
Elastic Compute Service: Connect to a Linux instance with OpenSSH or Xshell

Last Updated: May 15, 2026

Use OpenSSH (macOS/Windows) or Xshell (Windows) to connect to a Linux ECS instance with a password or key pair.

Important

For a simpler browser-based experience with password-free logon, use Workbench instead.

Before you connect

Method 1: Use an OpenSSH client (command line)

OpenSSH is the standard SSH client built into macOS and modern Windows, enabling command-line connections to remote servers.

Prerequisites

Procedure

Windows 10/11

Connect with a password

  1. Open PowerShell.

    Press Win+R, enter powershell, and then press Enter.

  2. Connect to the instance.

    ssh <instance_username>@<instance_public_IP_address>
    Example: ssh root@47.98.xxx.xxx
  3. Verify the host fingerprint (first-time only).

    On first connection, the SSH client displays the host key fingerprint for verification.

    For security, get the host key fingerprint and compare it with the one displayed. If they do not match, you may be experiencing a man-in-the-middle attack. Switch to a secure network and try again.

    After confirming the fingerprint, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Enter the password.

    No characters appear on screen as you type. Press Enter when done.

    On success, a welcome message appears and the prompt changes to [<username>@<hostname> ~]$.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Connect with a key pair

  1. Open PowerShell.

    Press Win+R, enter powershell, and then press Enter.

  2. Connect to the instance.

    ssh -i /path/to/private_key.pem <instance_username>@<instance_public_IP_address>
    Example: ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command, /path/to/private_key.pem is the path to your private key file, such as C:\Users\Administrator\Downloads\private_key.pem.
  3. Verify the host fingerprint (first-time only).

    On first connection, the SSH client displays the host key fingerprint for verification.

    For security, get the host key fingerprint and compare it with the one displayed. If they do not match, you may be experiencing a man-in-the-middle attack. Switch to a secure network and try again.

    After confirming the fingerprint, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Authenticate and access the instance.

    On success, a welcome message appears and the prompt changes to [<username>@<hostname> ~]$.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

macOS

Connect with a password

  1. Open Terminal.

  2. Connect to the instance.

    ssh <instance_username>@<instance_public_IP_address>
    Example: ssh root@47.98.xxx.xxx
  3. Verify the host fingerprint (first-time only).

    On first connection, the SSH client displays the host key fingerprint for verification.

    For security, get the host key fingerprint and compare it with the one displayed. If they do not match, you may be experiencing a man-in-the-middle attack. Switch to a secure network and try again.

    After confirming the fingerprint, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Enter the password.

    No characters appear on screen as you type. Press Enter when done.

    On success, a welcome message appears and the prompt changes to [<username>@<hostname> ~]$.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Connect with a key pair

  1. Open Terminal.

  2. Connect to the instance.

    # chmod 400: Sets read-only permissions for the owner of the private key file. This is a security requirement of the SSH client.
    chmod 400 /path/to/private_key.pem
    ssh -i /path/to/private_key.pem <instance_username>@<instance_public_IP_address>
    Example: ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command, /path/to/private_key.pem is the path to your private key file.
  3. Verify the host fingerprint (first-time only).

    On first connection, the SSH client displays the host key fingerprint for verification.

    For security, get the host key fingerprint and compare it with the one displayed. If they do not match, you may be experiencing a man-in-the-middle attack. Switch to a secure network and try again.

    After confirming the fingerprint, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Authenticate and access the instance.

    On success, a welcome message appears and the prompt changes to [<username>@<hostname> ~]$.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Method 2: Use the Xshell client (Windows only)

Xshell is a Windows SSH client for managing Linux servers.

Prerequisites

Procedure

  1. Start Xshell and create a session.

    1. Open the Xshell application.

    2. In the Sessions window that appears, click New. Alternatively, from the menu bar, select File > New.

  2. Configure the connection.

    In the left navigation pane, click Connection and configure:

    • Name: A descriptive session name, such as My-Web-Server.

    • Protocol: Default SSH.

    • Host: The instance's public IP address.

    • Port Number: Default 22.

  3. Configure user authentication.

    In the left navigation pane, click Authentication.

    Connect with a password

    1. Method: Select Password.

    2. User Name: The logon username, such as root.

    3. Password: The logon password.

    Connect with a key pair

    1. User Name: The logon username, such as root.

    2. Method: Select Public Key and configure the user key as follows:

      1. Click Settings....

      2. Select the Key File option. Click ... next to User Key, click Import..., and then select the .pem private key file from your local storage.

      3. After import, select the key and click OK.

      4. (Optional) If your key file is password-protected, enter the Password.

  4. Connect to the instance.

    Click Connect.

  5. Verify the host key (first-time only).

    On first connection, Xshell displays an SSH Security Warning with the host key fingerprint.

    For security, get the host key fingerprint and compare it with the one displayed. If they do not match, you may be experiencing a man-in-the-middle attack. Switch to a secure network and try again.

    After verifying, click Accept and Save.

  6. Access the instance.

    The command prompt indicates a successful connection.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Apply in production

Harden your SSH connections for production environments.

  • Verify the host fingerprint to prevent man-in-the-middle attacks

    On first connection, verify the host key fingerprint to confirm you are connecting to the correct instance.

  • Disable password-based logon and enforce key pair authentication

    Key pair authentication is more secure than passwords and reduces the risk of brute-force attacks.

    1. Bind a key pair to your instance.

    2. Log on to the instance, edit /etc/ssh/sshd_config, and set PasswordAuthentication to no. Restart the SSH service.

  • Change the default SSH port

    Changing port 22 to a non-standard port (such as 2222) reduces exposure to automated scans.

    1. Allow the new port: Add an inbound rule to allow traffic on the new port.

    2. Change the SSH port: Log on to the instance, edit /etc/ssh/sshd_config, and change #Port 22 to Port 2222. Restart the SSH service.

    3. Connect with the new port: Specify the port with -p, for example: ssh -p 2222 username@instance_ip.

  • Allow access only from trusted IP addresses

    Modify security group rules to allow SSH access only from trusted IP addresses.
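
The two sshd_config edits above can fail silently when an earlier line or drop-in file already sets the same keyword. The following check is an added example, not Alibaba Cloud tooling; the file names are constructed, and the caller is assumed to list the files in the order sshd reads them.

```sh
#!/bin/sh
# Added example (constructed; not Alibaba Cloud tooling).
# sshd keeps the FIRST value it reads for each keyword, so an earlier
# "PasswordAuthentication yes" silently wins over a later "no".

# effective_value KEYWORD FILE...
# Prints the first global value of KEYWORD, reading FILEs in the given order.
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        BEGIN { kw = tolower(kw) }
        FNR == 1 { in_match = 0 }          # assumption: a Match block ends with its file
        { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }              # "#Port 22" is a comment, not a setting
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                  # conditional settings are not global
        tolower($1) == kw { print $2; exit }
    ' "$@"
}

# audit_sshd FILE...: succeeds only when password logon is effectively disabled.
audit_sshd() {
    pa=$(effective_value PasswordAuthentication "$@" | tr 'A-Z' 'a-z')
    port=$(effective_value Port "$@")
    echo "PasswordAuthentication=${pa:-yes} Port=${port:-22}"   # unset means sshd default
    [ "$pa" = "no" ]
}

# Constructed sample: a drop-in that is read first re-enables passwords.
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo_dir/10-example.conf"
printf '#Port 22\nPort 2222\nPasswordAuthentication no\n' > "$demo_dir/sshd_config"

audit_sshd "$demo_dir/10-example.conf" "$demo_dir/sshd_config" \
    || echo "password logon is still enabled: fix the earlier setting, then run 'sshd -t' before restarting"
```

On the instance itself, sshd -T prints the effective configuration and sshd -t checks the file for errors. Keep the current session open until a second connection on the new settings succeeds.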

FAQ

  • How do I configure a security group rule for port 22?

    In the instance's security group, add a rule with these settings:

    • Action: Allow

    • Protocol: Custom TCP

    • Source: Your local client's public IP address.

      Important: Using 0.0.0.0/0 allows any IP address to access the port, posing a security risk.

    • Destination (This Instance): SSH(22). If you changed the SSH port, use the new port number.

  • How do I verify the instance's host key fingerprint?

    On first connection, the SSH client prompts you to verify the host key fingerprint.

    In the console

    1. Go to ECS console - Instances. Select a region and resource group.

    2. Find the instance and click image > Obtain Instance System Logs. Find BEGIN SSH HOST KEY FINGERPRINTS to view the fingerprints.

      Verify that the fingerprint displayed by your SSH client exactly matches one in the output. A mismatch may indicate a man-in-the-middle attack.

      If this section is missing, log on to the instance to view the fingerprint.

    In the instance

    Log on to the instance using Workbench and run the following command:

    for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$f"; done

    Sample output:

    1024 SHA256:9C******co root@Connect-Instance-Example (DSA)
    256 SHA256:u6******SU root@Connect-Instance-Example (ECDSA)
    256 SHA256:iQ******jg root@Connect-Instance-Example (ED25519)
    3072 SHA256:8R******64 root@Connect-Instance-Example (RSA)

    Verify that the fingerprint displayed by your SSH client exactly matches one in the output. A mismatch may indicate a man-in-the-middle attack.

  • How can I simplify the connection command with an SSH config file?

    Create an SSH config file on your local machine to define server aliases.

    1. Find or create the config file.

      Windows 10/11

      Default path: C:\Users\YourUsername\.ssh\config. Create the file if it does not exist.

      Replace YourUsername with your current Windows username.

      macOS

      Default path: ~/.ssh/config. Create the file if it does not exist.

    2. Edit the config file and add instance information.

      Open the config file and add a Host block for each server.

      # Configure an alias "web-server" for the web server
      Host web-server
          HostName        47.98.xxx.xxx
          User            root
          Port            22
          # (Optional) If you use a key pair to log on, specify the private key path. Ignore this if you use a password.
          IdentityFile    /path/to/your/private_key.pem
      
      # You can add more configurations for other servers
      Host other-server
          HostName        8.123.xxx.xxx
          User            ecs-user
          Port            2222
          IdentityFile    ~/.ssh/another_key.pem

      Parameter description:

      • Host: A custom alias.

      • HostName: The public IP address.

      • User: The logon username.

      • Port: The SSH port (default: 22).

      • IdentityFile: The private key file path.

    3. Connect using the alias.

      Save the config file. Connect using the alias:

      # Connect directly using the alias. SSH automatically reads the IP address, username, and key information from the config file.
      ssh web-server
  • Why do I get a Connection timed out error?

    The client failed to reach the server. Check the following:

    1. The public IP address is correct.

    2. The security group allows traffic on the required port.

    3. The instance is Running.

    4. Use the ECS console - Self-service Troubleshooting tool to diagnose any issues.

  • Why do I get a Permission denied, please try again error?

    The server rejected your password. Check the following:

    1. Reset the password in the console and try again.

    2. Use the ECS console - Self-service Troubleshooting tool to diagnose any issues.

  • Why do I get a Permission denied (publickey) error?

    The server rejected your key. Check the following:

    1. Bind the key pair again in the console and retry.

    2. The path to the private key file is correct and matches the key pair bound to the instance.

    3. (On macOS) The private key file permissions are 400 or 600.

    4. Use the ECS console - Self-service Troubleshooting tool to diagnose any issues.

  • Why do I get a WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! error?

    This SSH security feature triggers when the server's host key changes. This can happen after a system disk change, OS reinstallation, or host key file deletion.

    Solution: Verify that the new host key fingerprint matches the one shown in the console or on the instance. If it matches, remove the outdated entry from your known_hosts file:

    ssh-keygen -R <instance_public_IP_address>
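
The fingerprint comparison described in the FAQ above, which also applies before running ssh-keygen -R, can be scripted so that only an exact match passes. This is an added example, not Alibaba Cloud tooling; the log layout, the END marker and the fingerprint values are constructed assumptions.

```sh
#!/bin/sh
# Added example (constructed; not Alibaba Cloud tooling).

# console_fingerprints: reads an instance system log on stdin and prints the
# fingerprints found between the BEGIN/END SSH HOST KEY FINGERPRINTS markers,
# one per line as "SHA256:... (TYPE)". The END marker is an assumption.
console_fingerprints() {
    awk '
        /BEGIN SSH HOST KEY FINGERPRINTS/ { inside = 1; next }
        /END SSH HOST KEY FINGERPRINTS/   { inside = 0 }
        inside {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SHA256:/) print $i, $NF
        }
    '
}

# fingerprint_trusted SEEN < system-log
# Succeeds only if SEEN (copied from the ssh prompt) equals a console
# fingerprint character for character; a matching prefix is not enough.
fingerprint_trusted() {
    seen=$1
    case $seen in SHA256:?*) ;; *) return 2 ;; esac   # reject empty or malformed input
    console_fingerprints | awk -v seen="$seen" '$1 == seen { ok = 1 } END { exit !ok }'
}

# Constructed sample log; the fingerprints are made-up placeholders.
sample_log() {
cat <<'EOF'
-----BEGIN SSH HOST KEY FINGERPRINTS-----
256 SHA256:ExampleEcdsaFingerprint0000000000000000000AA root@Connect-Instance-Example (ECDSA)
256 SHA256:ExampleEd25519Fingerprint00000000000000000BB root@Connect-Instance-Example (ED25519)
-----END SSH HOST KEY FINGERPRINTS-----
EOF
}

if sample_log | fingerprint_trusted "SHA256:ExampleEd25519Fingerprint00000000000000000BB"; then
    echo "match: the host key is the instance's own"
else
    echo "MISMATCH: do not connect"
fi
```

At the (yes/no/[fingerprint]) prompt, OpenSSH also accepts the expected fingerprint pasted in place of yes and continues only if it matches the key the server presented.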