Use temporary SSH key pairs in Alibaba Cloud Workbench to securely log on to instances without a password. This method eliminates the need to manage or expose long-term passwords or keys. It effectively mitigates the risks of credential leaks and brute-force attacks.
Why use password-free logon with temporary key pairs
Traditional static credentials, such as passwords and long-term SSH key pairs, pose security risks. Because they are valid for a long time, an attacker who cracks or steals them gains persistent access to your server. In addition, the processes for distributing, rotating, and revoking these credentials are complex and prone to error. Workbench solves these problems using temporary key pairs.
| Core advantages | Description |
| --- | --- |
| Reduced risk of credential leaks | Users never handle any permanent passwords or keys. This reduces the risk of credential leaks caused by human error. |
| Defense against brute-force attacks | Logon credentials are generated for one-time use and are valid for only 60 seconds. This greatly reduces the risk of brute-force attacks on your Elastic Compute Service (ECS) instances. |
| Centralized permission control | Use Resource Access Management (RAM) access policies to implement fine-grained control over who can log on to instances. |
How it works
Logging on with a temporary key pair still requires authentication. It replaces static credentials with a more secure, centralized authentication method managed by Alibaba Cloud. The following list describes how it works:
1. Initiate password-free logon from the console.
2. Verify RAM permissions: Workbench verifies whether the current Resource Access Management (RAM) user has permission to log on to the target instance.
3. Generate a temporary SSH key pair: After the permission is verified, Workbench dynamically generates a one-time SSH key pair (a public key and a private key) that is valid for 60 seconds. The private key is temporarily stored on the Alibaba Cloud Workbench server.
4. Send the public key to the instance: Workbench adds the temporary public key to the instance using the Cloud Assistant Agent installed on the ECS instance.
5. Complete SSH authentication and establish a connection: Workbench uses the temporary private key stored on the server to complete the public key authentication process with the SSH service on the instance and establish a connection.
6. Automatically destroy the key pair: After the 60-second validity period expires, the temporary key pair is immediately and automatically destroyed, regardless of whether the logon was successful. The public key is removed from the ECS instance, and the private key is deleted from Workbench. This process ensures that each key is used only once and cannot be reused.
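The one-time, 60-second property described above can be checked from the instance side. The following is an added example, not code from Alibaba Cloud: it scans sshd "Accepted publickey" log lines and reports any key fingerprint that was accepted more than once or across more than 60 seconds, which points to a static key still in use. It assumes OpenSSH logging with ISO 8601 syslog timestamps; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

KEY_TTL = timedelta(seconds=60)  # validity period stated on this page

# OpenSSH "Accepted publickey" line with an ISO 8601 timestamp (assumed log format).
ACCEPTED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)"
)

def find_long_lived_keys(lines, ttl=KEY_TTL):
    """Return {fingerprint: reason} for keys that do not behave like one-time keys."""
    seen = defaultdict(list)
    for line in lines:
        m = ACCEPTED.match(line)
        if m:  # failed logons and non-sshd lines are ignored
            seen[m["fp"]].append(datetime.fromisoformat(m["ts"]))
    findings = {}
    for fp, times in seen.items():
        times.sort()
        span = times[-1] - times[0]
        if span > ttl:
            # Same key accepted after a temporary key would already be destroyed.
            findings[fp] = "accepted %ds after first use" % span.total_seconds()
        elif len(times) > 1:
            # Inside the validity window, but used more than once.
            findings[fp] = "accepted %d times" % len(times)
    return findings

# Constructed sample log: two one-time keys, one static key reused the next day.
SAMPLE_LOG = """\
2024-05-01T10:00:05+00:00 ecs-demo sshd[2101]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:constructedTempKeyA
2024-05-01T10:07:41+00:00 ecs-demo sshd[2188]: Accepted publickey for root from 192.0.2.10 port 51190 ssh2: ED25519 SHA256:constructedTempKeyB
2024-05-01T10:09:00+00:00 ecs-demo sshd[2203]: Accepted publickey for admin from 198.51.100.7 port 40112 ssh2: RSA SHA256:constructedStaticKey
2024-05-01T10:20:13+00:00 ecs-demo sshd[2290]: Failed password for root from 203.0.113.9 port 33810 ssh2
2024-05-02T08:30:00+00:00 ecs-demo sshd[3120]: Accepted publickey for admin from 198.51.100.7 port 40990 ssh2: RSA SHA256:constructedStaticKey
""".splitlines()

if __name__ == "__main__":
    for fingerprint, reason in find_long_lived_keys(SAMPLE_LOG).items():
        print(fingerprint, "->", reason)
```

Any fingerprint this reports is worth tracing back to a long-term key pair bound to the instance, since a temporary key should appear in at most one accepted logon.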