If you connect to a Linux Elastic Compute Service (ECS) instance by using the key pair-based authentication method from a third-party SSH tool, you can register a temporary public key that is valid for 60 seconds with the instance and use the corresponding private key to connect to the instance within the 60 seconds. Compared with permanent key pairs, temporary key pairs provide higher security in connections. This topic describes how to use Session Manager CLI (ali-instance-cli) to register a temporary public key with an ECS instance and connect to the instance with the corresponding private key instead of a password.
Temporary public keys
Temporary public keys allow you to securely connect to instances without the need to configure key pairs on the instances. Each time you want to connect to an instance over SSH, you can register a temporary public key that is valid for 60 seconds with the instance and then connect to the instance by using the corresponding private key instead of a password.
Temporary public keys are stored in the Cloud Assistant server.
Preparations
Enable Session Manager
Check whether the instance to which you want to connect is in the Running state
Check whether Cloud Assistant Agent is installed on the instance to which you want to connect
Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager
1. Install and configure ali-instance-cli
If you already installed and configured ali-instance-cli, skip this step.
1.1 Install ali-instance-cli
Install ali-instance-cli on your computer. The installation operations vary based on the operating system.
Windows
Click here to download ali-instance-cli for Windows and save it to a folder on your computer.
In this example, ali-instance-cli is saved to the C:\Users\test folder on your computer.
macOS
Run the following command in the macOS terminal to download ali-instance-cli for macOS:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
Run the following command to grant execute permissions on ali-instance-cli:
chmod a+x ali-instance-cli
Linux
Run the following command to install ali-instance-cli for Linux:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
Run the following command to grant execute permissions on ali-instance-cli:
chmod a+x ali-instance-cli
1.2 Configure ali-instance-cli
When you use ali-instance-cli on your computer to connect to an instance, you must configure identity credentials, such as an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. For more information, see the Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager section of this topic.
Windows
Right-click the Start icon and select Run. In the Run dialog box, enter cmd and press the Enter key to open a Command Prompt window.
Run the following command to switch to the directory in which ali-instance-cli.exe resides. In this example, the C:\Users\test directory is used.
cd C:\Users\test
Configure credentials. The following types of credentials are supported:
AccessKey pair
Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:
ali-instance-cli.exe configure --mode AK
STS token
Run the following command to configure credentials:
ali-instance-cli.exe configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"
Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and Security Token Service (STS) token.
Credentials URI
Run the following command and configure the Credentials URI and Region Id parameters as prompted:
ali-instance-cli.exe configure --mode=CredentialsURI
The following command output indicates that credentials are configured.
macOS or Linux
Go to the directory in which ali-instance-cli resides. In this example, the home directory (~) of the current user is used.
cd ~
Configure credentials.
AccessKey pair
Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:
./ali-instance-cli configure --mode AK
STS token
Run the following command to configure credentials:
./ali-instance-cli configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"
Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
Credentials URI
Run the following command and configure the Credentials URI and Region Id parameters as prompted:
./ali-instance-cli configure --mode=CredentialsURI
The following command output indicates that credentials are configured.
2. Register a temporary public key with the instance to which you want to connect
2.1 Obtain the ID of the instance
Obtain the ID of the instance with which you want to register a temporary public key.
Use the ECS console
Use Alibaba Cloud CLI
If you configured Alibaba Cloud CLI, run a command to call the DescribeInstances operation to query the ID of the instance to which you want to connect. For information about the parameters of the DescribeInstances operation, see DescribeInstances.
For example, run the following command to query the ID of an instance named SessionManager-example that resides in the China (Hangzhou) region:
aliyun ecs DescribeInstances --region cn-hangzhou --RegionId 'cn-hangzhou' --InstanceName 'SessionManager-example'
The value of the InstanceId parameter in the command output is the ID of the instance.
Call API operations
Call the DescribeInstances operation to query the ID of the instance to which you want to connect. For more information, see DescribeInstances.
2.2 Generate a key pair
Generate a pair of key files on your computer. The public key file is used for the temporary public key in Step 2.3.
Windows computer
Open Command Prompt and run the following command to generate a key pair as prompted.
In this example, the OpenSSH client is used to generate a key pair in the C:\Users\test directory.
ssh-keygen -t rsa -b 2048 -f id_rsa
-t rsa: specifies the Rivest-Shamir-Adleman (RSA) key type.
-b 2048: specifies a key length of 2,048 bits.
-f id_rsa: specifies that the key files named id_rsa are generated in the working directory.
After you run the preceding command, you are prompted to enter a passphrase to protect the private key. After you configure a passphrase for the private key, anyone who wants to use the private key must first obtain the passphrase.
If you do not want to configure a passphrase for the private key, you can press the Enter key to skip the passphrase configuration step.
After you run the preceding command, the id_rsa.pub file, which is the public key file, and the id_rsa file, which is the private key file, are generated in the working directory of the command line. In this example, the working directory of the command line is C:\Users\test.
macOS or Linux computer
Open Terminal and run the following command to generate a key pair as prompted.
In this example, the OpenSSH client is used to generate a key pair.
ssh-keygen -t rsa -b 2048 -f id_rsa
-t rsa: specifies the RSA key type.
-b 2048: specifies a key length of 2,048 bits.
-f id_rsa: specifies that the key files named id_rsa are generated in the working directory.
After you run the preceding command, you are prompted to enter a passphrase to protect the private key. After you configure a passphrase for the private key, anyone who wants to use the private key must first obtain the passphrase.
If you do not want to configure a passphrase for the private key, you can press the Enter key to skip the passphrase configuration step.
After you run the preceding command, the id_rsa.pub file, which is the public key file, and the id_rsa file, which is the private key file, are generated in the working directory of the command line.
2.3 Send the generated public key as a temporary public key to the instance
Windows computer
Open Command Prompt, switch to the directory where ali-instance-cli.exe resides, and then run the following command to send a temporary public key to register the key with an instance.
In the following command, replace <instance_id> with the ID of the instance with which you want to register a temporary public key, <public_key_path> with the path in which the public key file generated in Step 2.2 is stored, and <ecs_username> with the username to which you want to assign the temporary public key:
ali-instance-cli.exe send_public_key --instance <instance_id> --public-key <public_key_path> --user-name <ecs_username>
For example, to register the temporary public key stored in the C:\Users\test\id_rsa.pub path on your computer with the instance whose ID is i-bp1****** and assign the key to the ecs-user user on the instance, run the following command:
ali-instance-cli.exe send_public_key --instance i-bp1****** --public-key C:\Users\test\id_rsa.pub --user-name ecs-user
After the command is successfully run, log on to the instance by using the corresponding private key within 60 seconds.
macOS or Linux computer
Open Terminal, switch to the directory where ali-instance-cli resides, and then run the following command to send a temporary public key to register the key with an instance.
In the following command, replace <instance_id> with the ID of the instance with which you want to register a temporary public key, <public_key_path> with the path in which the public key file generated in Step 2.2 is stored, and <ecs_username> with the username to which you want to assign the temporary public key:
./ali-instance-cli send_public_key --instance <instance_id> --public-key <public_key_path> --user-name <ecs_username>
For example, to register a temporary public key stored in the ~/id_rsa.pub path on your computer with the instance whose ID is i-bp1****** and assign the key to the ecs-user user on the instance, run the following command:
./ali-instance-cli send_public_key --instance i-bp1****** --public-key ~/id_rsa.pub --user-name ecs-user
After the command is successfully run, log on to the instance by using the corresponding private key within 60 seconds.
3. Connect to the instance over SSH
If you are prompted that the specified password or public key is incorrect, check whether the public key has expired. A temporary public key is valid for 60 seconds.
Use an appropriate SSH tool to connect to the instance. Open Command Prompt or Terminal on your computer and run the following command to connect to the instance.
In the following command, replace <private_key_path> with the path in which the private key file generated in Step 2.2 is stored, <ecs-username> with the username that you specified for the public key in Step 2.3, and <ecs_ip> with the public IP address of the instance to which you want to connect.
ssh -i <private_key_path> <ecs-username>@<ecs_ip>
For example, to use the private key file that is stored in the ~/id_rsa path to connect to the instance whose public IP address is 223.***.***.187 as the ecs-user user, run the following command:
ssh -i ~/id_rsa ecs-user@223.***.***.187
You can also use the port forwarding feature of ali-instance-cli to connect to an instance that does not have a public IP address. For more information, see Use the port forwarding feature of Session Manager CLI to connect to an instance without a public IP address.
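The following script is an added example for the macOS or Linux path and is not part of this topic or of ali-instance-cli. It chains Steps 2.2, 2.3, and 3 so that the private key is generated in a private temporary directory, used once within the 60-second window, and deleted when the SSH session ends. It assumes that ali-instance-cli is already configured (Step 1.2) and is found at the path in ALI_CLI, and that ssh-keygen and ssh are the OpenSSH client tools. The is_public_key check is an extra safeguard that refuses to send a file that is not an OpenSSH public key, so mixing up id_rsa and id_rsa.pub cannot upload the private key.

```shell
#!/bin/sh
# Added example, not part of the original topic: wraps Steps 2.2, 2.3 and 3 so
# the private key only ever exists in a private temporary directory and is
# deleted when the SSH session ends. Assumes ali-instance-cli is already
# configured (Step 1.2) and is found at $ALI_CLI, and that ssh-keygen and ssh
# are the OpenSSH client tools.
set -eu

ALI_CLI="${ALI_CLI:-./ali-instance-cli}"   # assumption: path to the configured CLI
KEY_TTL=60                                  # a temporary public key is valid for 60 seconds

# Refuse to send anything that is not an OpenSSH public key line, so a mix-up
# between id_rsa and id_rsa.pub cannot upload the private key.
is_public_key() {
    head -n 1 "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) '
}

# Seconds of validity left for a key registered at epoch second $1 (0 if expired).
seconds_remaining() {
    now=$(date +%s)
    left=$(( KEY_TTL - (now - $1) ))
    if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}

# Step 2.3: register the public key with the instance for the given username.
register_key() {
    instance_id=$1 pubkey=$2 user=$3
    if ! is_public_key "$pubkey"; then
        echo "refusing to send $pubkey: not an OpenSSH public key" >&2
        return 1
    fi
    "$ALI_CLI" send_public_key --instance "$instance_id" --public-key "$pubkey" --user-name "$user"
}

ephemeral_ssh() {
    instance_id=$1 user=$2 host=$3
    umask 077                                 # key files readable by this user only
    keydir=$(mktemp -d)
    trap 'rm -rf "$keydir"' EXIT INT TERM     # the key is single-use; never leave it behind
    # Step 2.2 with the same parameters the topic uses; -N '' skips the
    # passphrase because the key lives for one session only.
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$keydir/id_rsa"

    registered_at=$(date +%s)
    register_key "$instance_id" "$keydir/id_rsa.pub" "$user"

    # Step 3. IdentitiesOnly stops ssh from first offering other keys from the
    # agent, which would spend part of the 60-second window on rejected keys.
    if ! ssh -i "$keydir/id_rsa" -o IdentitiesOnly=yes "$user@$host"; then
        if [ "$(seconds_remaining "$registered_at")" -eq 0 ]; then
            echo "login failed and the temporary key has expired; run again to register a fresh one" >&2
        fi
        return 1
    fi
}

# Usage: sh ephemeral_ssh.sh --run <instance_id> <ecs_username> <ecs_ip>
# e.g.   sh ephemeral_ssh.sh --run i-bp1****** ecs-user 223.***.***.187
if [ "${1:-}" = "--run" ]; then
    shift
    ephemeral_ssh "$@"
fi
```

Because the key never leaves the temporary directory and is removed by the trap on any exit, a stale private key cannot accumulate on the workstation between sessions; if the login fails after the 60-second window has passed, the script says so instead of leaving you to guess whether the password or the key was the problem.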