This topic describes how to use the config_ecs_instance_connect plug-in to register a public key with a Linux Elastic Compute Service (ECS) instance and connect to the instance with the key instead of a password.
Usage notes
config_ecs_instance_connect is an Alibaba Cloud plug-in that is used to connect to Linux instances. With this plug-in, you can connect to specific Linux instances in a secure and easy manner without passwords.
You can use the config_ecs_instance_connect plug-in and a common Cloud Assistant command to send an SSH public key to a specific instance for a specific user to use. The public key remains valid for 60 seconds. During these 60 seconds, you can use the SSH public key to connect to the instance as the user without providing a password. This way, risks such as password leaks are prevented.
This connection method is suitable for the following scenarios:
Connect to multiple instances frequently.
Connect to instances that contain sensitive data.
Prerequisites
The instance to which you want to connect is in the Running state.
Session Manager is enabled for your account to which the instance belongs. For more information, see Connect to an instance by using Session Manager.
The instance runs a Linux operating system and has Cloud Assistant Agent version 2.2.3.196 or later installed.
For information about how to check the version of Cloud Assistant Agent and how to upgrade Cloud Assistant Agent, see Install Cloud Assistant Agent and Upgrade or disable upgrades for Cloud Assistant Agent.
ali-instance-cli is installed on Session Manager Client. For more information, see Linux and macOS operating systems or Windows operating systems.
Procedure
Run the following command in Session Manager Client to generate a Rivest-Shamir-Adleman (RSA) public key and key file:
ssh-keygen -t rsa
Press the Enter key as prompted. The command output indicates that the public key and key file have been generated.
Note: The default path of the generated public key is ~/.ssh/id_rsa.pub.
Install and start the config_ecs_instance_connect plug-in.
Install and start the plug-in in the ECS console
To install and start the config_ecs_instance_connect plug-in on an instance, use Cloud Assistant to run the following command on the instance.
For information about how to use Cloud Assistant to run a command on an instance, see Use the immediate execution feature.
acs-plugin-manager -e -P config_ecs_instance_connect --params --install
Install and start the plug-in by using Alibaba Cloud CLI
Note: In this example, i-bp15vhvt43ciprqkxxxx is used as the instance ID. Replace it with the actual value.
aliyun ecs RunCommand --RegionId 'cn-hangzhou' \
  --Type 'RunShellScript' \
  --CommandContent 'acs-plugin-manager -e -P config_ecs_instance_connect --params --install' \
  --InstanceId.1 'i-bp15vhvt43ciprqkxxxx'
Send the public key to the instance to which you want to connect.
Send the public key to the instance by calling an API operation
Call the InvokeCommand operation to run the ACS-ECS-SendSshPublicKey-linux.sh common command to send the SSH public key to the instance. Take note of the following parameters:
CommandId: the ID of the command. Set the value to ACS-ECS-SendSshPublicKey-linux.sh.
Parameters:
username: the username to use to connect to the instance. Default value: root.
sshpublickey: the SSH public key. This parameter is required. Set the value to the content of the id_rsa.pub file generated in Step 1.
Send the public key to the instance in the ECS console
Log on to the ECS console.
In the left-side navigation pane, go to Cloud Assistant, and then click the Common Commands tab.
Enter ACS-ECS-SendSshPublicKey-linux.sh in the search box and press the Enter key.
The ACS-ECS-SendSshPublicKey-linux.sh common command is displayed. In the Actions column, click Run.
In the Run Command panel, configure parameters.
Take note of the following parameters:
username: the username to use to connect to the instance. Default value: root.
sshPublicKey: the SSH public key. This parameter is required. Set the value to the content of the id_rsa.pub file generated in Step 1.
Select Instance: Select the instance to which you want to connect.
Click Run.
Send the public key to the instance by using Alibaba Cloud CLI
Run the ACS-ECS-SendSshPublicKey-linux.sh common command to send the public key to the instance. Take note of the following parameters:
CommandId: the ID of the command. Set the value to ACS-ECS-SendSshPublicKey-linux.sh.
Parameters:
username: the username to use to connect to the instance. Default value: root. Set the value to the username that you want to use.
sshpublickey: the SSH public key. This parameter is required. Set the value to the content of the id_rsa.pub file generated in Step 1.
Sample request:
aliyun ecs InvokeCommand --RegionId 'cn-hangzhou' \
  --CommandId 'ACS-ECS-SendSshPublicKey-linux.sh' \
  --InstanceId.1 'i-bp15vhvt43ciprqkxxxx' \
  --Parameters '{"username":"ecs-user","sshpublickey":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5A0cE4tq7oq6q0NyEp/EuVNY9AGVVC1Kkp9MM2O0P+hXjghPVLk2j8rNue6IPwAcLPKwgwOMbcNKGu6U90Kt8XPE5fOyp1dakqXiG1hZFrNjfqkR7xpceV/N4tQvb5/8DCq98u85qouj/KGIvZ6+BIQKBBh96iy/iHNLVNIS0H7UmBhYM4q9jjnxa+qy1JRCvV5Cc5mRgr87LfXbx+zmNiibFF23R9B9zeY1cS7RKRvzkpUWAN46f0gwY6Lg++wtg6DPWOKQ98P9is5rFpbYLv0xkV9h9vHH95RNNxOf0/RDcD7LbF0Kjz9oHp807pNinO94fvhWe5qZDH4VT**** test@iZnl7ckqcca****"}'
Connect to the instance without providing a password.
You can use the public IP address or ID of the instance to connect to the instance without providing a password.
Note: In the following commands, replace ~/.ssh/id_rsa with the actual path of the private key, username with the username that you want to use to connect to the instance, instance_ip with the public IP address of the instance, and instance_id with the ID of the instance.
Use the public IP address of the instance to connect to the instance without providing a password.
ssh -i ~/.ssh/id_rsa username@instance_ip
Use the ID of the instance to connect to the instance without providing a password.
ssh -i ~/.ssh/id_rsa username@instance_id
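The send-the-key and connect steps above, wrapped into one script as an added shell example. This is not code from the Alibaba Cloud documentation or from the config_ecs_instance_connect plug-in. It assumes the aliyun CLI is installed and configured with credentials, the plug-in is already installed and started on the instance, and the region, instance ID, username, key path and target address are supplied by the caller; the validate_pubkey, build_parameters and send_and_connect function names are introduced here. The script validates that the file really holds an ssh-rsa public key, escapes the key into the --Parameters JSON (a key comment containing quotes would otherwise break the JSON), and starts ssh immediately after InvokeCommand so the 60-second validity window is not wasted.

```shell
#!/bin/sh
# Added example, not part of the Alibaba Cloud documentation or of the plug-in.
# Assumes: aliyun CLI configured; config_ecs_instance_connect installed on the instance.

# Accept only a single OpenSSH RSA public-key line. The base64 blob of every ssh-rsa
# key begins with AAAAB3NzaC1yc2E (the encoded "ssh-rsa" type string), so a private
# key pasted by mistake, an empty file or a multi-line file is rejected.
validate_pubkey() {
  [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] &&
    printf '%s\n' "$1" | grep -Eq '^ssh-rsa AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
}

# Build the JSON passed to --Parameters. Backslashes and double quotes in the
# username and key are JSON-escaped so they cannot break the document.
build_parameters() {
  esc_user=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  esc_key=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"username":"%s","sshpublickey":"%s"}' "$esc_user" "$esc_key"
}

# Register the key with InvokeCommand and connect within the 60-second window.
# $5 is either the public IP address or the instance ID, both of which the page
# documents as valid ssh targets. IdentitiesOnly keeps ssh from first offering
# unrelated agent keys and spending the window on rejected attempts.
send_and_connect() {
  region=$1
  instance_id=$2
  user=$3
  keyfile=$4
  target=$5
  pubkey=$(cat "$keyfile.pub") || return 1
  validate_pubkey "$pubkey" || { echo "not an ssh-rsa public key: $keyfile.pub" >&2; return 1; }
  params=$(build_parameters "$user" "$pubkey")
  aliyun ecs InvokeCommand --RegionId "$region" \
    --CommandId 'ACS-ECS-SendSshPublicKey-linux.sh' \
    --InstanceId.1 "$instance_id" \
    --Parameters "$params" || return 1
  ssh -i "$keyfile" -o IdentitiesOnly=yes "$user@$target"
}

# Usage (not executed here); instance ID and address are placeholders:
#   ssh-keygen -t rsa -f ./ecs_key -N ''
#   send_and_connect cn-hangzhou i-bp15vhvt43ciprqkxxxx ecs-user ./ecs_key 203.0.113.10
```

Generating a fresh key pair with -f for each session, as in the usage comment, keeps the long-lived ~/.ssh/id_rsa out of the workflow entirely: the private key that is pushed is itself short-lived, matching the 60-second lifetime of the registered public key.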
FAQ
Why am I still prompted for a password when I attempt to connect to an instance in password-free mode?
After a public key is registered with an instance, the key remains valid on the instance for only 60 seconds. Check whether your public key has expired and, if so, send it again.
An error is reported when I install the config_ecs_instance_connect plug-in by using Cloud Assistant or by running a common command. How do I identify the cause of the issue?
You can view logs to identify the cause of the issue.
View the logs of Cloud Assistant Agent in the following path:
/usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/aliyun_assist_main.log.*
View the logs of Cloud Assistant plug-ins in the following path:
/usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/acs_plugin_manager.log