Workbench is a more efficient and convenient connection tool than Virtual Network Computing (VNC) and allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time. Workbench supports the following authentication methods for logons to instances: password-based authentication, key-based authentication, and credential-based authentication.

Prerequisites

  • A logon password is set for or a key pair is bound to the Linux instance to which you want to connect.
  • The instance is in the Running state.
  • Security group rules are added to allow the IP addresses related to the Workbench service to access the instance. For more information about the security group rules, see the Add security group rules to allow Workbench access to a Linux instance section in this topic.

Background information

  • By default, a Workbench remote session persists for 6 hours. If you go 6 hours without performing operations, the remote connection is disconnected. You must reconnect to the instance.
  • By default, when you use Workbench to access Linux instances, you are connected to the instances over SSH. For more information, see the "Connect to a Linux instance over SSH" section of this topic.
  • You can use the GUI provided by Workbench to manage files and system services in your Linux instances in a visual manner. For more information, see Manage files and Perform system management.

Connect to a Linux instance over SSH

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect and click Connect in the Actions column.
  5. In the Remote connection dialog box, click Sign in now in the Workbench section.
  6. In the Instance Login dialog box, configure parameters.
    The following table describes the required parameters in the dialog box.
    Parameter: Description
    Instance: The information of the current instance is automatically populated. You can also manually enter the IP address or name of another instance.
    Connection:
    • To connect to an instance that resides in a virtual private cloud (VPC), use the public or private IP address of the instance.
    • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
    Authentication: Select an authentication method. The following authentication methods are supported:
    • Password-based: Enter a username, such as root or ecs-user, and its password.
    • Certificate-based: Enter a username, such as root or ecs-user, and then enter or upload a certificate. If the certificate is encrypted, enter the key passphrase of the certificate.
    • Credential-based: Select an existing credential or create a credential.

      Credentials are used to store instance information such as usernames, passwords, and keys. You can use credentials to log on to instances in a secure manner without the need to enter usernames and passwords. If no credentials exist for an instance in Workbench, create a credential for the instance. For more information, see the Create a credential in Workbench section of this topic.

    In the lower part of the dialog box, click More Options to show the optional parameters. The following table describes the parameters.
    Parameter: Description
    Resource Group: By default, All is selected. You can manually select a resource group from the drop-down list.
    Region: By default, All is selected. You can manually select a region from the drop-down list.
    Protocol: By default, Terminal Connection (SSH) is selected.
    Port: If Protocol is set to Terminal Connection (SSH), this parameter is automatically set to 22.
    Language: Select your preferred language. The selected language affects the outputs of the instance. We recommend that you select Default. This way, Workbench detects the language settings of the instance and configures appropriate settings.
    Character Set: Select your preferred character set. The selected character set affects the outputs of the instance. We recommend that you select Default. This way, Workbench detects the character set settings of the instance and configures appropriate settings.
  7. Click OK.
If all of the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether the SSH service (sshd on Linux) is enabled. If not, enable the service.
  • Check whether the required terminal connection port (typically port 22) is open. If not, open the port.
  • If you want to log on to the Linux instance as the root user, make sure that both the PermitRootLogin and PasswordAuthentication parameters are set to yes in the /etc/ssh/sshd_config file. For more information, see the "Enable root logon over SSH on a Linux instance" section of this topic.

Create a credential in Workbench

This section describes how to create a credential for an instance in Workbench. After the credential is created, you can use it for authentication when you log on to the instance.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection (Default) section.
  6. In the Instance Login dialog box, specify parameters to log on to the instance.
    • If no credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
        • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.
        • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
        Authentication:
        1. Select Credential-based.
        2. Select Create Credential from the Credential drop-down list.
      2. In the Add Credential dialog box, specify parameters described in the following table.
        Parameter: Description
        Credential Name: Enter a name for the credential.
        Username: Enter a username, such as root or ecs-user.
        Credential Type: Select a credential type. Valid values:
        • Password: If you select this value, you must continue to enter a password for the authentication material.
        • PrivateKey: If you select this value, you must continue to enter or upload a private key certificate. If the certificate is encrypted, enter the key passphrase of the certificate.
        Material Name: Enter a name for the authentication material.
        Password: Enter a password to use for authentication.
        Fingerprint: Fingerprint is automatically generated based on the password or key of the authentication material.
      3. Optional: You can click Add Material to add more authentication materials. At least one authentication material must be retained for each credential.
      4. Click OK.
      5. In the Instance Login dialog box, select the credential that you created from the Credential drop-down list and click OK.
    • If credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
        • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.
        • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
        Authentication: Select an existing credential.

        You can modify or delete credentials based on your needs.

      2. Click OK.

Enable root logon over SSH on a Linux instance

In some Linux operating systems, sshd disables root logon by default. If this occurs, when you attempt to connect to an instance as the root user over SSH, you are prompted that your username or password is invalid. To enable root logon over SSH, perform the following operations.

  1. Use VNC to connect to a Linux instance with a password. For more information, see Connect to a Linux instance by using password authentication.
  2. Open the SSH configuration file.
    vim /etc/ssh/sshd_config
  3. Press the I key to enter the Insert mode.
  4. Set both PermitRootLogin and PasswordAuthentication to yes, as shown in the following lines:
    PermitRootLogin yes
    PasswordAuthentication yes
  5. Press the Esc key and enter :wq to save the change.
  6. Restart sshd.
    systemctl restart sshd.service
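
The check below is an added example, not part of the original procedure. It shows why the edit in step 4 can fail to take effect: sshd uses the first value it reads for a keyword, so a "yes" placed after an existing "no" changes nothing. The function names and the sample file are constructed for illustration, and Include directives are assumed not to be in use.

```shell
#!/bin/sh
# Added example (not from the original page). sshd uses the FIRST value it
# reads for each keyword, keywords are case-insensitive, and lines after a
# "Match" line are conditional, so a "yes" added lower in the file can be
# silently ignored. Include directives are not followed here.

effective_sshd_opt() {
    # $1 = sshd_config-style file, $2 = keyword; prints the global value in
    # lowercase, or nothing if the keyword is unset (sshd default applies).
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

root_password_logon_enabled() {
    # Succeeds only if both settings from step 4 are effectively "yes".
    [ "$(effective_sshd_opt "$1" PermitRootLogin)" = "yes" ] &&
        [ "$(effective_sshd_opt "$1" PasswordAuthentication)" = "yes" ]
}

write_sample_config() {
    # Constructed sample: the later "PermitRootLogin yes" is shadowed by the
    # earlier "no", and the Match block value applies to one user only.
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
Port 22
PermitRootLogin no
passwordauthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "PermitRootLogin effective value: $(effective_sshd_opt "$cfg" PermitRootLogin)"
if root_password_logon_enabled "$cfg"; then
    echo "root password logon: enabled"
else
    echo "root password logon: still disabled"
fi
rm -f "$cfg"
```

On the instance itself, `sshd -t` validates the file before the restart in step 6, and `sshd -T` prints the effective configuration including any included files.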

Add security group rules to allow Workbench access to a Linux instance

This section describes how to add rules to security groups of different network types in the ECS console to allow Workbench access to a Linux instance.
  • If you want to connect to a Linux instance that resides in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.
    Action: Allow
    Priority: 1
    Protocol Type: Custom TCP
    Port:
    • If port 22 is opened by default on the Linux instance, select SSH (22).
    • If you have manually opened other ports on the Linux instance, enter a corresponding port range.
    Authorization Object:
    • If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an elastic IP address (EIP) that is associated with the instance.
    • If you want to connect to the instance by using its private IP address, specify 100.104.0.0/16.
    Important You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes your instance to security risks. Proceed with caution.
  • If you want to connect to a Linux instance that resides in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters that must be configured for the rule.
    Action: Allow
    Priority: 1
    Protocol Type: Custom TCP
    Port:
    • If port 22 is opened by default on the Linux instance, select SSH (22).
    • If you have manually opened other ports on the Linux instance, enter a corresponding port range.
    Authorization Object: If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an EIP that is associated with the instance.
    Important You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this exposes your instance to security risks. Proceed with caution.
  • If you want to connect to a Linux instance that resides in the classic network over the internal network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.
    Action: Allow
    Priority: 1
    Protocol Type: Custom TCP
    Port:
    • If port 22 is opened by default on the Linux instance, select SSH (22).
    • If you have manually opened other ports on the Linux instance, enter a corresponding port range.
    Authorization Object: If you want to connect to the instance by using its internal IP address, specify 11.195.184.0/24 and 11.246.55.0/24161.117.90.22.
    Important High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.
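
The audit below is an added example, not part of the original topic. It lists the Allow rules that open the SSH port to any source other than the Workbench addresses given above for a VPC instance. The rule-line format, function names and sample rules are constructed, and sources are compared as exact strings (with /32 normalized), not by CIDR containment.

```shell
#!/bin/sh
# Added example (not from the original page). Rule lines use a constructed
# format, "policy protocol port-range source"; adapt the field order to
# whatever your own security group export produces.

audit_ssh_sources() {
    # $1 = SSH port, $2 = space-separated allowed sources; rules on stdin.
    # Prints "port-range source" for every Allow rule that reaches the port
    # from a source outside the allow list (exact match, /32 normalized).
    awk -v port="$1" -v allowed="$2" '
        function norm(s) { sub(/\/32$/, "", s); return s }  # a.b.c.d/32 = a.b.c.d
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[norm(a[i])] = 1 }
        NF < 4 || $1 ~ /^#/ { next }
        tolower($1) != "allow" { next }
        {
            proto = tolower($2)                 # "all" = any protocol, any port
            if (proto != "tcp" && proto != "all") next
            split($3, r, "/")                   # "low/high"
            if (proto == "tcp" && (port + 0 < r[1] + 0 || port + 0 > r[2] + 0)) next
            if (!(norm($4) in ok)) print $3, $4
        }
    '
}

sample_rules() {
    # Constructed rules; 203.0.113.7 and 198.51.100.0/24 are documentation ranges.
    cat <<'EOF'
Allow TCP 22/22 161.117.90.22/32
Allow TCP 22/22 100.104.0.0/16
Allow TCP 1/65535 0.0.0.0/0
Allow TCP 443/443 0.0.0.0/0
Allow TCP 22/22 203.0.113.7
Drop TCP 22/22 198.51.100.0/24
Allow ALL -1/-1 0.0.0.0/0
EOF
}

# Allow list for a VPC instance, taken from the values stated above.
WORKBENCH_VPC_SOURCES="161.117.90.22 100.104.0.0/16"
sample_rules | audit_ssh_sources 22 "$WORKBENCH_VPC_SOURCES"
```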