Alibaba Cloud provides the secure and convenient SSH key pair-based authentication method for logons to Elastic Compute Service (ECS) instances. The key pairs are used for authentication and encrypted communication over the SSH protocol. An SSH key pair consists of a public key and a private key and can be used only on Linux instances. This meets your business requirements for higher security, convenience, and automation capabilities. With SSH key pairs, you can implement password-free remote logon and perform secure automated operations, such as server configuration and application deployment.
Introduction
An SSH key pair consists of a public key and a private key that are generated based on an encryption algorithm. By default, the keys are encrypted by using the Rivest–Shamir–Adleman (RSA) 2048 algorithm. If you plan to SSH into Linux instances, you must create an SSH key pair. Then, you can specify the SSH key pair when you create a Linux instance, or bind the SSH key pair to an instance after the instance is created. This way, you can use the private key of the key pair to connect to the instance.
After you create an SSH key pair, take note of the following items:
Alibaba Cloud stores the public key of each key pair. After an SSH key pair is bound to a Linux instance, the public key of the key pair is stored in the ~/.ssh/authorized_keys file.
Download and store the private key in a secure location. The private key is unencrypted. It is in the Public-Key Cryptography Standards
(PKCS) #8format and Privacy-Enhanced Mail (PEM) encoded.
Advantages
SSH key pair-based authentication provides the following advantages over username/password-based authentication:
Increased security: SSH key pairs provide higher security and reliability for authentication.
SSH key pairs are more secure than regular passwords against brute-force attacks.
Private keys cannot be deduced from public keys regardless of whether the public keys are maliciously acquired.
Ease of use:
If you configure a public key on a Linux instance, you can run an SSH command or use a connection tool to log on to the instance by using the corresponding private key instead of a password.
You can log on to multiple Linux instances at the same time by using an SSH key pair. This way, you can manage your instances in a more convenient manner. If you want to batch maintain multiple Linux instances, we recommend that you use the SSH key pair-based authentication method.
Limits
SSH key pairs have the following limits:
SSH key pairs are supported only by Linux instances.
You can use SSH key pair-based authentication to log on to a Linux instance as root or ecs-user, who you specify as the logon username when you create the instance. Specific images do not support ecs-user. For information about images that do not support ecs-user, see the instance buy page. For more information, see Connect to a Linux instance by using a password or a key or Connect to a Linux instance by using an SSH key pair.
If you want to log on to a Linux instance by using an SSH key pair as a user that you created on the instance, you must copy the ~/.ssh/authorized_keys file to the. ssh directory of the user. For more information, see Log on to a Linux instance as a user-created user by using an SSH key pair.
If you use an SSH key pair to log on to a Linux instance, the username/password-based authentication method is disabled to increase security.
Only 2048-bit RSA key pairs can be created in the ECS console.
An Alibaba Cloud account can have up to 500 key pairs in a region.
When you bind SSH key pairs to Linux instances in the ECS console, you can bind only a single SSH key pair to a Linux instance.
If a key pair is already bound to the instance, the new key pair replaces the original key pair on the instance.
If you want to use multiple key pairs on a Linux instance, you can modify the ~/.ssh/authorized_keys file on the instance to add the key pairs. For more information, see Add or replace an SSH key pair.
Instances of retired instance types do not support SSH key pairs. For more information, see Retired instance types.
For data security purposes, after you bind or unbind a key pair for the instance that is in the Running (
Running) state, you must restart the instance for the operation to take effect.
Methods for creating SSH key pairs
You can use one of the following methods to create an SSH key pair:
By default, keys are encrypted by using the RSA 2048 algorithm. For more information, see Create an SSH key pair.
ImportantIf you create a key pair in the ECS console, download and store the private key in a secure location. After you bind the key pair to an instance, you cannot log on to the instance if you do not have the private key.
Create an SSH key pair by using a key pair generator and then import the key pair to the ECS console. The imported key pair must support one of the following encryption methods:
rsa
dsa
ssh-rsa
ssh-dss
ecdsa
ssh-rsa-cert-v00@openssh.com
ssh-dss-cert-v00@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com