Workbench is a more efficient and convenient connection tool than Virtual Network Computing (VNC) and allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time. Workbench supports the following authentication methods for logons to instances: password-based authentication, key-based authentication, and credential-based authentication.

Prerequisites

  • A logon password is set for or a key pair is bound to the Linux instance to which you want to connect. For more information, see Reset the logon password of an instance or Bind an SSH key pair to an instance.

  • The instance is in the Running state.

  • Security group rules that allow the IP addresses related to the Workbench service to access the instance are added. The security group rules vary based on the network type of the instance.

    Instance that resides in a virtual private cloud (VPC)

    If you want to connect to an instance that resides in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.

    Action: Allow

    Priority: 1

    Protocol type: Custom TCP

    Port range:

    • To open the default port 22 on the Linux instance, select SSH (22).

    • To open other ports on the Linux instance, specify a port range.

    Authorization object:

    • To connect to the instance by using the auto-assigned public IP address or elastic IP address (EIP) that is associated with the instance, specify 161.117.90.22.

    • To connect to the instance by using the private IP address of the instance, specify 100.104.0.0/16.

    Warning

    You can specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this setting exposes your instance to security risks. Proceed with caution.

    Instance that resides in the classic network

    • If you want to connect to a Linux instance that resides in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters that must be configured for the rule.

      Action: Allow

      Priority: 1

      Protocol type: Custom TCP

      Port range:

      • To open the default port 22 on the Linux instance, select SSH (22).

      • To open other ports on the Linux instance, specify a port range.

      Authorization object: To connect to the instance by using the auto-assigned public IP address or EIP that is associated with the instance, specify 161.117.90.22.

      Warning

      You can specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this setting exposes your instance to security risks. Proceed with caution.

    • If you want to connect to a Linux instance that resides in the classic network over the internal network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.

      Action: Allow

      Priority: 1

      Protocol type: Custom TCP

      Port range:

      • To open the default port 22 on the Linux instance, select SSH (22).

      • To open other ports on the Linux instance, specify a port range.

      Authorization object: To connect to the instance that resides in the classic network by using the internal IP address of the instance, specify 161.117.90.22.

      Warning

      High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.
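An added example, not part of the original documentation: a small audit that classifies inbound rules covering the SSH port by how their authorization object compares with the two Workbench sources named above. The rule dictionary shape, the "start/end" port format and the sample rules are assumptions constructed for this example, not an ECS API format.

```python
import ipaddress

# Workbench sources taken from this page; everything else is illustrative.
WORKBENCH_SOURCES = [
    ipaddress.ip_network("161.117.90.22/32"),  # public IP address / EIP connections
    ipaddress.ip_network("100.104.0.0/16"),    # private IP address connections (VPC)
]

# Constructed sample rules (hypothetical shape: action, port_range, source).
SAMPLE_RULES = [
    {"action": "Allow", "port_range": "22/22", "source": "161.117.90.22"},
    {"action": "Allow", "port_range": "22/22", "source": "0.0.0.0/0"},
    {"action": "Allow", "port_range": "1/65535", "source": "100.64.0.0/10"},
    {"action": "Allow", "port_range": "443/443", "source": "0.0.0.0/0"},
    {"action": "Allow", "port_range": "22/22", "source": "203.0.113.0/24"},
]

def covers_port(port_range, port):
    """Return True if 'start/end' (assumed format) includes the port."""
    start, end = (int(p) for p in port_range.split("/"))
    return start <= port <= end

def classify(rule, ssh_port=22):
    """Classify one inbound rule by the exposure it gives the SSH port."""
    if rule["action"] != "Allow" or not covers_port(rule["port_range"], ssh_port):
        return "not-ssh"
    source = ipaddress.ip_network(rule["source"], strict=False)
    if source.prefixlen == 0:
        return "open-to-all"            # the setting the page warns about
    same_family = [w for w in WORKBENCH_SOURCES if w.version == source.version]
    if any(source.subnet_of(w) for w in same_family):
        return "workbench-only"         # no broader than the page requires
    if any(w.subnet_of(source) for w in same_family):
        return "wider-than-workbench"   # works, but admits extra addresses
    return "other-source"               # SSH open to a non-Workbench source

def audit(rules, ssh_port=22):
    """Return a (source, verdict) pair for every rule, in input order."""
    return [(r["source"], classify(r, ssh_port)) for r in rules]

if __name__ == "__main__":
    for source, verdict in audit(SAMPLE_RULES):
        print(f"{source:18} {verdict}")
```

Pass a different `ssh_port` if the instance listens for SSH on a port other than 22.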

Procedure

By default, a Workbench remote connection persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instances page, find the instance to which you want to connect. In the Actions column, click Remote connection.

  5. In the Remote connection dialog box, click Workbench in the Sign in now section.

  6. In the Instance Login dialog box, configure parameters.

    The following table describes the required parameters.

    Instance: The information of the current instance is automatically populated. You can manually enter the IP address or name of another instance.

    Connection:

    • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.

    • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.

    For information about different network types, see Overview and IP addresses of ECS instances in the classic network.

    Authentication: Select an authentication method. The following authentication methods are supported:

    • Password-based: Enter a username, such as root or ecs-user, and a password.

    • SSH Key Authentication: Enter a username, such as root or ecs-user, and then enter or upload a private key file. If the private key file is encrypted, enter the passphrase of the private key.

    • Credential-based: Select or create a credential.

      Credentials are used to store instance information such as usernames, passwords, and keys. You can use credentials to connect to instances in a secure manner without the need to enter usernames or passwords. If no credentials exist for an instance in Workbench, create a credential for the instance. For more information, see the Create a credential to allow password-free logon section of this topic.

    In the lower part of the dialog box, click More Options to show the optional parameters. The following table describes the parameters.

    Resource Group: By default, All is selected. You can select a resource group from the drop-down list.

    Region: By default, All is selected. You can select a region from the drop-down list.

    Protocol: By default, Terminal Connection (SSH) is selected.

      Note

      To use Remote Desktop (RDP) to connect to the instance, install an RDP service such as xrdp and a graphical desktop on the instance. For information about how to install a graphical desktop on a Linux instance, see Installing a graphical desktop environment for a Linux instance.

    Port: If Protocol is set to Terminal Connection (SSH), this parameter is automatically set to 22. If you specified a different port as the remote connection port, enter the port number.

      Note

      If Protocol is set to Remote Desktop (RDP), this parameter is automatically set to 3389.

    Language: Select your preferred language. The selected language affects the outputs of the instance. We recommend that you select Default. This way, Workbench detects the language settings of the instance and configures appropriate settings.

    Character Set: Select your preferred character set. The selected character set affects the outputs of the instance. We recommend that you select Default. This way, Workbench detects the character set settings of the instance and configures appropriate settings.

  7. Click OK.

If all of the prerequisites are met but the instance cannot be connected, perform the following operations on the instance:

  • Check whether the SSH service (sshd on Linux) is enabled. If not, enable it.

  • Check whether the required SSH port (typically port 22) is open. If not, open the port.

  • To use the root username to connect to the Linux instance, make sure that the /etc/ssh/sshd_config file contains the PermitRootLogin yes and PasswordAuthentication yes settings. For more information, see the Enable root logon over SSH on a Linux instance section of this topic.

Create a credential to allow password-free logon

This section describes how to create a credential for an instance in Workbench. After the credential is created, you can use the credential when you connect to the instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Instances page, find the instance to which you want to connect. In the Actions column, click Remote connection.

  5. In the Remote connection dialog box, click Workbench in the Sign in now section.

  6. In the Instance Login dialog box, configure parameters.

  7. Create a credential.

    1. The following table describes the required parameters.

      Instance: The information of the current instance is automatically populated. You can select another instance from the drop-down list.

      Connection:

      • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.

      • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.

      Authentication:

      1. Select Credential-based.

      2. Select Create Credential from the Credential drop-down list.

    2. In the Add Credential dialog box, configure the parameters that are described in the following table.

      Credential Name: Enter a name for the credential.

      Username: Enter a username, such as root or ecs-user.

      Credential Type: Select a credential type. Valid values:

      • Password: If you select this value, you must continue to enter the password that is used to connect to the instance.

      • Private Key: If you select this value, you must continue to enter the content of the private key file or upload a private key file. If the private key file is encrypted, enter the passphrase of the private key.

      Material Name: Enter a name for the authentication material.

      Password: Enter the password that is used to connect to the instance.

      Fingerprint: The fingerprint is automatically generated based on the authentication material.

    3. Click OK.

  8. In the Instance Login dialog box, select the credential that you created from the Credential drop-down list and click OK.

Enable root logon over SSH on a Linux instance

In specific Linux operating systems, sshd disables root logon by default. If this occurs, when you attempt to connect to an instance as the root user over SSH, you are prompted that your username or password is invalid. To enable root logon over SSH on a Linux instance, perform the following steps:

  1. Connect to the Linux instance by using VNC.

    For more information, see Connect to an instance by using VNC.

  2. Open the SSH configuration file.

    vim /etc/ssh/sshd_config

  3. Press the I key to enter Insert mode.

  4. Set both the PermitRootLogin and PasswordAuthentication parameters to yes, as displayed in the following lines:

    PermitRootLogin yes
    PasswordAuthentication yes

  5. Press the Esc key and enter :wq to save the changes.

  6. Restart sshd.

    systemctl restart sshd.service
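
The two settings above only take effect if no earlier line in the file already sets them, because sshd uses the first value it reads for each keyword. The following added example (not from the original documentation) reports the effective global value of each setting and any later lines that are shadowed; the sample file is constructed, and Include files and Match blocks are not evaluated.

```python
KEYWORDS = ("permitrootlogin", "passwordauthentication")

# Constructed sshd_config excerpt: the "yes" on line 6 was appended by hand
# but is shadowed by the "no" on line 3.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
"""

def effective_global(text, keywords=KEYWORDS):
    """Return {keyword: {value, line, shadowed}} for the global section.

    Keywords are case-insensitive and the first value read wins. Parsing
    stops at the first Match line because everything after it is conditional.
    A value of None means the keyword is unset and the sshd default applies.
    """
    result = {k: {"value": None, "line": None, "shadowed": []} for k in keywords}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in result and len(parts) == 2:
            entry = result[key]
            if entry["line"] is None:
                entry["value"], entry["line"] = parts[1].strip(), number
            else:
                entry["shadowed"].append(number)   # later duplicate, ignored by sshd
    return result

def root_password_logon_enabled(text):
    """True only if both settings this page requires are effectively 'yes'."""
    eff = effective_global(text)
    return all(eff[k]["value"] == "yes" for k in KEYWORDS)

if __name__ == "__main__":
    for key, info in effective_global(SAMPLE_CONFIG).items():
        print(key, info)
```

On the instance itself, `sshd -t` checks the file for errors before the restart, and `sshd -T` prints the configuration that sshd actually applies.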