Alibaba Cloud provides a secure and convenient key pair-based authentication method for logons to Elastic Compute Service (ECS) instances. An SSH key pair is a set of security credentials that you use to authenticate to an ECS instance when you connect to it. SSH key pairs can be used to log on only to Linux instances.
An SSH key pair consists of a public key and a private key that are generated by using an asymmetric encryption algorithm. By default, key pairs are generated by using the RSA-2048 algorithm. If you plan to use SSH to log on to Linux instances, you must first create an SSH key pair. You can then specify the SSH key pair when you create a Linux instance, or bind the SSH key pair to an instance after the instance is created. In both cases, you use the private key of the key pair to connect to the instance.
After you create an SSH key pair, take note of the following items:
Alibaba Cloud stores the public key of the key pair. After the key pair is bound to a Linux instance, the public key is written to the ~/.ssh/authorized_keys file on the instance.
Download and store the private key in a secure location. The private key is unencrypted and is in Public-Key Cryptography Standards (PKCS) #8 format with Privacy-Enhanced Mail (PEM) encoding.
SSH key pair-based authentication provides the following advantages over username/password-based authentication:
Increased security: SSH key pairs provide higher security and reliability for authentication than passwords.
SSH key pairs are far more resistant to brute-force attacks than regular passwords.
Private keys cannot be derived from public keys, even if the public keys are obtained by an attacker.
Ease of use:
If you configure a public key on a Linux instance, you can run an SSH command or use a connection tool to log on to the instance with the corresponding private key instead of a password.
You can use a single SSH key pair to log on to a large number of Linux instances, which makes instance management more convenient. If you need to maintain multiple Linux instances in batches, we recommend this authentication method.
SSH key pairs have the following limits:
SSH key pairs are supported only by Linux instances.
If you use an SSH key pair to log on to a Linux instance, username/password-based authentication is disabled on the instance to increase security.
Only 2048-bit RSA key pairs can be created in the ECS console.
Up to 500 SSH key pairs can be retained per region in an Alibaba Cloud account.
When you bind SSH key pairs to Linux instances in the ECS console, you can bind only a single SSH key pair to a Linux instance.
If a key pair is already bound to the instance, the new key pair replaces the original key pair on the instance.
If you want to use multiple key pairs on a Linux instance, you can modify the ~/.ssh/authorized_keys file on the instance to add the key pairs. For more information, see Add or replace an SSH key pair.
Instances of retired instance types do not support SSH key pairs. For more information, see Retired instance types.
For data security purposes, after you bind an SSH key pair to or unbind an SSH key pair from an instance in the Running state, restart the instance for the operation to take effect.
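The limits above say that to accept more than one key pair on an instance you edit ~/.ssh/authorized_keys yourself. The following Python script is an added example, not Alibaba Cloud's tooling, showing how to make that edit safely: it validates each public-key line (the declared key type must match the type encoded inside the base64 blob), skips keys that are already present (compared by key material, not by the comment text), keeps the console-bound key untouched, and writes the file atomically with mode 0600. All function names are hypothetical, and the RSA values (e, n) used as samples are constructed for illustration and are not real keys.

```python
"""Added example (not Alibaba Cloud's code): add extra public keys to an
authorized_keys file without clobbering the key bound through the ECS console.
Uses only the Python standard library."""
from __future__ import annotations

import base64
import os
import stat
import struct
import tempfile


# OpenSSH wire format: every field is a 4-byte big-endian length followed by bytes.
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:  # leading zero keeps the integer positive
        b = b"\x00" + b
    return _ssh_string(b)


def rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line for an RSA public key (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_key_line(line: str) -> tuple[str, bytes] | None:
    """Return (key_type, blob) for a valid line, None for blank, comment or
    malformed lines. sshd silently ignores lines it cannot parse, so catching
    a mangled paste here avoids a lockout discovered only at login time."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    # Lines may carry options before the key type, e.g. 'no-pty ssh-rsa AAAA...'
    for i in range(min(2, len(parts) - 1)):
        key_type = parts[i]
        if not key_type.startswith(("ssh-", "ecdsa-")):
            continue
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return None
        if len(blob) < 4:
            return None
        tlen = struct.unpack(">I", blob[:4])[0]
        # The type named inside the blob must match the declared type.
        if blob[4:4 + tlen] != key_type.encode():
            return None
        return key_type, blob
    return None


def merge_authorized_keys(existing: str, new_lines: list[str]) -> tuple[str, list[str]]:
    """Append new, valid public keys that are not already present.
    Existing lines are kept verbatim; returns (updated_text, rejected_lines)."""
    present = {p[1] for p in (parse_key_line(l) for l in existing.splitlines()) if p}
    kept = existing.splitlines()
    rejected: list[str] = []
    for line in new_lines:
        parsed = parse_key_line(line)
        if parsed is None:
            rejected.append(line)
        elif parsed[1] not in present:  # dedupe by key material, not comment
            kept.append(line.strip())
            present.add(parsed[1])
    text = "\n".join(kept)
    return (text + "\n" if text else ""), rejected


def write_authorized_keys(path: str, text: str) -> int:
    """Write atomically with mode 0600 and return the resulting mode.
    sshd with StrictModes (the default) rejects a file other users can write."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, path)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_to_scratch(text: str) -> tuple[int, str]:
    """Write into a throwaway directory and return (mode, content read back)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        mode = write_authorized_keys(path, text)
        with open(path) as f:
            return mode, f.read()


def demo() -> tuple[str, list[str]]:
    """Constructed sample: one console-bound key plus four candidate lines."""
    existing = ("# key pair bound through the ECS console (constructed sample)\n"
                + rsa_public_key_line(65537, 2**64 + 13, "ecs-console-key") + "\n")
    extra = [
        rsa_public_key_line(65537, 2**64 + 13, "same-key-again"),  # duplicate: skipped
        rsa_public_key_line(3, 2**65 + 7, "ops-team-key"),          # new: appended
        "ssh-rsa AAAAB3NzaC1yc2E!!!broken ops-laptop",               # bad base64: rejected
        "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-rsa") + b"xx").decode()
        + " mismatched",                                             # type mismatch: rejected
    ]
    return merge_authorized_keys(existing, extra)


if __name__ == "__main__":
    merged, rejected = demo()
    print(merged)
    print("rejected:", rejected)
    print("mode:", oct(write_to_scratch(merged)[0]))
```

Point write_authorized_keys at the login user's ~/.ssh/authorized_keys on the instance. sshd reads that file on every authentication attempt, so a local edit takes effect on the next SSH login; the page's restart requirement applies to bindings made through the console. Keeping the file at 0600 and ~/.ssh at 0700 matters as much as the content, because StrictModes makes sshd ignore keys from a file or directory that other users can write.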
Methods for creating SSH key pairs
You can use one of the following methods to create an SSH key pair:
Create an SSH key pair in the ECS console. By default, key pairs are generated by using the RSA-2048 algorithm. For more information, see Create an SSH key pair.
Important: If you create a key pair in the ECS console, download and store the private key in a secure location. After you bind the key pair to an instance, you cannot log on to the instance without the private key.
Create an SSH key pair by using a key pair generator and then import the key pair to the ECS console. The imported key pair must use one of the following encryption methods: