This topic describes how to run the send_public_key subcommand of ali-instance-cli to register a public key and connect to an Elastic Compute Service (ECS) instance with the key instead of a password.
Prerequisites
The ECS instance that you want to connect runs a Linux operating system and has Cloud Assistant Agent version 2.2.3.256 or later installed. For more information, see Install Cloud Assistant Agent and Upgrade or disable upgrades for the Cloud Assistant Agent.
Session Manager is enabled for the account to which the instance belongs. For more information, see Connect to an instance by using Session Manager.
Background information
You can run the send_public_key subcommand of ali-instance-cli to send an SSH public key to an instance for use by specified users. The SSH public key remains valid for 60 seconds. During these 60 seconds, you can use the SSH public key to connect to the instance as the specified users without a password.
Session Manager Client supports Linux, macOS, and Windows operating systems and is used differently on these operating systems. For more information, see the following sections in this topic:
Linux or macOS operating systems
In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.
Log on to Session Manager Client.
Install ali-instance-cli on Session Manager Client.
Run one of the following commands to install ali-instance-cli based on the operating system.
For a Linux operating system, run the following command:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli chmod a+x ali-instance-cli
For a macOS operating system, run the following command:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli chmod a+x ali-instance-cli
(Optional) Create a file named
config
and add configurations to the file.If you want to use the ID of an instance to connect to the instance, perform this step.
Create the
.ssh
directory in the current working directory. In this example, /home/test is used as the working directory.mkdir .ssh
Switch to the
.ssh
directory.cd .ssh
Create and open the
config
file.vim config
Press the
I
key to enter Insert mode.Add content to the
config
file.NoteReplace ali-instance-cli in the following command with the absolute path of the ali-instance-cli file. In this example,
/home/test/ali-instance-cli
is used.host i-* ProxyCommand sh -c "ali-instance-cli ssh -i '%h' --port '%p'"
Press the
Esc
key to exit Insert mode.Enter
:wq
and press theEnter
key to save and exit the file.Grant the execute permissions on the
config
file.chmod 755 config
Configure an AccessKey pair or a Security Token Service (STS) token.
For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?
Switch to the test directory.
cd /home/test
Configure the authentication method.
The following authentication methods are supported:
AccessKey pair-based authentication
Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:
./ali-instance-cli configure --mode AK
STS token-based authentication
NoteIn the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
./ali-instance-cli configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"
A command output similar to the following one indicates that the authentication method is configured.
Run the following command in Session Manager Client to generate an RSA public key and key file:
ssh-keygen -t rsa
Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.
NoteThe default path of the generated public key is ~/.ssh/id_rsa.pub.
Run the following command in Session Manager Client to send the public key to the instance to which you want to connect:
./ali-instance-cli send_public_key --instance <instance-id> --public-key "<On-premises public key file or the path of the on-premises public key file>" --user-name testuser
NoteThe --user-name parameter specifies the username of the specified public key. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists in the instance.
Run one of the following SSH commands to connect to the instance with the public key instead of a password.
You can use the public IP address or ID of the instance to connect to the instance with the public key instead of a password.
Use the public IP address of the instance to connect to the instance.
ssh -i ~/.ssh/id_rsa testuser@instance_ip
NoteReplace ~/.ssh/id_rsa with the actual key file path, instance_ip with the IP address of the instance that you want to connect to, and testuser with the username that you use for the connection.
Use the ID of the instance to connect to the instance.
ssh -i ~/.ssh/id_rsa testuser@instance_id
NoteReplace ~/.ssh/id_rsa with the actual key file path, instance_id with the ID of the instance that you want to connect to, and testuser with the username that you use for the connection.
The following command output indicates that you are connected to the instance over SSH by using Session Manager.
Windows operating systems
Before you use Session Manager Client on your Windows computer to connect to an instance, make sure that OpenSSH is installed on the computer. For information about how to install OpenSSH on a Windows operating system, see Use the Cloud Assistant Agent to install OpenSSH on a Windows ECS instance.
In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.
Log on to Session Manager Client.
Download and install ali-instance-cli on Session Manager Client.
Run one of the following commands to install ali-instance-cli based on the operating system.
Use the OpenSSH client to download ali-instance-cli.
Invoke-WebRequest -Uri "https://aliyun-client-assist.oss-cn-beijing.aliyuncs.com/session-manager/windows/ali-instance-cli.exe" -OutFile <destination>
NoteReplace <destination> with the path to which ali-instance-cli is downloaded.
Use a browser to download ali-instance-cli.
Download and save ali-instance-cli.exe for Windows to a directory on your computer. In this example, the
C:\Users\test
directory is used.
(Optional) Create a file named
config
and add configurations to the file.If you want to use the ID of the instance to connect to the instance, perform this step.
In the C:\Users\<Username> directory, create a folder named
.ssh
.NoteReplace C:\Users\<Username> with the actual directory. In this example,
C:\Users\test
is used.In the lower-left corner of the desktop, click the icon and enter
Windows PowerShell
.Click Windows PowerShell.
In the C:\Users\username directory, run the
mkdir .ssh
command to create a folder named.ssh
.
In the
.ssh
folder, create a file namedconfig
.ImportantThe
config
file name cannot include an extension.Add content to the
config
file.Replace ali-instance-cli.exe in the following command with the absolute path of the ali-instance-cli file. In this example,
C:\Users\test\ali-instance-cli.exe
is used.host i-* ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "ali-instance-cli.exe ssh -i '%h' --port '%p'"
Configure an AccessKey pair or a STS token.
For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?
Choose
to open the Run dialog box. Enter cmd and press theEnter
to open the command prompt window.Switch to the test directory.
cd C:\Users\test
Configure the authentication method.
The following authentication methods are supported:
AccessKey pair-based authentication
Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:
.\ali-instance-cli.exe configure --mode AK
STS token-based authentication
NoteIn the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
.\ali-instance-cli.exe configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"
A command output similar to the following one indicates that the authentication method is configured.
Run the following command in Session Manager Client to generate an RSA public key and key file:
ssh-keygen -t rsa
Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated.
NoteThe default path of the generated public key is C:\Users\Administrator/.ssh/id_rsa.pub.
Run the following command in Session Manager Client to send the public key to the instance to which you want to connect:
./ali-instance-cli send_public_key --instance <instance-id> --public-key "<On-premises public key file or the path of the on-premises public key file>" --user-name testuser
NoteThe --user-name parameter specifies the username of the specified public key. In this example, --user-name is set to testuser. If you do not specify a username, the parameter is set to root by default. If you specify a username, make sure that the specified username exists in the instance.
Run one of the following SSH commands to connect to the instance with the public key instead of a password.
Use the public IP address of the instance to connect to the instance.
ssh -i ~/.ssh/id_rsa testuser@instance_ip
NoteReplace ~/.ssh/id_rsa with the actual key file path, instance_ip with the IP address of the instance that you want to connect to, and testuser with the username that you use for the connection.
Use the ID of the instance to connect to the instance.
ssh -i ~/.ssh/id_rsa testuser@instance_id
NoteReplace ~/.ssh/id_rsa with the actual key file path, instance_id with the ID of the instance that you want to connect to, and testuser with the username that you use for the connection.
The following command output indicates that you are connected to the instance over SSH by using Session Manager.
FAQ
Why am I still prompted for a password when I attempt to connect to an instance in password-free mode?
A public key is valid for only 60 seconds after it is registered with an instance. Check whether your public key is expired.