
Elastic Compute Service: Manage instance logon credentials (username, password, and key pair)

Last Updated: Mar 06, 2026

ECS instances do not have a default password. If you forget the password, you can reset it. If you do not specify a username when you create an instance, the system uses the default username.

| Operating system | Default username | Description |
| --- | --- | --- |
| Linux | root | The super administrator for the Linux system. |
| Windows | Administrator | The super administrator for the Windows system. |

Important

The root user has high-level permissions. Using it directly is a security risk. Use ecs-user and obtain temporary root privileges with sudo for sensitive operations.

I. Password Management

1.1 Reset a password (if you do not know or have forgotten the original password)

Try the online password reset method first because it does not require an instance restart.

Online password reset (no restart required)

Note

Online password reset requires the Cloud Assistant Agent. Check the status of the Cloud Assistant Agent and install it if necessary.

  1. Go to the Instances page of the ECS console, select a region and resource group, and then find the target instance.

  2. Follow the instructions to open the Reset Instance Password dialog box.

  3. In the Reset Instance Password dialog box, configure the following parameters and click Confirm Change. Wait for the password to be reset. Keep the default values for other parameters.

    • New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.

    • Set Password Reset Method to Online Reset Password.

      Important

      If Online Reset Instance Password is unavailable, use the Offline password reset (restart required) method.

    If the password reset fails, use the Offline password reset (restart required) method.

Offline password reset (restart required)

Important

An offline password reset requires you to restart the instance for the change to take effect. A restart may interrupt services that are running on the instance. Plan the restart time accordingly.

  1. Go to the Instances page of the ECS console, select a region and resource group, and then find the instance that you want to manage.

  2. Follow the instructions to open the Reset Instance Password dialog box.

  3. In the Reset Instance Password dialog box, configure the following parameters and click Confirm Change. Wait for the password to be reset.

    • New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.

    • Set Password Reset Method to Offline Reset Password.

  4. Restart the instance.

    You must restart the instance for the new password to take effect. To ensure service stability, restart the instance during off-peak hours.

  5. Connect to the instance using VNC.

    A successful VNC logon indicates that the password was successfully reset in the operating system.

    If you can log on to the instance using VNC but cannot log on using tools such as Workbench, the password was reset successfully. The issue may be with the SSH configuration. For more information, see Troubleshoot connection failures to a Linux instance.

1.2 Change a password (if you know the original password)

We recommend that you first try to reset the password online from the console.

Online password reset

Note

Online password reset requires the Cloud Assistant Agent. Check the status of the Cloud Assistant Agent and install it if necessary.

  1. Go to the Instances page of the ECS console, select a region and resource group, and then find the instance that you want to manage.

  2. Depending on your console version, open the Reset Instance Password dialog box.

  3. In the Reset Instance Password dialog box, configure the following parameters and click Confirm Change. Wait for the password to be reset. Keep the default values for other parameters.

    • New Password/Confirm Password: Enter a new password for the instance. Create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.

    • Set Password Reset Method to Online Reset Password.

      Important

      If Online Reset Instance Password is unavailable, change the password manually within the instance.

    If the password reset fails, change the password manually within the instance.

Change the password manually within the instance

Windows instance

This example uses a Windows Server 2019 instance.

  1. Log on to the Windows instance using Workbench.

  2. Right-click the Start icon, click Run (R), enter compmgmt.msc, and then press Enter.

  3. In the navigation pane on the left, choose Computer Management > Local Users and Groups > Users.

  4. Right-click the username for which you want to change the password, such as Administrator, and then click Set Password.

  5. In the Set Password for Administrator dialog box, click Proceed. Enter a new password in the New Password and Confirm Password fields.

    Important

    Create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.

  6. Click OK. A confirmation message appears, indicating that the password has been set.

Linux instance

This topic uses the Alibaba Cloud Linux 3 operating system as an example:

  1. Log on to the Linux instance using Workbench.

  2. Run the following command:

    Replace <username> with the username whose password you want to change.
    sudo passwd <username>
  3. Enter the new password and press Enter. Re-enter the new password and press Enter again.

    Important

    Create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.

  4. Upon successful modification, the system displays output similar to the following:

    passwd: all authentication tokens updated successfully.

II. Key Pair Management

When you create an instance, you can attach a key pair that has been created in or imported to Alibaba Cloud to log on to the instance. If you did not attach a key pair when you created the instance, you must attach a key pair to the instance.

A key pair is a more secure credential that can effectively defend against brute-force attacks and dictionary attacks. It consists of a public key, which is stored on the instance, and a private key, which you must keep secure. To log on to the instance, you must provide the private key for identity verification.

How key pair authentication works

The following figure shows the simplified SSH key pair authentication process. After the client initiates a logon request, the server uses the public key to encrypt a random string. The client decrypts this string with the private key and returns it to the server. The server then verifies the identity by comparing the returned string with the original one.

To use a key pair with a Windows instance, enable the SSH service on the instance. The console does not support managing key pairs for Windows instances.

2.1 Create or import a key pair

Console

Create a key pair

  1. Go to the Key Pairs page of the ECS console. In the upper-left corner, select a region and resource group.

    An ECS instance can be attached only to a key pair in the same region.
  2. Click Create Key Pair. Set the creation type to Automatically Create a Key Pair.

  3. Click OK.

    After the key pair is successfully created, the browser automatically downloads the private key file (key_pair_name.pem) to your local computer.

Import a key pair

Supported encryption methods for imported key pairs

  • rsa

  • dsa

  • ssh-rsa

  • ssh-dss

  • ecdsa

  1. View the public key for a private key

    Local machine runs Linux or macOS

    Use the ssh-keygen command to extract and display the public key from an existing private key file

    Replace <path_to_key_pair> with the path to your private key file, for example, /path_to_key_pair/my-key-pair.pem.
    ssh-keygen -y -f <path_to_key_pair>

    The public key information is returned:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA****+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCxxxxxx

    Local machine runs Windows

    Perform the following steps to view the public key:

    1. Start PuTTYgen.

    2. Click Load.

    3. Select a .ppk or .pem file.

      PuTTYgen displays the public key.

  2. Import a key pair (public key)

    1. Go to the Key Pairs page of the ECS console. In the upper-left corner, select a region.

      An ECS instance can be attached only to a key pair in the same region.
    2. Click Create Key Pair, set the creation type to Import an Existing Key Pair, and provide the Public Key Content.

    3. Click OK to complete the import.

API

2.2 Attach or replace a key pair

Console

Note

Only Linux instances support attaching, detaching, and replacing key pairs in the console.

Attach a key pair when you create an instance

When you create an instance using the custom launch method, you can set Logon Credential to Key Pair and then select an existing Key Pair.

Attach or replace a key pair

Important
  • Attaching or replacing a key pair in the console requires an instance restart for the change to take effect. Restarting the instance may interrupt your services. Plan this operation for a time that minimizes impact.

  • You can attach a maximum of one key pair to each instance in the console. To attach multiple key pairs, manually attach them on the instance.

Attach or replace in the console (restart required)

Go to the Instances page of the ECS console. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:

In the Actions column, click the icon and choose Attach Key Pair. Select an existing key pair and click OK. The change takes effect after you restart the instance.

Manually attach on the instance (no restart required)

  1. Generate a key pair

    The steps to generate a key pair vary depending on the tool. This example uses the ssh-keygen tool.

    Run the following command to generate a key pair.

    ssh-keygen -t rsa -b 2048 -f id_rsa

    Parameter description:

    • -t rsa: Specifies the key type as rsa.

    • -b 2048: Specifies the key length as 2048 bits.

    • -f id_rsa: Specifies the filename and save location for the key pair.

    The system prompts you to enter a passphrase. This passphrase protects your private key. Setting a passphrase is a recommended security measure. If you do not need a passphrase, press Enter to continue.

    After the command runs successfully, two files are generated in the current directory:

    • id_rsa: Your private key.

    • id_rsa.pub: Your public key.

    Important

    Keep your private key secure and do not share it with others.

  2. Attach the public key to the instance

    After you log on to the instance using Workbench, follow these steps.

    The procedure differs for root and non-root users. Choose the appropriate steps based on your needs.

    Set the public key for the root user

    1. Create the authorized_keys configuration file.

      If the /root/.ssh directory or the authorized_keys file does not exist, run the following commands to create them.

      sudo mkdir /root/.ssh
      sudo touch /root/.ssh/authorized_keys
    2. Add the public key.

      Open the authorized_keys file with a text editor such as Vim.

      sudo vim /root/.ssh/authorized_keys

      Paste your public key content into the file. You can add multiple public keys, with each public key on a new line. Save and close the file.

    3. Set file permissions.

      SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.

      Run the following commands to set the correct permissions.

      sudo chmod 700 /root/.ssh
      sudo chmod 600 /root/.ssh/authorized_keys

    Set the public key for a non-root user

    1. Create the authorized_keys configuration file.

      If the /home/<username>/.ssh directory or the authorized_keys file does not exist, run the following commands to create them.

      In the commands, <username> represents the username for which you want to attach the public key.
      sudo mkdir /home/<username>/.ssh
      sudo touch /home/<username>/.ssh/authorized_keys
    2. Add the public key.

      Open the authorized_keys file with a text editor such as Vim.

      sudo vim /home/<username>/.ssh/authorized_keys

      Paste your public key content into the file. You can add multiple public keys, with each public key on a new line. Save and close the file.

    3. Set file permissions.

      SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.

      Run the following commands to set the correct permissions.

      sudo chown -R <username>:<username> /home/<username>/.ssh
      sudo chmod 700 /home/<username>/.ssh
      sudo chmod 600 /home/<username>/.ssh/authorized_keys
  3. Enable public key authentication for the SSH service

    After you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.

    1. Back up the SSH configuration file /etc/ssh/sshd_config.

      sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    2. Open the /etc/ssh/sshd_config file with a text editor such as Vim. Find the PubkeyAuthentication parameter and set its value to yes to enable public key authentication.

      sudo vim /etc/ssh/sshd_config
    3. Restart the SSH service to apply the changes.

      For Alibaba Cloud Linux 3:

      sudo systemctl restart sshd
      On some operating systems, such as Ubuntu and Debian, the SSH service is named ssh instead of sshd. Adjust the command accordingly.
      Important

      If you are connected to the instance over SSH, restarting the service may disconnect you. You can reconnect after the service restarts.
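Step 2 of the procedure above, done without a text editor: this added example (not Alibaba Cloud's code) appends one public key to an account's authorized_keys with the permissions the procedure sets, leaves the file alone when the key is already present, and refuses input that carries an options prefix or a second line. The function name install_pubkey, its arguments, and the accepted key types are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# install_pubkey <home_dir> <public_key_line> [owner]
# Prints "added" or "unchanged"; returns 2 when the input is rejected.
install_pubkey() {
    home_dir=$1; key_line=$2; owner=${3:-}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    nl='
'
    # One entry only: an embedded newline would add a second, unreviewed key.
    case $key_line in
        *"$nl"*) echo "rejected: more than one line" >&2; return 2 ;;
    esac

    # Expected layout: "<type> <base64 blob> [comment]".
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        # Anything else, including a leading command="..." option, is refused.
        *) echo "rejected: unexpected key type or options prefix" >&2; return 2 ;;
    esac
    case $key_blob in
        AAAA*) ;;
        *) echo "rejected: second field is not a key blob" >&2; return 2 ;;
    esac
    case $key_blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; return 2 ;;
    esac

    # Create with a tight umask, then enforce 700/600 on pre-existing paths too.
    ( umask 077 && mkdir -p "$ssh_dir" && : >> "$auth_file" ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"

    # Idempotent: compare the key blob, not the free-text comment.
    if awk -v b="$key_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                             END { exit !f }' "$auth_file"; then
        echo "unchanged"
        return 0
    fi

    # Do not glue the new entry onto a last line that lacks a newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"

    # When run as root for another account, hand ownership back to it.
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$ssh_dir" || return 1
    fi
    echo "added"
    return 0
}

# Usage on the instance (constructed values):
#   sudo sh -c '. ./install_pubkey.sh; install_pubkey /home/exampleuser "$(cat id_rsa.pub)" exampleuser'
```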

API

Note

Only Linux instances support attaching, replacing, and detaching key pairs using the API.

  • Set a key pair when you create an instance: When you call RunInstances to create an instance, set the KeyPairName parameter to the name of the key pair.

  • Attach or replace a key pair: Call AttachKeyPair and specify the key pair name KeyPairName and instance IDs InstanceIds.

  • Detach a key pair: Call DetachKeyPair and specify the key pair name KeyPairName and instance IDs InstanceIds.

2.3 Detach a key pair

Important

Detaching a key pair in the console requires an instance restart for the change to take effect. Restarting the instance may interrupt your services. Plan this operation for a time that minimizes impact.

Detach in the console (restart required)

Go to the Instances page of the ECS console. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:

In the Actions column, click the icon and choose Detach Key Pair, and then click Detach. The change takes effect after you restart the instance.

Manually detach on the instance (no restart required)

You can manually purge the public keys stored in the authorized_keys file on the instance to detach a key pair. The path to the authorized_keys configuration file varies depending on the user:

  • root user: /root/.ssh/authorized_keys

  • Non-root user: /home/<username>/.ssh/authorized_keys

    where <username> is the username of the user to whom you attach the public key.
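Purging the whole file also removes keys that should stay. As an added example (not Alibaba Cloud's code), the function below removes only the entry whose key blob matches, keeps comments and other keys, writes a .bak copy first, and rewrites the file in place so its owner and 600 mode are preserved. The name remove_pubkey and the sample entries in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page.
# remove_pubkey <authorized_keys path> <public key line or bare base64 blob>
# Prints the number of entries removed.
remove_pubkey() {
    auth_file=$1

    # Accept a full "type blob comment" line or just the blob; SSH public key
    # blobs always begin with "AAAA" in base64.
    blob=$(printf '%s\n' "$2" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ "^AAAA[A-Za-z0-9+/=]+$") { print $i; exit }
    }')
    if [ -z "$blob" ]; then
        echo "no key blob found in argument" >&2
        return 2
    fi
    if [ ! -f "$auth_file" ]; then
        echo "no such file: $auth_file" >&2
        return 1
    fi

    # Filter into a temporary file next to the original (mktemp creates it 0600).
    tmp=$(mktemp "$auth_file.XXXXXX") || return 1
    removed=$(awk -v b="$blob" -v out="$tmp" '
        {
            drop = 0
            for (i = 1; i <= NF; i++) if ($i == b) drop = 1
            if (drop) { n++ } else { print > out }
        }
        END { print n + 0 }
    ' "$auth_file")

    if [ "$removed" -gt 0 ]; then
        cp -p "$auth_file" "$auth_file.bak"   # rollback copy, same mode and owner
        cat "$tmp" > "$auth_file"             # same inode: owner and mode unchanged
    fi
    rm -f "$tmp"
    echo "$removed"
    return 0
}

# Usage on the instance (constructed values):
#   sudo sh -c '. ./remove_pubkey.sh; remove_pubkey /home/exampleuser/.ssh/authorized_keys "$(cat old_key.pub)"'
```

Sessions that are already open stay open; removing the entry only blocks new logons with that key.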

2.4 Delete

Console

Important

You cannot delete a key pair that is attached to an instance.

  1. Go to the Key Pairs page of the ECS console. In the upper-left corner, select a region and resource group.

  2. Find the key pair that you want to delete and click Delete in the Actions column. This deletes the key pair.

API

Call DeleteKeyPairs and specify the KeyPairNames parameter with the names of the key pairs that you want to delete.

III. Multi-user remote logon

To allow multiple users to access an ECS instance, follow these steps to create a regular user and enable remote access.

Linux system

Log on to the instance using Workbench and follow these steps to create a user:

  1. Create a user

    Replace <username> in the command with the desired username. For example, to create a user named exampleuser, run sudo useradd -m exampleuser.
    sudo useradd -m <username>
  2. Set a password or key pair

    Attach a key pair

    1. Generate a key pair file on your local machine.

      Important

      For security reasons, do not create a key pair using ssh-keygen on the instance. Do not save the generated private key on the ECS instance that you want to connect to.

      The steps to generate a key pair vary depending on the tool. This example uses the ssh-keygen tool.

      Run the following command to generate a key pair.

      ssh-keygen -t rsa -b 2048 -f id_rsa

      Parameter description:

      • -t rsa: Specifies the key type as rsa.

      • -b 2048: Specifies the key length as 2048 bits.

      • -f id_rsa: Specifies the filename and save location for the key pair.

      The system prompts you to enter a passphrase. This passphrase protects your private key. Setting a passphrase is a recommended security measure. If you do not need a passphrase, press Enter to continue.

      After the command runs successfully, two files are generated in the current directory:

      • id_rsa: Your private key.

      • id_rsa.pub: Your public key.

      Important

      Keep your private key secure and do not share it with others.

    2. Attach the public key to the user.

      1. Create the authorized_keys configuration file.

        If the /home/<username>/.ssh directory or the authorized_keys file does not exist, run the following commands to create them.

        In the commands, <username> represents the username for which you want to attach the public key.
        sudo mkdir /home/<username>/.ssh
        sudo touch /home/<username>/.ssh/authorized_keys
      2. Add the public key.

        Open the authorized_keys file with a text editor such as Vim.

        sudo vim /home/<username>/.ssh/authorized_keys

        Paste your public key content into the file. You can add multiple public keys, with each public key on a new line. Save and close the file.

      3. Set file permissions.

        SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.

        Run the following commands to set the correct permissions.

        sudo chown -R <username>:<username> /home/<username>/.ssh
        sudo chmod 700 /home/<username>/.ssh
        sudo chmod 600 /home/<username>/.ssh/authorized_keys
    3. Enable public key authentication for the SSH service.

      After you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.

      1. Back up the SSH configuration file /etc/ssh/sshd_config.

        sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
      2. Open the /etc/ssh/sshd_config file with a text editor such as Vim. Find the PubkeyAuthentication parameter and set its value to yes to enable public key authentication.

        sudo vim /etc/ssh/sshd_config
      3. Restart the SSH service to apply the changes.

        For Alibaba Cloud Linux 3:

        sudo systemctl restart sshd
        On some operating systems, such as Ubuntu and Debian, the SSH service is named ssh instead of sshd. Adjust the command accordingly.
        Important

        If you are connected to the instance over SSH, restarting the service may disconnect you. You can reconnect after the service restarts.

    Set a password

    Run the following command:

    Replace <username> with the username for which you want to set the password.
    sudo passwd <username>

    Enter the new password and press Enter. Re-enter the new password to confirm and press Enter.

    If the change is successful, a message similar to the following is displayed:

    passwd: all authentication tokens updated successfully.
  3. (Optional) Remotely log on to the ECS instance as the new user to verify the configuration.

Windows system

Important

By default, Windows supports a maximum of two concurrent remote connections over Remote Desktop Protocol (RDP). If you need more than two users to log on to a Windows instance at the same time, you must use Microsoft's Remote Desktop Services.

Log on to the instance using Workbench and follow these steps:

  1. Create a user

    1. Open Control Panel, find User Accounts, and click Change account type.

    2. On the Manage Accounts page, click Add a user account to go to the Add a user page.

    3. On the Add a user page, follow the on-screen instructions to set the username and password for the new user.

      This example creates a user named exampleuser. Set the User name as needed.
    4. Click Next, and then click Finish. The new user is created.

  2. Add the new user to the Remote Desktop Users group

    Only users in the Remote Desktop Users group can log on to the instance remotely.

    1. In the search box on the taskbar, search for Computer Management, and click Computer Management to open the Computer Management window.

    2. Under System Tools > Local Users and Groups > Groups, find the Remote Desktop Users group. Double-click it to open the Remote Desktop Users Properties page.

    3. Follow these steps:

      1. On the Remote Desktop Users Properties page, click Add.

      2. Enter the username that you created in Step 2 and click Check Name. The full name is automatically populated.

      3. Click OK. On the Remote Desktop Users Properties page, click Apply and then OK. The user is added to the group.

  3. (Optional) Remotely log on to the ECS instance as the new user to verify the configuration.

IV. FAQ

Q1: What is the default or initial username for an ECS instance?

  • Linux instances: The default username is root. If you selected ecs-user during creation, the username is ecs-user.

  • Windows instances: The default username is Administrator.

Q2: What is the default or initial password for an ECS instance?

None.

For security, Alibaba Cloud does not set a default or initial password for ECS instances. If you did not set a password when you created the instance, reset the password.

Q3: How can I view the instance password?

Alibaba Cloud does not store instance passwords and cannot retrieve them.

Q4: How do I recover credentials if I forgot my username or password?

Forgot username: The username set during instance creation is displayed at the top of the Reset Instance Password dialog box.

Forgot password: Reset the password.

Q5: Why does the online password reset fail?

This usually happens because security software on the instance blocks the password change command from Cloud Assistant. Use the offline password reset method.

Q6: How do I switch between the root and ecs-user accounts?

  • Switching from root to ecs-user

    You can set the username to ecs-user only when you create an instance from a supported Linux image using the custom launch method.

    After an instance is created, you cannot directly switch the default user to ecs-user. As a workaround, create a new user named ecs-user, grant it sudo permissions, and then configure it for remote logon.

  • Switching from ecs-user to root

    We strongly recommend that you continue to use ecs-user and execute privileged commands with sudo instead of logging in directly as the root user.

    If you must switch to the root user within a logged-in session, log in as `ecs-user` and run the sudo su command to switch to the root user.

Console features such as offline password reset and attaching key pairs apply only to the username that was set when the instance was created.

Q7: How can I enable both SSH key pair and password authentication for a Linux instance?

Modify the SSH service's /etc/ssh/sshd_config configuration file.

  • Enable SSH key pair authentication (recommended, more secure): This is controlled by the PubkeyAuthentication option. Set its value to yes to enable key pair authentication. Restart the instance's SSH service after you modify the configuration.

  • Enable SSH password authentication (not recommended, less secure): This is controlled by the PasswordAuthentication option. Set its value to yes to enable password authentication. Restart the instance's SSH service after you modify the configuration.
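When editing sshd_config as described here and in the "Enable public key authentication for the SSH service" step, note that sshd uses the first value it reads for each keyword, so a PubkeyAuthentication yes added below an earlier no has no effect. The added example below (not Alibaba Cloud's code) reports the value that wins for a global keyword in a given file; the function names and the sample configuration in the usage comment are assumptions, and Include files are not followed.

```shell
#!/bin/sh
# Added example, not from the original page.
# sshd_global_value <sshd_config path> <Keyword>
# Prints the first global value for the keyword, or "(unset)".
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "(unset)" }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)                # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))    # keywords are case-insensitive
            arg = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", arg)
            sub(/[ \t]+$/, "", arg)
            if (key == "match") exit                 # Match sections are conditional
            if (key == want) { val = arg; exit }     # first value wins
        }
        END { print val }
    ' "$1"
}

# audit_sshd_auth <sshd_config path>
# Prints both logon settings; returns 1 when key pair logon is switched off.
audit_sshd_auth() {
    pub=$(sshd_global_value "$1" PubkeyAuthentication)
    pw=$(sshd_global_value "$1" PasswordAuthentication)
    echo "PubkeyAuthentication=$pub PasswordAuthentication=$pw"
    if [ "$pub" = no ]; then
        echo "key pair logon will fail: the first PubkeyAuthentication value is no" >&2
        return 1
    fi
    return 0
}

# Usage on the instance:
#   audit_sshd_auth /etc/ssh/sshd_config
# A file containing, in this order (constructed sample),
#   pubkeyauthentication no
#   PubkeyAuthentication yes
# reports PubkeyAuthentication=no, because the earlier line is the one sshd uses.
```

On the instance, `sudo sshd -t` checks the file for syntax errors before you restart the service, and `sudo sshd -T` prints the configuration sshd actually applies, including any Include files.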

Q8: How do I set the ECS logon username when I create an instance using Terraform?

The default username for an ECS instance is determined by its image (for example, `root` for Linux and `Administrator` for Windows). When you create an ECS instance using Terraform, you can use the login_as_non_root parameter in the image_options block to configure the instance to use a non-root logon user.

  • Parameter: login_as_non_root (Boolean value).

  • Method: Set this parameter to true.

  • Result: The instance logon username is set to ecs-user.