This topic describes how to register public keys to connect to Elastic Compute Service (ECS) instances without passwords by using the send_public_key subcommand of ali-instance-cli.

Prerequisites

Background information

You can run the send_public_key subcommand of ali-instance-cli to send an SSH public key to the instance that you want to connect to, for use by the users that you specify. The SSH public key remains valid for 60 seconds. During these 60 seconds, you can use the SSH public key to connect to the instance as the specified users without a password.

Session management clients support Linux, macOS, and Windows operating systems, but are used differently on each operating system. For more information, see the Linux or macOS operating systems and Windows operating systems sections of this topic.

Linux or macOS operating systems

  1. Log on to a session management client.
  2. Install ali-instance-cli on the session management client.
    Run one of the following commands to install ali-instance-cli based on the operating system.
    • For a Linux operating system, run the following command:
      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
      chmod a+x ali-instance-cli
    • For a macOS operating system, run the following command:
      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
      chmod a+x ali-instance-cli
  3. Optional: Create a file named config and add configurations to the file.
    If you want to use the ID of the instance to connect to the instance, perform this step.
    1. Create the .ssh directory in the current working directory. In this example, /home/test is used as the working directory.
      mkdir .ssh
    2. Switch to the .ssh directory.
      cd .ssh
    3. Create and open the config file.
      vim config
    4. Press the I key to enter the edit mode.
    5. Add the following content to the config file.
      Note Replace ali-instance-cli in the following command with the absolute path of ali-instance-cli. In this example, /home/test/ali-instance-cli is used.
      host i-*
          ProxyCommand sh -c "ali-instance-cli ssh -i '%h' --port  '%p'" 
    6. Press the Esc key to exit the edit mode.
    7. Enter :wq and press the Enter key to save and close the file.
    8. Grant the execute permissions on the config file.
      chmod 755 config
  4. Configure an AccessKey pair or an STS token.
    For information about how to obtain an AccessKey pair or STS token, see Obtain an AccessKey pair or What is STS?
    1. Switch to the test directory.
      cd /home/test
    2. Configure an authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication
        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:
        ./ali-instance-cli configure --mode AK
      • STS token-based authentication
        Note Replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
        ./ali-instance-cli configure set --mode StsToken --region "region" --access-key-id "ak"  --access-key-secret "sk"   --sts-token "token"
      A command output similar to the following one indicates that the AccessKey pair-based authentication method is configured.
      [Figure: Authentication method configured]
  5. Run the following command on the session management client to generate a Rivest-Shamir-Adleman (RSA) public key and key file:
    ssh-keygen -t rsa
    Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.
    [Figure: Generate a public key]
    Note The default path of the generated public key is ~/.ssh/id_rsa.pub.
  6. Run the following command in the session management client to send the public key to the instance:
    ./ali-instance-cli send_public_key --instance <instance-id> --public-key "<Content or path of the public key file>" --user-name testuser
    Note The --user-name parameter specifies the user for whom the public key is registered. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists in the instance.
  7. Run one of the following SSH commands to connect to an instance without a password.

    You can use the public IP address or ID of the instance to connect to the instance without a password.

    • Use the public IP address of the instance.
      ssh -i ~/.ssh/id_rsa testuser@instance_ip
      Note In actual scenarios, replace ~/.ssh/id_rsa with the actual path of your public key, instance_ip with the public IP address of the instance to which you want to connect, and testuser with the username that you want to use to connect to the instance.
    • Use the ID of the instance.
      ssh -i ~/.ssh/id_rsa testuser@instance_id
      Note In actual scenarios, replace ~/.ssh/id_rsa with the actual path of your public key, instance_id with the ID of the instance to which you want to connect, and testuser with the username that you want to use to connect to the instance.
    A command output similar to the following one indicates that you are connected to the instance over SSH by using session management.
    [Figure: Instance connected]
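
Steps 6 and 7 above as a POSIX shell wrapper that refuses to send anything that is not a public key file, restricts the instance ID that ends up in the ProxyCommand line, and connects only inside the 60-second window. This is an added example, not part of the original page or of ali-instance-cli; the function names, the ALI_CLI and SSH_BIN variables, and the instance ID shape are assumptions.

```shell
#!/bin/sh
# Added example. ALI_CLI and SSH_BIN are assumed override variables for this
# script, not ali-instance-cli settings.
ALI_CLI="${ALI_CLI:-/home/test/ali-instance-cli}"
SSH_BIN="${SSH_BIN:-ssh}"
KEY_TTL=60   # seconds the registered public key stays valid (from the page)

# The instance ID is expanded as %h inside the ProxyCommand shell line, so
# accept only "i-" plus lowercase letters and digits (assumed ID shape).
is_instance_id() {
    case "$1" in
        i-|i-*[!a-z0-9]*) return 1 ;;
        i-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Shape check only: the first line looks like an OpenSSH public key and the
# file holds no private key material (catches id_rsa passed for id_rsa.pub).
is_public_key_file() (
    [ -f "$1" ] || exit 1
    if grep -q 'PRIVATE KEY' "$1"; then exit 1; fi
    IFS= read -r first < "$1" || [ -n "$first" ] || exit 1
    case "$first" in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) exit 0 ;;
        *) exit 1 ;;
    esac
)

# Return 0 while a key sent at epoch $1 is still valid at epoch $2.
within_window() { [ $(( $2 - $1 )) -lt "$KEY_TTL" ]; }

# send_key <instance-id> <user> <public-key-file>; prints the send time (epoch).
send_key() (
    is_instance_id "$1" || { echo "bad instance id: $1" >&2; exit 2; }
    is_public_key_file "$3" || { echo "not a public key: $3" >&2; exit 3; }
    "$ALI_CLI" send_public_key --instance "$1" --public-key "$3" \
        --user-name "$2" >&2 || exit 4
    date +%s
)

# connect_if_fresh <sent-epoch> <instance-id> <user> <private-key-file>
connect_if_fresh() (
    within_window "$1" "$(date +%s)" || { echo "key window lapsed; resend" >&2; exit 5; }
    "$SSH_BIN" -i "$4" "$3@$2"
)
# Usage: sent=$(send_key <instance-id> testuser ~/.ssh/id_rsa.pub) &&
#        connect_if_fresh "$sent" <instance-id> testuser ~/.ssh/id_rsa
```

Connecting by instance ID relies on the host i-* entry from step 3 being present in the SSH config.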

Windows operating systems

Before you use a session management client that runs a Windows operating system to connect to an ECS instance, make sure that OpenSSH is installed on the client. For more information, see Use Cloud Assistant to install OpenSSH on an ECS Windows instance.

  1. Log on to a session management client.
  2. Download ali-instance-cli to the session management client.
    • Use the OpenSSH client to download ali-instance-cli.
      Invoke-WebRequest -Uri "https://aliyun-client-assist.oss-cn-beijing.aliyuncs.com/session-manager/windows/ali-instance-cli.exe" -OutFile <destination>
      Note Replace <destination> with the path to which ali-instance-cli is downloaded.
    • Use a browser to download ali-instance-cli.

      Download and save ali-instance-cli.exe for Windows to a folder on the local computer. In this example, C:\Users\test is used.

  3. Optional: Create a file named config and add configurations to the file.
    If you want to use the ID of the instance to connect to the instance, perform this step.
    1. In the C:\Users\<Username> folder, create a folder named .ssh.
      Note Replace C:\Users\<Username> with the actual folder. In this example, C:\Users\test is used.
    2. In the .ssh folder, create a file named config.
    3. Add the following content to the config file.

      Replace ali-instance-cli.exe with the absolute path of the ali-instance-cli.exe file. In this example, C:\Users\test\ali-instance-cli.exe is used.

      host i-*
          ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "ali-instance-cli.exe ssh -i '%h' --port  '%p'"
  4. Configure an AccessKey pair or an STS token.
    For information about how to obtain an AccessKey pair and STS token, see Obtain an AccessKey pair and What is STS?
    1. Choose Start > Run, enter cmd, and then press the Enter key to open the Command Prompt window.
    2. Switch to the test directory.
      cd C:\Users\test
    3. Configure an authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication
        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:
        .\ali-instance-cli.exe configure --mode AK
      • STS token-based authentication
        Note Replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
        .\ali-instance-cli.exe configure set --mode StsToken --region "region" --access-key-id "ak"  --access-key-secret "sk"   --sts-token "token"

      A command output similar to the following one indicates that the AccessKey pair-based authentication method is configured.

      [Figure: Authentication method configured]
  5. Run the following command on the session management client to generate an RSA public key and key file:
    ssh-keygen -t rsa
    Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.
    [Figure: Generate the private key]
    Note The default path of the generated public key is C:\Users\Administrator/.ssh/id_rsa.pub.
  6. Run the following command in the session management client to send the public key to the instance:
    .\ali-instance-cli.exe send_public_key --instance <instance-id> --public-key "<Content or path of the public key file>" --user-name testuser
    Note The --user-name parameter specifies the user for whom the public key is registered. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists in the instance.
  7. Run one of the following SSH commands to connect to an instance without a password.
    • Use the public IP address of the instance.
      ssh -i ~/.ssh/id_rsa testuser@instance_ip
      Note In actual scenarios, replace ~/.ssh/id_rsa with the actual path of your public key, instance_ip with the public IP address of the instance to which you want to connect, and testuser with the username that you want to use to connect to the instance.
    • Use the ID of the instance.
      ssh -i ~/.ssh/id_rsa testuser@instance_id
      Note In actual scenarios, replace ~/.ssh/id_rsa with the actual path of your public key, instance_id with the ID of the instance to which you want to connect, and testuser with the username that you want to use to connect to the instance.
    A command output similar to the following one indicates that you are connected to the instance over SSH by using session management.
    [Figure: Instance connected]