This topic describes how to use the config_ecs_instance_connect plug-in to connect
to an Elastic Compute Service (ECS) instance that runs a Linux operating system.
Prerequisites
- The session management feature is enabled for the ECS instance to which you want to
connect in your Alibaba Cloud account. For more information, see Connect to an instance by using session management.
- The Cloud Assistant client is installed on the ECS instance, and the version of the
client supports session management. If an instance runs a Linux operating system,
the installed client version must be 2.2.3.196 or later. If an instance runs a Windows
operating system, the installed client version must be 2.1.3.196 or later. For more
information, see Install the Cloud Assistant client.
- The ECS instance runs a Linux operating system.
Background information
You can use the config_ecs_instance_connect plug-in and a common Cloud Assistant command
to send an SSH public key to a specified instance for a specified user to use. The
SSH public key is stored on the instance for 60 seconds. During these 60 seconds,
you can use the SSH public key to log on to the instance as the specified user without
a password.
Procedure
- Run the following command on a session management client to generate a Rivest-Shamir-Adleman
(RSA) public key and key file:
ssh-keygen -t rsa
Press the Enter key as prompted. A command output similar to the following one indicates
that the public key and key file are generated.

Note: The default path of the generated public key is ~/.ssh/id_rsa.pub.
- Use Cloud Assistant to run the following command to install and enable the config_ecs_instance_connect
plug-in on the instance to which you want to connect.
For more information, see Run a command.
acs-plugin-manager -e -P config_ecs_instance_connect --params --install
- Send the SSH public key to the instance.
You can use one of the following methods to send the SSH public key to the instance:
- Call API operations.
- Call the DescribeCommands operation to query the common Cloud Assistant command named
ACS-ECS-SendSshPublicKey-linux.sh.

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.exceptions.ServerException;
    import com.aliyuncs.profile.DefaultProfile;
    import com.google.gson.Gson;
    import java.util.*;
    import com.aliyuncs.ecs.model.v20140526.*;

    public class DescribeCommands {
        public static void main(String[] args) {
            // Placeholders: supply your AccessKey pair at run time rather than hard-coding it.
            DefaultProfile profile = DefaultProfile.getProfile("cn-beijing", "<accessKeyId>", "<accessSecret>");
            IAcsClient client = new DefaultAcsClient(profile);

            // Query the common command published by Alibaba Cloud, by name.
            DescribeCommandsRequest request = new DescribeCommandsRequest();
            request.setRegionId("cn-beijing");
            request.setProvider("AlibabaCloud");
            request.setName("ACS-ECS-SendSshPublicKey-linux.sh");

            try {
                DescribeCommandsResponse response = client.getAcsResponse(request);
                System.out.println(new Gson().toJson(response));
            } catch (ServerException e) {
                e.printStackTrace();
            } catch (ClientException e) {
                System.out.println("ErrCode:" + e.getErrCode());
                System.out.println("ErrMsg:" + e.getErrMsg());
                System.out.println("RequestId:" + e.getRequestId());
            }
        }
    }

In the response, find the array in which the Latest value is true and obtain the CommandId value.

    {
        "TotalCount": 1,
        "PageSize": 10,
        "RequestId": "8D7DC6FF-6849-5927-XXXX-FBE1027FEFDE",
        "PageNumber": 1,
        "Commands": {
            "Command": [
                {
                    "Description": "Sends SSH public keys.",
                    "Category": "Alibaba Cloud-ECS-Application Installation",
                    "ParameterNames": {
                        "ParameterName": [
                            "username",
                            "sshpublickey"
                        ]
                    },
                    "Timeout": 60,
                    "Provider": "AlibabaCloud.ECS.Applications",
                    "Name": "ACS-ECS-SendSshPublicKey-linux.sh",
                    "WorkingDir": "",
                    "CommandContent": "c2VuZF9zc2hfcHVibGljX2tleSAtLXVzZXJuYW1lIHt7dXNlcm5hbWV9fSAtLXNzaC1wdWJsaWMta2V5IHt7c3NoUHVibGljS2V5****",
                    "Type": "RunShellScript",
                    "Version": 1,
                    "InvokeTimes": 40,
                    "CreationTime": "2022-04-13T07:28Z",
                    "Latest": true,
                    "EnableParameter": true,
                    "CommandId": "c-xxxxxx"
                }
            ]
        }
    }

- Call the InvokeCommand operation to send the SSH public key to the instance to which
you want to connect.
Take note of the following parameters. For more information about the parameters of
the InvokeCommand operation, see InvokeCommand.
- CommandId: the ID of the command. Set the value to the CommandId value obtained in
the previous step.
- username: the username used to connect to the instance. Default value: root.
- sshpublickey: required. The content of the SSH public key. Set the value to the content
of the id_rsa.pub file generated in Step 1.

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.exceptions.ServerException;
    import com.aliyuncs.profile.DefaultProfile;
    import com.google.gson.Gson;
    import java.util.*;
    import com.aliyuncs.ecs.model.v20140526.*;

    public class InvokeCommand {
        public static void main(String[] args) {
            // Placeholders: supply your AccessKey pair at run time rather than hard-coding it.
            DefaultProfile profile = DefaultProfile.getProfile("cn-beijing", "<accessKeyId>", "<accessSecret>");
            IAcsClient client = new DefaultAcsClient(profile);

            InvokeCommandRequest request = new InvokeCommandRequest();
            request.setRegionId("cn-beijing");
            // CommandId obtained from the DescribeCommands response.
            request.setCommandId("c-xxxxxx");

            // Instance to which the SSH public key is sent.
            List<String> instanceIdList = new ArrayList<String>();
            instanceIdList.add("i-xxxxxx");
            request.setInstanceIds(instanceIdList);

            // Parameters is a JSON string; sshpublickey is the content of id_rsa.pub.
            request.setParameters("{\"username\":\"root\", \"sshpublickey\":\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDftEm8H5A19FXv5SCVzHqmS9vg+8B4wsp9M/U/vKwPMlM0fJr8Z52ErGnEnpFA24hLSf/Ffpht19tp+QtsYhVcg xxx\"}");

            try {
                InvokeCommandResponse response = client.getAcsResponse(request);
                System.out.println(new Gson().toJson(response));
            } catch (ServerException e) {
                e.printStackTrace();
            } catch (ClientException e) {
                System.out.println("ErrCode:" + e.getErrCode());
                System.out.println("ErrMsg:" + e.getErrMsg());
                System.out.println("RequestId:" + e.getRequestId());
            }
        }
    }

- Use Cloud Assistant.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Click the Common Commands tab.
- Find ACS-ECS-SendSshPublicKey-linux.sh in the Command Name/ID column and click Create Task in the Actions column.
- In the Create Task panel, configure parameters.
- Take note of the following parameters:
- username: the username used to connect to the instance. Default value: root.
- sshpublickey: required. The content of the SSH public key. Set the value to the content of the id_rsa.pub file generated in Step 1.
- Select Instances: Select the instance to which you want to connect.

- Click Create Task.
- Connect to the instance without a password.
You can use the public IP address or ID of the instance to connect to the instance
without a password.
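
The API path above, as an added example (not Alibaba Cloud's code): Python that picks the CommandId whose Latest value is true from a DescribeCommands response and builds the InvokeCommand Parameters string with a JSON encoder instead of hand-escaped quotes. The sample response, the sample key, the username pattern and the choice to drop the key comment are assumptions made for this example.

```python
import base64, json, re, struct

NAME = "ACS-ECS-SendSshPublicKey-linux.sh"
# Constructed sample shaped like the DescribeCommands response above (IDs are made up).
SAMPLE_RESPONSE = {"Commands": {"Command": [
    {"Name": NAME, "Latest": False, "CommandId": "c-old"},
    {"Name": NAME, "Latest": True, "CommandId": "c-new"},
]}}
# Constructed, unusable key: a valid type prefix followed by zero bytes.
SAMPLE_KEY = ("ssh-rsa "
              + base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + bytes(16)).decode()
              + " user@laptop")

def latest_command_id(response, name=NAME):
    """Return the CommandId of the one entry whose Latest value is true."""
    hits = [c["CommandId"] for c in response["Commands"]["Command"]
            if c.get("Name") == name and c.get("Latest") is True]
    if len(hits) != 1:
        raise ValueError(f"expected one latest {name}, found {len(hits)}")
    return hits[0]

def check_public_key(line):
    """Accept one OpenSSH public key line; reject anything else (e.g. a private key file)."""
    text = line.strip()
    fields = text.split(None, 2)
    if "\n" in text or len(fields) < 2:
        raise ValueError("expected a single '<type> <base64> [comment]' line")
    key_type, blob_b64 = fields[0], fields[1]
    blob = base64.b64decode(blob_b64, validate=True)  # raises ValueError on bad base64
    # The decoded blob begins with a 4-byte length and a copy of the key type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    # Assumption: drop the trailing comment, which by default is user@host.
    return f"{key_type} {blob_b64}"

def build_parameters(public_key_line, username="root"):
    """Build the Parameters JSON string for InvokeCommand (username, sshpublickey)."""
    # Assumption: a conservative pattern for Linux account names.
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError("unexpected characters in username")
    return json.dumps({"username": username,
                       "sshpublickey": check_public_key(public_key_line)})

if __name__ == "__main__":
    print(latest_command_id(SAMPLE_RESPONSE))
    print(build_parameters(SAMPLE_KEY))
```

Pass the returned string as the Parameters value of InvokeCommand, then connect within the 60 seconds that the key stays on the instance.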
FAQ
When I attempt to connect to the instance in password-free mode, why am I still prompted
for a password?
A public key remains valid for only 60 seconds after it is registered with an instance.
Check whether your public key has expired.
An error is reported when I install the config_ecs_instance_connect plug-in by using
Cloud Assistant or use the common Cloud Assistant command. How do I identify the issue?
You can view logs to identify the issue.