Elastic Compute Service:Manage SSH key pairs

What is an SSH key pair?

An SSH key pair is a credential used to connect to an ECS instance over SSH. An SSH key pair consists of a public key and a private key. The public key is automatically stored on the instance. You must securely keep the private key on your on-premises computer. Keys must be used in pairs. The public key is used to encrypt data and the private key is used to decrypt data. Data encrypted by using the public key can only be decrypted by using the private key.

Benefits of SSH key pair-based authentication

• Security and reliability

  The security strength of SSH key pairs is higher than that of regular passwords. The difficulty of reverse-engineering a private key from a public key is extremely high, which eliminates the threat of brute-force cracking.

• Convenience

  • You can use an SSH key pair to connect to an instance by using SSH commands or related tools, which is password free.

  • You can connect to multiple Linux instances at the same time by using an SSH key pair, which is a recommended logon method that allows you to batch manage Linux instances in a more convenient manner.

How SSH key pairs work

The following figure shows the simplified SSH key pair-based authentication process. The client initiates a logon request to the server. Upon receipt of the request, the server encrypts a random string by using the public key and replies the client with the encrypted string. Then, the client decrypts the string by using the private key and returns the string to the server. The server authenticates the client by checking whether the two strings are consistent.

View all key pairs

• View all key pairs in the ECS console

  You can manage key pairs on the Key Pairs page in the ECS console, as shown in the following figure. Perform the following steps to go to the Key Pairs page. On the Key Pairs page, you can view information about all key pairs in the current region and manage key pairs.

  Log on to the ECS console. In the left-side navigation pane, choose Network & Security > Key Pairs. In the top navigation bar, select the region and resource group to which the resource belongs.

• View all key pairs by calling an API operation

  To query all key pairs in a specific region, call the DescribeKeyPairs operation. For more information, see DescribeKeyPairs.

Create a key pair

• Create a key pair in the ECS console

  Important

  • You can create a key pair in the ECS console. After you create a key pair, the private key of the key pair is automatically downloaded. You must securely store and ensure the confidentiality of the private key. ECS stores the public key, but not the private key. To connect to an ECS instance to which an SSH key pair is bound, you must provide the private key.

  • You can have up to 500 SSH key pairs in a region.

  Perform the following steps to automatically create a key pair in the ECS console:

  On the Key Pairs page, click Create SSH Key Pair. In the Create SSH Key Pair dialog box, configure the following parameters: Name: The name of the key pair must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), and colons (:). The name cannot start with a special character or a digit. Creation Type: Select Auto-create. The system automatically creates a key pair. The private key is automatically downloaded after the key pair is created. The private key can be downloaded only once. You must securely store the private key file. Resource Group: You can assign the key pair to a resource group to facilitate management. For more information, see Resource groups. Tags: You can add one or more tags to a key pair to facilitate resource search and aggregation. For more information, see Tags. Click OK. After the key pair is created, your browser downloads the private key file (<Key pair name>.pem) to your computer.

• Create a key pair by calling an API operation

  You can call the CreateKeyPair operation to create an SSH key pair. For more information, see CreateKeyPair .

View public key information

To view information about the public key of a key pair, perform the following steps to obtain the public key from the private key.

ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA****+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCxxxxxx

Import a key pair by importing the public key of the key pair

• Supported methods for encrypting key pairs

  Public keys that you want to import to ECS must be encoded in Base64 and support one of the following encryption methods:

  rsa dsa ssh-rsa ssh-dss ecdsa

  ssh-rsa-cert-v00@openssh.com ssh-dss-cert-v00@openssh.com ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com

  ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com

• Import a key pair in the ECS console

  Perform the following steps to automatically create a key pair in the ECS console.

  On the Key Pairs page, click Create SSH Key Pair. In the Create SSH Key Pair dialog box, configure the following parameters: Name: The name of the key pair must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), hyphens (-), and colons (:). The name cannot start with a special character or a digit. Creation Type: Select Import. If you select this option, you must provide the public key file. Public Key: Enter the content of the public key file that you want to import. Resource Group: You can add the key pair to a resource group to facilitate management. For more information, see Resource groups. Tags: You can add one or more tags to a key pair to facilitate resource search and aggregation. For more information, see Tags. Click OK.

• Import a key pair by calling an API operation

  You can call the ImportKeyPair operation to import an existing key pair by importing the public key of the key pair. For more information, see ImportKeyPair.

Bind a key pair to instances

You can bind an SSH key pair to an ECS instance when or after you create the ECS instance. You can use SSH key pairs to securely connect to ECS instances and manage multi-user access, which facilitates automated and batch operations.

• Considerations

  • You can perform the operations in this section to bind a key pair only to the initial logon user of an ECS instance. The initial logon user of the instance is the logon user whom you selected when you created the instance. For more information about how to bind a key pair to another user, see Bind a key pair to an instance for password-free logon over SSH.

  • You must restart an instance after you bind a key pair to the instance for the binding to take effect. To prevent the instance restart from affecting your business, you can perform the operations described in Bind a key pair to an instance for password-free logon over SSH to bind the key pair to the instance.

  • In the ECS console, you can bind only one SSH key pair to an instance and bind the same SSH key pair to multiple instances. If you bind an SSH key pair to an instance to which another SSH key pair was bound, the new key pair replaces the original key pair.

  • The binding changes the logon method. If SSH password-based logon is used for an ECS instance before you bind a key pair to the instance, SSH password-based logon is disabled after you bind a key pair to the instance.

• Bind a key pair in the ECS console

  Perform the following steps to bind a key pair to instances in the ECS console:

  Find the SSH key pair that you want to bind and click Bind in the Actions column. In the Select ECS Instance column, select the instances to which you want to bind the SSH key pair and click the > icon to move the instances to the Selected column. Click Next. Note You cannot select Windows instances. An SSH key pair can be bound to Linux instances, not Windows instances. Select a method to restart the instances as prompted, or wait for an appropriate time to restart the instances. After the instances are restarted, the new key pair can take effect.

• Bind a key pair by calling an API operation

  You can call the AttachKeyPair operation to bind a key pair to Linux instances. For information, see AttachKeyPair.

Unbind a key pair from an instance

If you no longer require an SSH key pair, you can unbind the SSH key pair from the related ECS instances to improve the instance security or restrict access permissions. For example, you can unbind an SSH key pair if the SSH key pair has expired or is rotated or a user no longer needs to access an ECS instance to which the SSH key pair is bound.

• Unbind a key pair in the ECS console

  Perform the following steps to unbind a key pair from instances in the ECS console:

  Find the SSH key pair that you want to unbind and click Unbind in the Actions column. In the Select ECS Instance column, select the instances from which you want to unbind the SSH key pair and click the > icon to move the instances to the Selected column. Click Next. Select a method to restart the instances as prompted, or wait for an appropriate time to restart the instances. After the instances are restarted, the key pair is unbound from the instances.

• Unbind a key pair by calling an API operation

  You can call the DetachKeyPair operation to unbind an SSH key pair from Linux instances. For more information, see DetachKeyPair.

Delete a key pair

• Delete a key pair in the ECS console

  To delete a key pair in the ECS console, perform the following steps:

  On the Key Pairs page, find the SSH key pair that you want to delete and click Delete in the Actions column. Delete the key pair as prompted.

• Delete a key pair by calling an API operation

  You can call the DeleteKeyPairs operation to delete an SSH key pair. For more information, see DeleteKeyPairs.