An SSH key pair is a pair of cryptographic keys, a public key and a private key, used for authentication within the SSH protocol. Instead of entering a password each time you connect, you prove your identity with a signature made by your private key, which the server verifies against the public key stored on the instance; the private key itself is never sent to the server. SSH key pairs are supported only on Linux instances in Simple Application Server.
This topic explains how to create, import, attach, detach, and delete key pairs in the Simple Application Server console.
How SSH key pairs work
An SSH key pair consists of two related keys:
Public key: Stored on the instance. It can be shared freely and does not need to be kept secret.
Private key: Stored on your local machine. You must keep it confidential. Anyone who holds the private key can log on to instances that trust the corresponding public key.
When you connect to an instance, the SSH client uses your private key to sign a challenge issued by the server. The instance checks that signature against the public keys listed in its ~/.ssh/authorized_keys file. If the signature verifies against one of them, the connection is established without a password.
Advantages over password-based authentication
SSH key pair-based authentication offers the following benefits compared to password-based authentication:
Benefit | Description |
Stronger security | A private key is far too large to guess by brute force, and it cannot be derived from the public key, so exposing the public key does not compromise the key pair. This protection holds only as long as the private key file stays confidential. |
Convenience | After you configure a public key on a Linux instance, you can log on by using the corresponding private key instead of a password. You can also use a single key pair to log on to multiple Linux instances simultaneously, which simplifies bulk management. |
Before you begin
Before you create or import an SSH key pair, note the following constraints:
SSH key pairs are supported only on Simple Application Server instances that run Linux.
You can create a maximum of 10 key pairs per region for each Alibaba Cloud account.
The console supports creating only RSA 2048-bit key pairs. If you need a key pair that uses a different algorithm, create it locally and import the public key. For supported encryption methods, see Supported encryption methods for import.
Check whether you already have a key pair
Before you create a new key pair, check whether a usable key pair already exists on your local machine.
On macOS or Linux, run the following command in a terminal:
```
ls -la ~/.ssh/
```
Look for files named id_rsa and id_rsa.pub (or similar, such as id_ed25519 and id_ed25519.pub). The .pub file is the public key; the file without the extension is the private key and must not be shared.
On Windows, check the following default directory:
```
C:\Users\<your-username>\.ssh\
```
If you find an existing key pair, you can import its public key into the Simple Application Server console instead of creating a new one.
Create a key pair
You can create a key pair in the console or generate one locally and import the public key. After you create or import a key pair, you can attach it to a Simple Application Server instance.
Auto-generate a key pair in the console
Go to the Key Pair page in the Simple Application Server console.
On the Key Pairs page, click Create Key Pair.
In the Create Key Pair dialog box, configure the following parameters and click Confirm.
Important: The private key is automatically downloaded as a .pem file to your local machine. This is your only opportunity to download the private key. Store it in a secure location because it cannot be retrieved later. If a download dialog box does not appear, check the download page of your browser for blocked downloads.
Parameter | Description |
Key Pair Name | Enter a custom name for the key pair. The name must be 2 to 64 characters in length, start with a letter or a Chinese character, and can contain digits, colons (:), underscores (_), and hyphens (-). |
Creation Mode | Select Auto-Generate Key Pair. |
In the Create Key Pair dialog box, you can select whether to attach the key pair to an instance immediately. You can also attach the key pair later. For more information, see Attach a key pair to an instance.
Import an existing key pair
If you already have a key pair, you can import its public key into the console. This lets you use your existing key pair to log on to Simple Application Server instances. The imported key pair must use a supported encryption method.
Go to the Key Pair page in the Simple Application Server console.
On the Key Pairs page, click Create Key Pair.
In the Create Key Pair dialog box, configure the following parameters and click Confirm.
Parameter | Description |
Key Pair Name | Enter a custom name for the key pair. The name must be 2 to 64 characters in length, start with a letter or a Chinese character, and can contain digits, colons (:), underscores (_), and hyphens (-). |
Creation Mode | Select Import Key Pair. |
Public Key Content | Paste the public key content into the code editor. The public key must be a single line in the form `<type> <base64> [comment]`, for example the content of an id_rsa.pub file. You can hover over Base64 Preview to view the expected format. For instructions on obtaining your public key, see View public key information. |
In the Create Key Pair dialog box, you can select whether to attach the key pair to an instance immediately. You can also attach the key pair later. For more information, see Attach a key pair to an instance.
Generate a key pair locally with ssh-keygen
If you prefer to generate a key pair on your local machine rather than in the console, you can use the ssh-keygen command and then import the public key.
On macOS or Linux, open a terminal and run:
```
ssh-keygen -t rsa -b 2048
```
When prompted:
Enter file in which to save the key: Press Enter to accept the default location (~/.ssh/id_rsa), or specify a custom path.
Enter passphrase: Enter a passphrase to encrypt the private key on disk, or press Enter to skip. Without a passphrase, anyone who obtains the private key file can use it immediately.
After the key pair is generated, import the public key (the .pub file) into the console by following the steps in Import an existing key pair.
On Windows, you can use the same command in Windows Terminal, PowerShell, or Command Prompt if OpenSSH is installed. Alternatively, use PuTTYgen to generate a key pair.
The console supports only RSA 2048-bit key pairs for auto-generation, but you can import key pairs that use other supported algorithms. For the full list, see Supported encryption methods for import.
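The following script is an added example; it is not part of this page or of the Simple Application Server console. It automates the two checks described above: listing the public keys already present in ~/.ssh, and validating a single public-key line before you paste it into the Public Key Content field. It parses the OpenSSH wire format (the base64 blob is a sequence of length-prefixed strings, the first of which repeats the key type), rejects lines whose text prefix and blob disagree, enforces the 2048-bit minimum for RSA, and computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, so you can confirm that the line you are about to import belongs to the private key on your machine. The sample keys inside it are constructed with synthetic moduli and are not usable keys; which algorithms the console accepts is governed by Supported encryption methods for import, which the script does not model.

```python
import base64
import binascii
import hashlib
import pathlib
import struct

# Key types this checker can parse. Whether the console accepts a type is
# governed by "Supported encryption methods for import", not modelled here.
KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(data):
    """Encode an RFC 4251 string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(blob, offset):
    """Decode an RFC 4251 string at offset; returns (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_openssh_public_key(line, min_rsa_bits=2048):
    """Validate one '<type> <base64> [comment]' line and describe the key.
    Raises ValueError for anything that should not be pasted into the console."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]' on one line")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"public key is not valid base64: {exc}") from exc
    # The first string inside the blob repeats the key type; a mismatch means
    # the text prefix and the encoded key material do not belong together.
    embedded_type, pos = _read_string(blob, 0)
    if embedded_type != key_type.encode("ascii"):
        raise ValueError("key type prefix does not match the encoded key")
    # Same value 'ssh-keygen -lf' prints: base64(SHA-256(blob)) without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": key_type, "comment": comment, "fingerprint": "SHA256:" + digest}
    if key_type == "ssh-rsa":
        _exponent, pos = _read_string(blob, pos)
        modulus, pos = _read_string(blob, pos)      # mpint, may carry a leading 0x00
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            raise ValueError(f"RSA modulus is only {bits} bits; {min_rsa_bits} required")
        info["bits"] = bits
    elif key_type == "ssh-ed25519":
        point, pos = _read_string(blob, pos)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
    else:                                           # ecdsa-sha2-*: curve name, then point
        _curve, pos = _read_string(blob, pos)
        _point, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the key material")
    return info

def encode_openssh_rsa_public_key(e, n, comment=""):
    """Build an 'ssh-rsa <base64> <comment>' line from integers (for the samples)."""
    def mpint(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:                   # keep the mpint positive
            raw = b"\x00" + raw
        return _ssh_string(raw)
    blob = _ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()

def find_local_public_keys(ssh_dir=None):
    """Parse every *.pub in ssh_dir (default ~/.ssh): the 'ls -la ~/.ssh/' check, automated."""
    directory = pathlib.Path(ssh_dir) if ssh_dir else pathlib.Path.home() / ".ssh"
    report = {}
    for pub in (sorted(directory.glob("*.pub")) if directory.is_dir() else []):
        try:
            report[pub.name] = parse_openssh_public_key(pub.read_text())
        except ValueError as exc:
            report[pub.name] = {"error": str(exc)}
    return report

# Constructed samples: the moduli are NOT real RSA keys, they only have the
# right size so the format checks can be exercised offline.
SAMPLE_RSA_2048 = encode_openssh_rsa_public_key(65537, (1 << 2047) | 1, "laptop-key")
SAMPLE_RSA_1024 = encode_openssh_rsa_public_key(65537, (1 << 1023) | 1, "old-key")

if __name__ == "__main__":
    print(parse_openssh_public_key(SAMPLE_RSA_2048))
    print(find_local_public_keys())
```

Run it with a real key line (for example the content of ~/.ssh/id_rsa.pub) and compare the fingerprint it prints with the output of `ssh-keygen -lf ~/.ssh/id_rsa.pub`; the two must agree before the line is worth importing.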
Attach a key pair to an instance
After you create or import a key pair, attach it to a Simple Application Server instance so that you can use the key pair to log on.
The instance must be in the Running or Stopped state.
You can attach only one key pair to a Simple Application Server instance through the console. If you attach a new key pair to an instance that already has one, the new key pair replaces the existing one.
After you attach a key pair to a Simple Application Server instance, password-based logon is automatically disabled for the root user on the server. To re-enable password-based logon, you must modify the configuration file of the server. For more information, see Connect to a Linux server.
To use multiple key pairs on one instance, you can manually edit the ~/.ssh/authorized_keys file. For more information, see Use multiple key pairs on one instance.
Go to the Key Pair page in the Simple Application Server console.
On the Key Pairs page, find the target key pair and click Attach Instance in the Actions column.
In the Attach Instance dialog box, select one or more Linux Simple Application Server instances and click the transfer icon.
Click Confirm.
In the Attach Instance dialog box, choose whether to restart the instance immediately:
Restart the instance now: Click Restart Instance Now. The key pair takes effect after the instance restarts.
WarningThe restart operation stops the instance for a short period of time and may interrupt services that are running on the instance. We recommend that you restart the instance during off-peak hours.
Restart later: Click Postpone Restart. Restart the instance manually during off-peak hours for the key pair to take effect.
After the key pair takes effect, you can use it to log on to the instance. For more information, see Remotely connect to a Linux server.
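The SSH daemon on the instance, OpenSSH sshd, decides whether root may still log on with a password through two directives in its configuration file, PermitRootLogin and PasswordAuthentication; on standard Linux images that file is /etc/ssh/sshd_config. The page only says that attaching a key pair disables password logon and that re-enabling it means editing that file. The following is an added example, not code from this page or from Alibaba Cloud, that reads such a file the way sshd does and shows what a re-enabling (or hardening) edit must look like. Two details matter in practice: sshd honours the first occurrence of a directive, so appending a new line at the end of the file does nothing if an earlier line already sets it, and directives inside a Match block apply only to the connections that match. The configuration text is a constructed sample, and the assumption that the instance runs a standard OpenSSH sshd is mine, not the page's.

```python
import re

# Constructed sample of an OpenSSH sshd_config; not copied from a real instance.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
#PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

# keyword, then either whitespace or '=' (sshd accepts both), then the arguments
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")

def _parse(config_text):
    """Yield (keyword_lowercase, value, raw_line); comments and blank lines yield
    (None, None, raw_line) so that callers can keep them verbatim."""
    for raw in config_text.splitlines():
        stripped = raw.strip()
        m = _DIRECTIVE.match(raw) if stripped and not stripped.startswith("#") else None
        if m:
            yield m.group(1).lower(), m.group(2), raw
        else:
            yield None, None, raw

def effective_value(config_text, directive, default=None):
    """Return the global value sshd uses for `directive`.

    sshd takes the FIRST occurrence of a keyword, so a later duplicate never
    overrides an earlier one; keywords inside a Match block apply only to the
    connections that satisfy the Match criteria and are skipped here.
    """
    in_match = False
    for keyword, value, _raw in _parse(config_text):
        if keyword == "match":
            in_match = True
        elif keyword == directive.lower() and not in_match:
            return value
    return default

def root_password_login_enabled(config_text):
    """True only if root can log on with a password: both directives must allow it.
    Defaults are OpenSSH's own (PermitRootLogin prohibit-password, PasswordAuthentication yes)."""
    permit = effective_value(config_text, "PermitRootLogin", "prohibit-password")
    password = effective_value(config_text, "PasswordAuthentication", "yes")
    return permit.lower() == "yes" and password.lower() == "yes"

def set_global_directive(config_text, directive, value):
    """Return config_text with the global `directive` set to `value`.

    Earlier global occurrences are removed (only the first would count anyway)
    and the new line is placed before the first Match block, where it is still global.
    """
    out, placed = [], False
    new_line = f"{directive} {value}"
    for keyword, _value, raw in _parse(config_text):
        if keyword == "match" and not placed:
            out.append(new_line)
            placed = True
        if keyword == directive.lower() and not placed:
            continue                          # drop the stale global definition
        out.append(raw)
    if not placed:
        out.append(new_line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("root password logon enabled:", root_password_login_enabled(SAMPLE_SSHD_CONFIG))
    reenabled = set_global_directive(SAMPLE_SSHD_CONFIG, "PasswordAuthentication", "yes")
    reenabled = set_global_directive(reenabled, "PermitRootLogin", "yes")
    print("after re-enabling:", root_password_login_enabled(reenabled))
    print(reenabled)
```

On a real instance, read /etc/ssh/sshd_config into `config_text`, write the result of `set_global_directive` back, validate it with `sshd -t` before restarting the SSH service, and keep your current session open while you confirm from a second session that you can still log on. Leaving password logon for root disabled, as the console configures it, is the stronger setting; re-enable it only if you actually need it.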
Detach a key pair from an instance
To replace a key pair or revoke a user's access to an instance, you can detach the SSH key pair.
Before you detach a key pair, make sure you still have a way to log on. After a key pair is attached and the instance is restarted, password-based logon is disabled for the root user, so an instance whose only key pair is detached can be reached again only if another key pair has been attached, a public key was added to ~/.ssh/authorized_keys by hand, or password-based logon was re-enabled by modifying the configuration file of the server. For more information, see Connect to a Linux server.
Go to the Key Pair page in the Simple Application Server console.
On the Key Pairs page, find the target key pair and click Detach Instance in the Actions column.
In the Detach Instance dialog box, select one or more Linux Simple Application Server instances and click the transfer icon.
Click Confirm.
In the Detach Instance dialog box, choose whether to restart the instance immediately:
Restart the instance now: Click Restart Detached Instance. The detachment takes effect after the instance restarts.
WarningThe restart operation stops the instance for a short period of time and may interrupt services that are running on the instance. We recommend that you restart the instance during off-peak hours.
Restart later: Click Postpone Restart. Restart the instance manually during off-peak hours for the detachment to take effect.
Delete a key pair
A key pair can be deleted only after it has been detached from every instance. If a key pair is no longer in use, detach it from all instances and then delete it. Deleting the key pair in the console removes it from your account; public keys that you added to ~/.ssh/authorized_keys by hand are not affected and must be removed from that file separately.
Go to the Key Pair page in the Simple Application Server console.
On the Key Pairs page, find the key pair that you want to delete and click Delete in the Actions column.
In the Delete Key Pair dialog box, click OK.
Use multiple key pairs on one instance
The console allows you to attach only one key pair to an instance at a time. To use multiple key pairs, you can manually edit the ~/.ssh/authorized_keys file on the instance.
Connect to the Linux instance by using an existing SSH key pair.
Important: The key pair is attached to the root user, so you must be logged on as the root user.
Open the authorized_keys file:
```
vim ~/.ssh/authorized_keys
```
Press the i key to enter edit mode. Then add or replace public keys. Each public key must occupy exactly one line.
To add a new key pair: Paste the new public key on a new line below the existing public key. For example:
```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCys3aOkFm1Xh8iN0lijeQF5mz9Iw/FV/bUUduZjauiJa1KQJSF4+czKtqMAv38QEspiWStkSfpTn1g9qeUhfxxxxxxxxxx+XjPsf22fRem+v7MHMa7KnZWiHJxO62D4Ihvv2hKfskz8K44xxxxxxxxxx+u17IaL2l2ri8q9YdvVHt0Mw5TpCkERWGoBPE1Y8vxFb97TaE5+zc+2+eff6xxxxxxxxxx/feMeCxpx6Lhc2NEpHIPxMpjOv1IytKiDfWcezA2xxxxxxxxxx/YudCmJ8HTCnLId5LpirbNE4X08Bk7tXZAxxxxxxxxxx/FKB1Cxw1TbGMTfWxxxxxxxxxx imported-openssh-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvxxxxxxxxxx/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key
```
Note: When the authorized_keys file contains multiple public keys, you can log on to the instance by using any of the corresponding private keys.
To replace an existing key pair: Delete the current public key content and paste the new public key:
```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIP6t0Mk5aPkK/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcV14uAy0yV6/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjGACGcXclex+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvVlnI0E3Deb/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key
```
Press the Esc key to exit edit mode, then enter :wq to save the changes.
Use the new SSH key pair to log on to the instance from a second terminal while keeping your current session open, so that a typo in authorized_keys cannot lock you out. For more information, see Connect to a Linux instance using OpenSSH or Xshell.
If you can successfully log on with the new private key, the key pair has been added or replaced, and you can close the original session.
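Editing authorized_keys by hand in vim works, but a typo, a key pasted across two lines, or wrong file permissions will silently lock you out, and with password logon disabled for root there is no fallback. The following is an added example, not code from this page or from the Simple Application Server console, that performs the same add and replace operations with the checks a practitioner would want: every key line must be a single OpenSSH public key, the same key is never added twice (the trailing comment is ignored when comparing, so a relabelled copy still counts as a duplicate), the file is rewritten atomically with mode 600 inside a mode-700 directory (which sshd's StrictModes requires), and removing the last remaining key is refused. The two keys it uses are constructed placeholders with valid framing but no real key material, and `run_demo` works in a throwaway directory rather than the real ~/.ssh.

```python
import base64
import binascii
import os
import pathlib
import stat
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def key_identity(line):
    """(type, base64) for a plain public key line, else None. The comment is ignored,
    so a relabelled copy of the same key still counts as a duplicate; option-prefixed
    lines, comments and blank lines are preserved verbatim but never matched."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    return parts[0], parts[1]

def read_lines(path):
    path = pathlib.Path(path)
    return path.read_text().splitlines() if path.exists() else []

def _write_atomic(path, lines):
    """Replace the file in one step, with the permissions sshd's StrictModes expects."""
    path = pathlib.Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)      # ~/.ssh must not be group/world-writable
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)             # rename is atomic: never a half-written file

def add_authorized_key(path, pubkey_line):
    """Append pubkey_line unless that key is already present; True if added."""
    ident = key_identity(pubkey_line)
    if ident is None:
        raise ValueError("not a single-line OpenSSH public key")
    lines = read_lines(path)
    if any(key_identity(l) == ident for l in lines):
        return False
    _write_atomic(path, lines + [pubkey_line.strip()])
    return True

def remove_authorized_key(path, pubkey_line):
    """Drop every line carrying this key; True if something was removed. Refuses to
    empty the file: with password logon disabled for root, that would lock you out."""
    ident = key_identity(pubkey_line)
    lines = read_lines(path)
    kept = [l for l in lines if ident is None or key_identity(l) != ident]
    if len(kept) == len(lines):
        return False
    if not any(key_identity(l) for l in kept):
        raise RuntimeError("refusing to remove the last authorized key")
    _write_atomic(path, kept)
    return True

def _fake_ed25519(comment):
    """Constructed sample line: correct OpenSSH framing, but not real key material."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + comment.encode().ljust(32, b"A")
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

KEY_ALICE = _fake_ed25519("alice@laptop")
KEY_BOB = _fake_ed25519("bob@desktop")

def run_demo(ssh_dir=None):
    """Exercise add / duplicate / remove / last-key guard in a throwaway directory."""
    ssh_dir = pathlib.Path(ssh_dir or tempfile.mkdtemp(prefix="ssh-demo-"))
    ak = ssh_dir / "authorized_keys"
    result = {
        "added_alice": add_authorized_key(ak, KEY_ALICE),
        "added_bob": add_authorized_key(ak, KEY_BOB),
        "alice_again": add_authorized_key(ak, KEY_ALICE.replace("alice@laptop", "relabelled")),
        "removed_alice": remove_authorized_key(ak, KEY_ALICE),
    }
    try:
        remove_authorized_key(ak, KEY_BOB)
        result["last_key_guard"] = False
    except RuntimeError:
        result["last_key_guard"] = True
    result["comments_left"] = [l.split()[-1] for l in read_lines(ak) if key_identity(l)]
    result["file_mode"] = stat.S_IMODE(ak.stat().st_mode)
    result["dir_mode"] = stat.S_IMODE(ssh_dir.stat().st_mode)
    return result

if __name__ == "__main__":
    print(run_demo())
```

To replace a key on a real instance, call `add_authorized_key("/root/.ssh/authorized_keys", new_key)` first, confirm the new private key works from a second session, and only then call `remove_authorized_key` for the old one; that order, together with the last-key guard, is what keeps the root account reachable.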
Related operations
You can also manage key pairs by calling API operations:
API | Description |
 | Create an instance key pair. |
 | Import a key pair. |
 | Query information about instance key pairs. |
 | Delete an instance key pair. |