Elastic Compute Service: Register a public key and connect to an instance with the key by using ali-instance-cli

Last Updated: Sep 14, 2023

This topic describes how to run the send_public_key subcommand of ali-instance-cli to register a public key and connect to an Elastic Compute Service (ECS) instance with the key instead of a password.

Prerequisites

Background information

You can run the send_public_key subcommand of ali-instance-cli to send an SSH public key to an instance for use by specified users. The SSH public key remains valid for 60 seconds. During these 60 seconds, you can use the SSH public key to connect to the instance as the specified users without a password.

Session Manager Client supports Linux, macOS, and Windows operating systems and is used differently on these operating systems. For more information, see the following sections in this topic:

Linux or macOS operating systems

Note

In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

  1. Log on to Session Manager Client.

  2. Install ali-instance-cli on Session Manager Client.

    Run one of the following commands to install ali-instance-cli based on the operating system.

    • For a Linux operating system, run the following command:

      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
      chmod a+x ali-instance-cli
    • For a macOS operating system, run the following command:

      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
      chmod a+x ali-instance-cli
  3. (Optional) Create a file named config and add configurations to the file.

    If you want to use the ID of an instance to connect to the instance, perform this step.

    1. Create the .ssh directory in the current working directory. In this example, /home/test is used as the working directory.

      mkdir .ssh
    2. Switch to the .ssh directory.

      cd .ssh
    3. Create and open the config file.

      vim config
    4. Press the I key to enter Insert mode.

    5. Add content to the config file.

      Note

      Replace ali-instance-cli in the following command with the absolute path of the ali-instance-cli file. In this example, /home/test/ali-instance-cli is used.

      host i-*
          ProxyCommand sh -c "ali-instance-cli ssh -i '%h' --port '%p'"
    6. Press the Esc key to exit Insert mode.

    7. Enter :wq and press the Enter key to save and exit the file.

    8. Grant the execute permissions on the config file.

      chmod 755 config
  4. Configure an AccessKey pair or a Security Token Service (STS) token.

    For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

    1. Switch to the test directory.

      cd /home/test
    2. Configure the authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication

        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:

        ./ali-instance-cli configure --mode AK
      • STS token-based authentication

        Note

        In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.

        ./ali-instance-cli configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"

      A command output similar to the following one indicates that the authentication method is configured.

  5. Run the following command in Session Manager Client to generate an RSA public key and key file:

    ssh-keygen -t rsa

    Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.

    Note

    The default path of the generated public key is ~/.ssh/id_rsa.pub.

  6. Run the following command in Session Manager Client to send the public key to the instance to which you want to connect:

    ./ali-instance-cli send_public_key --instance <instance-id> --public-key "<On-premises public key file or the path of the on-premises public key file>" --user-name testuser
    Note

    The --user-name parameter specifies the user on the instance for whom the public key is registered. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists on the instance.

  7. Run one of the following SSH commands to connect to the instance with the public key instead of a password.

    You can use the public IP address or ID of the instance to connect to the instance with the public key instead of a password.

    • Use the public IP address of the instance to connect to the instance.

      ssh -i ~/.ssh/id_rsa testuser@instance_ip
      Note

      Replace ~/.ssh/id_rsa with the actual key file path, instance_ip with the IP address of the instance that you want to connect to, and testuser with the username that you use for the connection.

    • Use the ID of the instance to connect to the instance.

      ssh -i ~/.ssh/id_rsa testuser@instance_id
      Note

      Replace ~/.ssh/id_rsa with the actual key file path, instance_id with the ID of the instance that you want to connect to, and testuser with the username that you use for the connection.

    The following command output indicates that you are connected to the instance over SSH by using Session Manager.
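Steps 6 and 7 above have to complete inside the 60-second validity window noted in the FAQ. The following wrapper is an added example, not part of the original documentation: it re-sends the public key only when the previous registration is about to lapse, then connects by instance ID. It assumes the `host i-*` entry from step 3 and the example path /home/test/ali-instance-cli; the stamp directory, the 10-second margin and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. ALI_CLI, SSH_BIN, STAMP_DIR,
# KEY_MARGIN and the function names are hypothetical; adjust paths to your host.
ALI_CLI="${ALI_CLI:-/home/test/ali-instance-cli}"  # absolute path, as in step 3
SSH_BIN="${SSH_BIN:-ssh}"
STAMP_DIR="${STAMP_DIR:-$HOME/.ssh/send-key-stamps}"
KEY_TTL=60     # seconds a registered public key stays valid (from this topic)
KEY_MARGIN=10  # assumed allowance for the time the SSH handshake itself takes

# Succeeds if a key registered at epoch $1 is still safely usable at epoch $2.
key_window_open() {
  [ $(( $2 - $1 )) -lt $(( KEY_TTL - KEY_MARGIN )) ]
}

# Send <key>.pub for <user> unless the last send is still inside the window.
# usage: ensure_key_registered <instance-id> <user> <private-key-path>
ensure_key_registered() {
  ekr_stamp="$STAMP_DIR/$1.$2"
  if [ -r "$ekr_stamp" ] &&
     key_window_open "$(cat "$ekr_stamp")" "$(date +%s)"; then
    return 0
  fi
  [ -r "$3.pub" ] || { echo "missing public key: $3.pub" >&2; return 2; }
  "$ALI_CLI" send_public_key --instance "$1" --public-key "$3.pub" \
    --user-name "$2" || return 3
  mkdir -p "$STAMP_DIR" && date +%s > "$ekr_stamp"
}

# Connect by instance ID; relies on the "host i-*" ProxyCommand entry (step 3).
# usage: connect_ephemeral <instance-id> <user> <private-key-path>
connect_ephemeral() {
  case "$1" in
    i-*[!A-Za-z0-9-]*) echo "unexpected instance ID: $1" >&2; return 2 ;;
    i-?*) ;;
    *) echo "not an instance ID: $1" >&2; return 2 ;;
  esac
  ensure_key_registered "$1" "$2" "$3" || return
  # BatchMode=yes makes an expired key fail immediately instead of dropping
  # to the password prompt covered in the FAQ; IdentitiesOnly=yes offers only
  # the key that was just registered.
  "$SSH_BIN" -i "$3" -o IdentitiesOnly=yes -o BatchMode=yes "$2@$1"
}
```

Source the file and call `connect_ephemeral <instance-id> testuser ~/.ssh/id_rsa`. The stamp file is only a client-side hint; the instance remains the authority on whether the key is still accepted.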

Windows operating systems

Before you use Session Manager Client on your Windows computer to connect to an instance, make sure that OpenSSH is installed on the computer. For information about how to install OpenSSH on a Windows operating system, see Use the Cloud Assistant Agent to install OpenSSH on a Windows ECS instance.

Note

In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

  1. Log on to Session Manager Client.

  2. Download and install ali-instance-cli on Session Manager Client.

    Run one of the following commands to install ali-instance-cli based on the operating system.

    • Use the OpenSSH client to download ali-instance-cli.

      Invoke-WebRequest -Uri "https://aliyun-client-assist.oss-cn-beijing.aliyuncs.com/session-manager/windows/ali-instance-cli.exe" -OutFile <destination>
      Note

      Replace <destination> with the path to which ali-instance-cli is downloaded.

    • Use a browser to download ali-instance-cli.

      Download and save ali-instance-cli.exe for Windows to a directory on your computer. In this example, the C:\Users\test directory is used.

  3. (Optional) Create a file named config and add configurations to the file.

    If you want to use the ID of the instance to connect to the instance, perform this step.

    1. In the C:\Users\<Username> directory, create a folder named .ssh.

      Note

      Replace C:\Users\<Username> with the actual directory. In this example, C:\Users\test is used.

      1. In the lower-left corner of the desktop, click the search icon and enter Windows PowerShell.

      2. Click Windows PowerShell.

      3. In the C:\Users\username directory, run the mkdir .ssh command to create a folder named .ssh.

    2. In the .ssh folder, create a file named config.

      Important

      The config file name cannot include an extension.

    3. Add content to the config file.

      Replace ali-instance-cli.exe in the following command with the absolute path of the ali-instance-cli file. In this example, C:\Users\test\ali-instance-cli.exe is used.

      host i-*
          ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "ali-instance-cli.exe ssh -i '%h' --port '%p'"
  4. Configure an AccessKey pair or an STS token.

    For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

    1. Choose Start > Run to open the Run dialog box. Enter cmd and press the Enter key to open the command prompt window.

    2. Switch to the test directory.

      cd C:\Users\test
    3. Configure the authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication

        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:

        .\ali-instance-cli.exe configure --mode AK
      • STS token-based authentication

        Note

        In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.

        .\ali-instance-cli.exe configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"

      A command output similar to the following one indicates that the authentication method is configured.

  5. Run the following command in Session Manager Client to generate an RSA public key and key file:

    ssh-keygen -t rsa

    Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.

    Note

    The default path of the generated public key is C:\Users\Administrator/.ssh/id_rsa.pub.

  6. Run the following command in Session Manager Client to send the public key to the instance to which you want to connect:

    .\ali-instance-cli.exe send_public_key --instance <instance-id> --public-key "<On-premises public key file or the path of the on-premises public key file>" --user-name testuser
    Note

    The --user-name parameter specifies the user on the instance for whom the public key is registered. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists on the instance.

  7. Run one of the following SSH commands to connect to the instance with the public key instead of a password.

    • Use the public IP address of the instance to connect to the instance.

      ssh -i ~/.ssh/id_rsa testuser@instance_ip
      Note

      Replace ~/.ssh/id_rsa with the actual key file path, instance_ip with the IP address of the instance that you want to connect to, and testuser with the username that you use for the connection.

    • Use the ID of the instance to connect to the instance.

      ssh -i ~/.ssh/id_rsa testuser@instance_id
      Note

      Replace ~/.ssh/id_rsa with the actual key file path, instance_id with the ID of the instance that you want to connect to, and testuser with the username that you use for the connection.

    The following command output indicates that you are connected to the instance over SSH by using Session Manager.

FAQ

Why am I still prompted for a password when I attempt to connect to an instance in password-free mode?

A public key is valid for only 60 seconds after it is registered with an instance. Check whether your public key is expired.