
Elastic Compute Service: Manage the logon username of an instance

Last Updated: Mar 26, 2024

You can log on to specific Linux Elastic Compute Service (ECS) instances as the system user named root or as a regular user named ecs-user. This topic describes how to configure and manage logon usernames, including changing the password for root and deleting a user. This can help you use logon usernames that suit your business requirements and ensure system security and effective permission management.

Important

Using root as the logon username of an ECS instance facilitates O&M operations. However, this may cause security risks because the root user has the highest permissions on the instance. For security reasons, we recommend that you use the regular user ecs-user to log on to instances that run an operating system that supports ecs-user.

Considerations

If you want to use ecs-user to log on to an instance, take note of the following items:

  • When you remotely log on to the instance, you must use ecs-user instead of root.

  • If you want to perform critical operations after you log on to the instance as ecs-user, run commands as root by adding sudo before the commands to grant administrative permissions to ecs-user. The critical operations include installing software, restarting services, and attaching disks.

  • When you reset the logon password of an ECS instance offline in the ECS console, you can reset only the password that you configured when you created the instance. If the logon username of your Linux instance is ecs-user, you can reset only the password of ecs-user. For information about how to reset the logon password of an instance, see Reset the logon password of an instance.

Important

Before you use ecs-user to log on to an instance, make sure that the systems and applications that are relevant to your business do not depend on root.

Operating systems that support ecs-user

For security reasons, Alibaba Cloud provides ecs-user as an alternative username to root that you can use to log on to specific Linux instances. The operating systems that support selecting ecs-user as the username are displayed in the console. You can call the DescribeImages operation to query whether an image supports ecs-user. If the return value of LoginAsNonRootSupported is true, the image supports ecs-user. Otherwise, the image does not support ecs-user.

Note

If you use an operating system that does not support ecs-user as a logon username to create an instance, you can create and use a regular user to log on to the instance. For more information, see the Create and use a regular user to log on to an instance section in this topic.

Configure ecs-user as the logon username of an instance

When you create an instance, replace the operating system of an instance, or re-initialize the system disk of an instance, you can configure ecs-user as the logon username of the instance. The following table describes the related operations.

Scenario: Create an instance on the Custom Launch tab

Description: Configure parameters based on your business requirements. Take note of the following items:

  1. In the Image section, select an image version that supports ecs-user.

  2. In the Management section, select a logon credential based on your business requirements and select ecs-user as the logon username.

Scenario: Replace the operating system of an instance

Description: Configure parameters based on your business requirements. Take note of the following items:

  1. In the Image section of the Change Operating System page, select an image version that supports ecs-user.

  2. In the Security Settings section of the Change Operating System page, select a logon credential based on your business requirements and select ecs-user as the logon username.

Scenario: Re-initialize a system disk

Description: Configure parameters based on your business requirements. Take note of the following items:

  1. Logon Credentials: Select Password or Key Pair based on your business requirements.

  2. Username: Select ecs-user.

Use root to log on to an instance after you configure ecs-user

After you configure ecs-user as the logon username of an instance, if specific software or applications require root user permissions to run, you must use root to log on to the instance to meet the running requirements. You can configure a password for the root user in the ECS console or by logging on to the instance. After the password is configured, you can use root to log on to the instance.

Reset the logon password of an instance online in the ECS console

If an instance supports resetting the logon password online, you can reset the password of the root user online.


  • ①: In this section, select Online Reset.

  • ②: In this section, set Logon Username to root and configure a new password for root.

  • ③: In this section, set SSH Password Authentication to Enable. This allows you to connect to the instance by using SSH and log on to the instance by using the configured password.

    For more information, see Reset the logon password of an instance.

Log on to an instance to change the logon username

  1. Use ecs-user to log on to the instance.

    For more information, see Connect to a Linux instance by using a password or key.

    Important

    After you configure ecs-user as the logon username of an instance, you cannot use root to log on to the instance. You must use ecs-user and the corresponding password to log on to the instance.

  2. Configure a password or key pair for root based on the logon method of root.

    • Configure a password for root to log on to the instance.

      1. Run the following command to configure a password for root:

        sudo passwd root

        Configure the password of root based on the command output.

      2. Allow root to log on to the instance by using the password.

        1. Run the following command to open the /etc/ssh/sshd_config file:

          sudo vi /etc/ssh/sshd_config

        2. In the /etc/ssh/sshd_config file, find the line that starts with PasswordAuthentication, press the I key to enter Insert mode, and then change the line to PasswordAuthentication yes.

          The following figure shows the modified line. [Figure: root password logon]

          Note

          If PasswordAuthentication is already set to yes, you do not need to modify the file.

        3. After you modify the file, press the Esc key to exit Insert mode. Enter :wq and press the Enter key to save and close the file.

      3. Run the following command to restart the SSH service for the configuration to take effect:

        sudo systemctl restart sshd

        Then, you can use root and the corresponding password to remotely log on to the instance.

    • Configure a key pair for root to log on to the instance.

      Save the public key of a key pair to the /root/.ssh/authorized_keys configuration file. This way, you can use root and the key pair to log on to the instance.
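
The procedure above edits "the line that starts with PasswordAuthentication", but sshd uses the first value it reads for each keyword, so an earlier line in the file can override the edited one. The following check is an added example, not part of the original documentation; the helper name effective_sshd_value and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report which value sshd will
# actually use for a keyword. sshd keeps the FIRST value it reads, so an
# earlier line can override the line you just edited.

# effective_sshd_value FILE KEYWORD  (hypothetical helper name)
# Prints the first global value of KEYWORD in FILE, lower-cased.
# Does not follow Include; on a live host use the sshd -T command noted below.
effective_sshd_value() {
    awk -v key="$2" -F'[ \t=]+' '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }            # strip indent; awk re-splits fields
        /^#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }   # Match blocks apply conditionally
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Constructed sample: the line a reader would edit is the second setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real instance
passwordauthentication no
#PasswordAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
echo "effective PasswordAuthentication: $(effective_sshd_value "$sample" PasswordAuthentication)"
rm -f "$sample"

# On the instance itself, validate before restarting and read the resolved value:
#   sudo sshd -t && sudo sshd -T | grep -i '^passwordauthentication '
```
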

Create and use a regular user to log on to an instance

If you use an operating system that does not support ecs-user as a logon username to create an instance, you can create and use a regular user to log on to the instance. The following section describes the operations that you can perform to create a regular user on an instance. You can also create a regular user based on your O&M habits to log on to the instance.

Note

Replace <username> in the following commands with the username that you want to create.

  1. Use root to remotely log on to the instance.

    For more information, see Connect to a Linux instance by using a password or key.

  2. Run the following command to create a regular user:

    useradd <username>

  3. Run the following command to change the password for the regular user:

    passwd <username>

Note

  • You can manage the permissions of the regular user by using the /etc/sudoers file or the /etc/sudoers.d/ directory.

  • After you log on to the instance by using the created regular user, if you want to perform critical operations (such as installing software, restarting services, or attaching disks), run commands as root by adding sudo before the commands to grant administrative permissions to the regular user.
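
One way to grant the regular user sudo rights through the /etc/sudoers.d/ directory mentioned in the note, staged and syntax-checked before it takes effect. This is an added example, not part of the original documentation; the function names, the username policy, and the rule granted (full sudo with a password prompt) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Stages a sudoers drop-in for a
# regular user and installs it only if it passes a syntax check.

# sudo skips files in /etc/sudoers.d whose names contain "." or end in "~",
# so a drop-in named after a user such as "app.deploy" would be silently ignored.
dropin_name() {
    printf '%s' "$1" | tr '.~' '__'
}

# install_sudo_dropin USER [DIR]   (DIR defaults to /etc/sudoers.d; run as root)
install_sudo_dropin() {
    user=$1 dir=${2:-/etc/sudoers.d}
    # Refuse names that could smuggle extra sudoers syntax (assumed policy).
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "invalid username: $user" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # Assumed rule: full sudo rights, password required (no NOPASSWD).
    printf '%s ALL=(ALL) ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    # A syntax error in a sudoers file can break sudo for every user, so
    # validate the staged file first (skipped only if visudo is not installed).
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/$(dropin_name "$user")"
}

# Usage on the instance, as root, after useradd and passwd:
#   install_sudo_dropin <username>
```
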