This topic describes how to use the config_ecs_instance_connect plug-in to connect to an Elastic Compute Service (ECS) instance that runs a Linux operating system.

Prerequisites

  • Session Manager is enabled for the ECS instance to which you want to connect in your Alibaba Cloud account. For more information, see Connect to an instance by using Session Manager.
  • The Cloud Assistant client is installed on the ECS instance, and the version of the client supports Session Manager. If the instance runs a Linux operating system, the installed client version must be 2.2.3.196 or later. If the instance runs a Windows operating system, the installed client version must be 2.1.3.196 or later. For more information, see Install the Cloud Assistant client.
  • The ECS instance runs a Linux operating system.

Background information

You can use the config_ecs_instance_connect plug-in and a common Cloud Assistant command to send an SSH public key to a specified instance for a specified user to use. The SSH public key is stored on the instance for 60 seconds. During these 60 seconds, you can use the SSH public key to log on to the instance as the specified user without a password.

Procedure

  1. Run the following command on Session Manager Client to generate a Rivest-Shamir-Adleman (RSA) public key and key file:
    ssh-keygen -t rsa
    Press the Enter key as prompted. A command output similar to the following one indicates that the public key and key file are generated. Generate a public key
    Note The default path of the generated public key is ~/.ssh/id_rsa.pub.
  2. Use Cloud Assistant to run the following command to install and enable the config_ecs_instance_connect plug-in on the instance to which you want to connect.
    For more information, see Run a command.
    acs-plugin-manager -e -P config_ecs_instance_connect --params --install
  3. Send the SSH public key to the instance.
    You can use one of the following methods to send the SSH public key to the instance:
    • Call an API operation.

      Call the InvokeCommand operation to run the common command named ACS-ECS-SendSshPublicKey-linux.sh to send the public key to the instance.

      Take note of the following parameters. For more information about the parameters of the InvokeCommand operation, see InvokeCommand.
      • CommandId: the ID of the command. Set the value to ACS-ECS-SendSshPublicKey-linux.sh.
      • username: the username used to connect to the instance. Default value: root.
      • sshpublickey: required. The content of the SSH public key. Set the value to the content of the id_rsa.pub file generated in Step 1.
      import com.aliyuncs.DefaultAcsClient;
      import com.aliyuncs.IAcsClient;
      import com.aliyuncs.exceptions.ClientException;
      import com.aliyuncs.exceptions.ServerException;
      import com.aliyuncs.profile.DefaultProfile;
      import com.google.gson.Gson;
      import java.util.*;
      import com.aliyuncs.ecs.model.v20140526.*;
      
      public class InvokeCommand {
      
          public static void main(String[] args) {
              DefaultProfile profile = DefaultProfile.getProfile("cn-beijing", "<accessKeyId>", "<accessSecret>");
              IAcsClient client = new DefaultAcsClient(profile);
      
              InvokeCommandRequest request = new InvokeCommandRequest();
              request.setRegionId("cn-beijing");
              request.setCommandId("ACS-ECS-SendSshPublicKey-linux.sh");
      
              List<String> instanceIdList = new ArrayList<String>();
              instanceIdList.add("i-xxxxxx");
              request.setInstanceIds(instanceIdList);
              request.setParameters("{\"username\":\"root\", \"sshpublickey\":\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDftEm8H5A19FXv5SCVzHqmS9vg+8B4wsp9M/U/vKwPMlM0fJr8Z52ErGnEnpFA24hLSf/Ffpht19tp+QtsYhVcg xxx\"}");
      
              try {
                  InvokeCommandResponse response = client.getAcsResponse(request);
                  System.out.println(new Gson().toJson(response));
              } catch (ServerException e) {
                  e.printStackTrace();
              } catch (ClientException e) {
                  System.out.println("ErrCode:" + e.getErrCode());
                  System.out.println("ErrMsg:" + e.getErrMsg());
                  System.out.println("RequestId:" + e.getRequestId());
              }
      
          }
      }
    • Use Cloud Assistant.
      1. Log on to the ECS console.
      2. In the left-side navigation pane, choose Maintenance & Monitoring > ECS Cloud Assistant.
      3. Click the Common Commands tab.
      4. Find ACS-ECS-SendSshPublicKey-linux.sh in the Command Name/ID column and click Create Task in the Actions column.
      5. In the Create Task panel, configure parameters.
        • Take note of the following parameters:
          • username: the username used to connect to the instance. Default value: root.
          • sshpublickey: required. The content of the SSH public key. Set the value to the content of the id_rsa.pub file generated in Step 1.
        • Select Instances: Select the instance to which you want to connect.
        Run a command
      6. Click Create Task.
  4. Connect to the instance without a password.
    You can use the public IP address or ID of the instance to connect to the instance without a password.
    • Connect to the instance by using its public IP address without a password.
      ssh -i ~/.ssh/id_rsa username@instance_ip 
      Note In the preceding command, replace ~/.ssh/id_rsa with the actual path of the private key, username with the username that you want to use to connect to the instance, and instance_ip with the public IP address of the instance.
    • Connect to the instance by using its ID without a password.
      ssh -i ~/.ssh/id_rsa username@instance_id 
      Note
      • Make sure that ali-instance-cli is installed on Session Manager Client. For more information, see Linux and macOS operating systems or Windows operating systems.
      • In the preceding command, replace ~/.ssh/id_rsa with the actual path of the private key, username with the username that you wan to use to connect to the instance, and instance_id with the ID of the instance.

FAQ

When I attempt to connect to the instance in password-free mode, why am I still prompted for a password?

A public key remains valid for only 60 seconds after it is registered with an instance. Check whether your public key has expired.

An error is reported when I install the config_ecs_instance_connect plug-in by using Cloud Assistant or by running a common Cloud Assistant command. How do I identify the issue?

You can view logs to identify the issue.
  • View logs of the Cloud Assistant client in the following path:
    /usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/aliyun_assist_main.log.*
  • View acs_plugin_manager logs in the following path:
    /usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/acs_plugin_manager.log