Bind a key pair to an instance for password-free logon over SSH - Elastic Compute Service

If you bind a key pair to an Elastic Compute Service (ECS) instance in the ECS console, you must restart the instance for the configuration to take effect. However, this may affect business continuity. This topic describes how to bind a key pair to an ECS instance without the need to restart the instance. You can use the key pair to connect to the instance over SSH without the need to provide a password.

Procedure overview

To bind a key pair to an ECS instance without the need to restart the instance for password-free logon over SSH, perform the following steps:

Generate a key pair. The private key is used as the credential for subsequent logon. You must store the private key in a secure location. The public key is stored on the ECS instance to which the key pair is bound.
Bind the public key to an ECS instance. In this step, connect to an ECS instance by using a reliable connection method and add the public key of the key pair to the instance. This step mainly involves the ~/.ssh/authorized_keys configuration file.
Enable SSH public key authentication. After you bind the public key of the key pair to the ECS instance, you must enable SSH public key authentication on the instance. This step mainly involves the /etc/ssh/sshd_config configuration file.
Connect to the ECS instance by using SSH key pair-based authentication. After you perform the preceding steps, you can connect to the instance by using SSH key pair-based authentication to check whether the configurations are correct.

Step 1: Generate a key pair

You can use multiple methods to generate a key pair. The steps to generate a key pair vary based on the tool that you use. In this example, the ssh-keygen command is used to generate a key pair. Run the following command in the CLI to generate a key pair.

Note

You can also create a key pair in the ECS console. After you create a key pair, the private key of the key pair is automatically downloaded. In this case, you must use a tool to obtain the public key information. For more information, see the Create a key pair and View public key information sections of the "Manage SSH key pairs" topic.

ssh-keygen -t rsa -b 2048 -f id_rsa

-t rsa: specifies the Rivest-Shamir-Adleman (RSA) key type.
-b 2048: specifies a key length of 2,048 bits.
-f id_rsa: specifies a file name and the storage location for the generated key pair.

Important

After you run the preceding command, you are prompted to enter a passphrase to protect the private key. After you configure a passphrase for the private key, anyone who wants to use the private key must first obtain the passphrase.

If you do not want to configure a passphrase for the private key, you can press the Enter key to skip the passphrase configuration step.

After the preceding command is run, a pair of key files are generated in the directory where the command is run. The key files are named id_rsa.pub for the public key and id_rsa for the private key. You must store the private key in a secure location and make sure that the private key remains confidential.

Step 2: Bind the public key to an ECS instance

After you bind the public key of a key pair to an ECS instance, you can use the corresponding private key as a credential to connect to the instance.

Select an appropriate method to connect to an ECS instance. For more information, see the Connect to a Linux ECS instance by using SSH or Connect to a Windows or Linux ECS instance without a password by using Session Manager section of the "Methods for connecting to an ECS instance" topic.
Configure the public key in the ~/.ssh/authorized_keys file.
Before you perform this step, you must identify the user identity that you use to connect to the Linux ECS instance. For example, if you connect to the instance as the ecs-user user, configure the public key for the ecs-user user.
Configure the public key for the root user
1. Create the authorized_keys configuration file.
  The public key of the root user is stored in the /root/.ssh/authorized_keys configuration file. If the configuration file does not exist, run the following commands to create the .ssh folder and the authorized_keys configuration file:
```
sudo mkdir /root/.ssh
sudo touch /root/.ssh/authorized_keys
```
2. Copy the public key information generated in Step 1 to the /root/.ssh/authorized_keys configuration file.
  You can use the Vim editor to edit the file. For more information, see Vim editor.
3. Change the permissions on the configuration file.
  If you grant excessive permissions on the configuration file, you may be unable to connect to the ECS instance over SSH. Grant the following permissions on the configuration file:
```
sudo chmod 700 /root/.ssh
sudo chmod 600 /root/.ssh/authorized_keys
```
Configure the public key for a non-root user
If you want to bind a key pair to a non-root system user, perform the following steps:
1. Create the authorized_keys configuration file.
  Find the /home/<username>/.ssh/authorized_keys configuration file. Replace <username> with the name of the user to which you want to bind the key pair.
  For example, if you want to bind the key pair to the ecs-user user, you must modify the /home/ecs-user/.ssh/authorized_keys configuration file.
  If the configuration file does not exist, run the following commands to create the configuration file in the home directory of the user to which you want to bind the key pair.
  Replace <username> with the name of the user to which you want to bind the key pair.
```
sudo mkdir /home/<username>/.ssh
sudo touch /home/<username>/.ssh/authorized_keys
```
2. Copy the public key generated in Step 1 to the /home/<username>/.ssh/authorized_keys configuration file. The file supports multiple lines. If you want to bind multiple key pairs, you can add multiple lines and add a public key in each line.
  You can use the Vim editor to edit the file. For more information, see Vim editor.
3. Change the permissions on the configuration file.
  If you grant excessive permissions on the configuration file, you may be unable to connect to the ECS instance over SSH. Grant the following permissions on the configuration file.
  Replace <username> with the name of the user to which you want to bind the key pair.
```
sudo chmod 700 /home/<username>/.ssh
sudo chmod 600 /home/<username>/.ssh/authorized_keys
```

Step 3: Enable SSH public key authentication

After you bind a public key to an ECS instance, you must enable SSH public key authentication. Otherwise, you cannot use the key pair to connect to the instance.

Set the PubkeyAuthentication parameter in the /etc/ssh/sshd_config SSH configuration file to yes, which indicates that SSH public key authentication is enabled.
Important
You can use the Vim editor to edit the file. For more information, see Vim editor. Before you modify the configuration file, we recommend that you back up the file to prevent SSH service startup failures caused by accidental operations.
Restart the SSH service for the configuration to take effect.
In this example, Alibaba Cloud Linux 3 is used. Run the following command to restart the SSH service.
In specific operating systems including Ubuntu and Debian, the SSH service is named ssh instead of sshd. Specify the service name in the following command based on the operating system.
```
sudo systemctl restart sshd
```
Important
If you connect to an ECS instance over SSH, your connection may be interrupted when you restart the SSH service. After the SSH service is restarted, you can reconnect to the instance.

Step 4: Connect to the ECS instance by using SSH key pair-based authentication without the need to provide a password

After you configure a key pair for a Linux ECS instance, you can connect to the instance by using SSH key pair-based authentication. The steps vary based on the tool that you use. This section describes how to connect to a Linux instance by using SSH key pair-based authentication in the CLI or by using Workbench.

CLI

After you complete the preceding configurations, run the following command in the CLI to connect to the Linux instance:

ssh -i <identity_file_path> -p <ssh_port> <username>@<server_ip>

Take note of the following parameters:

<identity_file_path>: the location of the private key file.
<ssh_port>: the port of the SSH service. Default value: 22.
<username>: the user identity used to connect to the instance.
<server_ip>: the IP address of the instance. If you want to connect to an ECS instance from an on-premises machine, you must specify the public IP address of the instance. If you want to connect to an ECS instance from another ECS instance over the internal network, you can use the private IP address of the instance to which you want to connect.

Workbench

When you use Workbench to connect to a Linux instance over SSH by using the public IP address or private IP address of the instance, you can use SSH key pair-based authentication. For more information, see Connect to a Linux instance by using Workbench with an SSH key pair in a VPC.

Related operations

Bind multiple key pairs (public keys) to the same user

The .ssh/authorized_keys file in the home directory of a user on an ECS instance supports multiple lines. Add one public key in each line to allow the same user to connect to the ECS instance by using multiple key pairs.

Unbind a key pair (public key) from an ECS instance

You can delete a specific public key entry by editing the .ssh/authorized_keys file in the home directory of a user on an ECS instance. After you delete the public key entry, you cannot use the corresponding private key to connect to the ECS instance as the user.

Simplify the ssh command by modifying the `~/.ssh/config` configuration file

If you frequently connect to a number of ECS instances, you can modify the ~/.ssh/config configuration file of each instance to simplify the ssh command so that you do not need to enter the full command every time you connect to the instances. The following section describes the configuration method.

Effect

Before simplification:

ssh -i <identity_file_path> -p <ssh_port> <username>@<server_ip>

After simplification:

ssh <server_name>

Procedure
1. Edit or create the ~/.ssh/config configuration file on an ECS instance.
2. Add the following content to the configuration file:
```
Host <server_name>
  HostName: <server_ip>
  User <username>
  IdentityFile <identity_file_path>
  Port <ssh_port>
```
  Take note of the following parameters in the configuration file:
  - <server_name>: the custom alias of the instance.
  - <server_ip>: the IP address of the instance.
  - <username>: the user identity used to connect to the instance.
  - <identity_file_path>: the location of the private key file.
  - <ssh_port>: the port of the SSH service. Default value: 22.
3. Run the simplified command. Replace <server_name> with the alias that you specified for the instance in the ~/.ssh/config configuration file.
```
ssh <server_name>
```