All Products
Search

This Product

    Elastic Compute Service:Connect to an instance over SSH by using ali-instance-cli

    Document Center

    Elastic Compute Service:Connect to an instance over SSH by using ali-instance-cli

    Last Updated:Jan 30, 2024

    Session Manager is a feature provided by Cloud Assistant that allows you to connect to Elastic Compute Service (ECS) instances in a secure and convenient manner. ali-instance-cli is a CLI tool provided by Session Manager. This topic describes how to use ali-instance-cli to connect to an ECS instance over SSH.

    Prerequisites

    • Cloud Assistant Agent is installed on the instance to which you want to connect. If the instance is a Windows instance, the installed Cloud Assistant Agent version must be 2.1.3.256 or later. If the instance is a Linux instance, the installed Cloud Assistant Agent version must be 2.2.3.256 or later. For information about how to install Cloud Assistant Agent, see Install Cloud Assistant Agent.

    • Session Manager is enabled. For information about how to enable Session Manager, see Connect to an instance by using Session Manager.

    Background information

    When you use ali-instance-cli to connect to an ECS instance over SSH, you need to only provide the ID and password of the instance and do not need to provide the public IP address or port number of the instance. Compared with SSH or Virtual Network Computing (VNC), Session Manager makes your connections to instances more secure and convenient. For more information about Session Manager, see Session Manager.

    Linux and macOS operating systems

    Note

    In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

    1. Log on to Session Manager Client.

    2. Install ali-instance-cli on Session Manager Client.

      Run one of the following commands based on the operating system to install ali-instance-cli.

      • Linux

        curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
chmod a+x ali-instance-cli

      • macOS:

        curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
chmod a+x ali-instance-cli

    3. Create a file named config and add configurations to the file.

      1. Create the .ssh directory in the working directory. In this example, /home/test is used as the working directory. 

        mkdir .ssh

      2. Switch to the .ssh directory. 

        cd .ssh

      3. Create and open the config file. 

        vim config

      4. Press the I key to enter Insert mode.

      5. Add content to the config file.

        Note

        Replace ali-instance-cli in the following command with the absolute path of the ali-instance-cli file. In this example, /home/test/ali-instance-cli is used. 

        host i-*
    ProxyCommand sh -c "ali-instance-cli ssh -i '%h' --port  '%p'"

      6. Press the Esc key to exit Insert mode.

      7. Enter :wq and press the Enter key to save and exit the file.

      8. Grant the execute permissions on the config file. 

        chmod 755 config

    4. Configure an AccessKey pair, a Security Token Service (STS) token, or CredentialsURI.

      For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

      1. Switch to the test directory. 

        cd /home/test

      2. Configure an authentication method.

        The following authentication methods are supported:

        • AccessKey pair-based authentication

          Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted: 

          ./ali-instance-cli configure --mode AK

        • STS token-based authentication

          Note

          In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token. 

          ./ali-instance-cli configure set --mode StsToken --region "region" --access-key-id "ak"  --access-key-secret "sk"   --sts-token "token"

        • CredentialsURI-based authentication

          Run the following command and specify CredentialsURI and RegionID as prompted.

          Note

          Set the CredentialsURI value to the IP address of the authentication server that you configure. 

          ./ali-instance-cli configure --mode=CredentialsURI

        The following command output indicates that the AccessKey pair-based authentication method is configured.鉴权成功.png

    5. Run an SSH command to connect to an instance.

      You can use a username-password pair or a key pair to connect to the instance.

      Note

      Replace user and aliyun instance id with the actual username and ID of the instance.

      • Password-based authentication

        ssh user@aliyun instance id

      • Key-based authentication

        ssh -i key.pem user@aliyun instance id

      The following command output indicates that you are connected to the instance over SSH by using Session Manager.连接实例

    Windows operating systems

    Before you use Session Manager Client on your Windows computer to connect to an instance, make sure that OpenSSH is installed on the computer. For information about how to install OpenSSH on a Windows operating system, see Use the Cloud Assistant Agent to install OpenSSH on a Windows ECS instance.

    Note

    In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

    1. Log on to Session Manager Client.

      For more information, see Connection method overview.

    2. Download ali-instance-cli on Session Manager Client.

      Download and save ali-instance-cli.exe for Windows to a directory on your computer. In this example, the C:\Users\test directory is used.

    3. Create a file named config and add configurations to the file.

      1. In the C:\Users\<Username> directory, create a folder named .ssh.

        Note

        Replace C:\Users\<Username> with the actual directory. In this example, C:\Users\test is used.

        1. In the lower-left corner of the desktop, click the win2016 搜索.png icon and enter Windows PowerShell.

        2. Click Windows PowerShell.

        3. In the C:\Users\username directory, run the mkdir .ssh command to create a folder named .ssh.

      2. In the .ssh folder, create a file named config.

        Important

        The config file name cannot include an extension.

      3. Add content to the config file.

        Replace ali-instance-cli.exe in the following command with the absolute path of the ali-instance-cli file. In this example, C:\Users\test\ali-instance-cli.exe is used. 

        host i-*
    ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "ali-instance-cli.exe ssh -i '%h' --port  '%p'"

    4. Configure an AccessKey pair or an STS token.

      For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

      1. Choose Start > Run to open the Run dialog box. Enter cmd and press the Enter to open the command prompt window.

      2. Switch to the test directory. 

        cd C:\Users\test

      3. Configure an authentication method.

        The following authentication methods are supported:

        • AccessKey pair-based authentication

          Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted: 

          ali-instance-cli.exe configure --mode AK

        • STS token-based authentication

          Note

          In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token. 

          ali-instance-cli.exe configure set --mode StsToken --region "region" --access-key-id "ak"  --access-key-secret "sk"   --sts-token "token"

        • CredentialsURI-based authentication

          Run the following command and specify CredentialsURI and RegionID as prompted: 

          ali-instance-cli.exe configure --mode=CredentialsURI

        The following command output indicates that the AccessKey pair-based authentication method is configured.

        windows AK.png

    5. Run an SSH command to connect to an instance.

      You can use a username-password pair or a key pair to connect to the instance.

      Note

      Replace user and aliyun instance id with the actual username and ID of the instance.

      • Password-based authentication

        ssh user@aliyun instance id

      • Key-based authentication

        ssh -i key.pem user@aliyun instance id

      The following command output indicates that you are connected to the instance over SSH by using Session Manager.

      链接实例

    FAQ

    If an error occurs when you use Session Manager Client, you can view logs to identify and analyze the issue.

    • View the log generated at the current time for Session Manager Client. Example: /home/test/log/aliyun_ecs_session_log.2022XXXX.

    • View the logs of Cloud Assistant Agent in one of the following directories based on the operating system.

      • Linux

        /usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/

      • Windows

        C:\ProgramData\aliyun\assist\<Version number of Cloud Assistant>\log

    If Session Manager is not enabled when you use Session Manager Client to connect to an instance, the ssh_exchange_identification: Connection closed by remote host error message appears. Additionally, the session manager is disabled, please enable first entry appears in the Session Manager Client log. You can enable Session Manager in the ECS console. For more information, see Connect to an instance by using Session Manager.