Simple Application Server: Manage key pairs on Linux simple application servers

Last Updated: Sep 11, 2024

Alibaba Cloud provides SSH key pair-based authentication as a secure and convenient method for logging on to simple application servers. An SSH key pair consists of a public key and a private key and is used for authentication and encrypted communication over the SSH protocol. Only simple application servers that run Linux support SSH key pairs. This topic describes how to create, import, bind, unbind, and delete an SSH key pair in the Simple Application Server console.

Advantages

SSH key pair-based authentication provides the following advantages over username/password-based authentication:

  • Increased security: SSH key pairs provide higher security and reliability for authentication.

    • SSH key pairs are more secure than regular passwords against brute-force attacks.

    • A private key cannot be derived from its public key, even if the public key is obtained by a malicious party.

  • Ease of use:

    • If you configure a public key on a Linux instance, you can run an SSH command or use a connection tool to log on to the instance by using the corresponding private key instead of a password.

    • You can log on to multiple Linux instances at the same time by using an SSH key pair. This way, you can manage your instances in a more convenient manner. If you want to batch maintain multiple Linux instances, we recommend that you use the SSH key pair-based authentication method.

Usage notes

  • Only simple application servers that run Linux support SSH key pairs.

  • You can create a maximum of 10 key pairs in a region for an Alibaba Cloud account.

  • You can create only 2048-bit RSA key pairs in the Simple Application Server console.

Create or import a key pair

You can create a key pair in the Simple Application Server console or import an existing key pair. Then, you can bind the key pair to a simple application server and use the key pair to log on to the server.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Key Pair.

  3. On the Key Pair page, click Create Key Pair.

  4. In the Create Key Pair dialog box, follow the on-screen instructions to configure parameters and click Confirm.

    Automatically create a key pair

    The following table describes the parameters that you need to configure.

    | Parameter | Description |
    | --- | --- |
    | Key Pair Name | Enter a name for the key pair. The name must be 2 to 64 characters in length and can contain letters, digits, colons (:), underscores (_), and hyphens (-). The name must start with a letter. |
    | Creation Mode | Select Auto-Generate Key Pair. |

    Important
    • Key pair information is automatically downloaded as a .pem file to your on-premises computer. A key pair can be downloaded only once. No later retrieval is available. Keep the key pair confidential.

    • If no download page appears, check whether a blocking message is displayed in the browser.

    Import an existing key pair

    You can import an existing key pair to the Simple Application Server console. Then, you can bind the key pair to a simple application server and use the key pair to log on to the server. The key pair that you want to import must use a supported encryption method. For more information, see Q2: Which encryption methods must be used by key pairs that I want to import to the Simple Application Server console?

    The following table describes the parameters that you need to configure.

    | Parameter | Description |
    | --- | --- |
    | Key Pair Name | Enter a name for the key pair. The name must be 2 to 64 characters in length and can contain letters, digits, colons (:), underscores (_), and hyphens (-). The name must start with a letter. |
    | Creation Mode | Select Import Key Pair. |
    | Public Key Content | Copy the public key of the key pair that you want to import to the code editor. You can move the pointer over Base64 Preview to view the format of the public key. For information about how to obtain the public key information of the key pair that you want to import, see Q3: How do I view the public key information of a key pair? |

  5. In the Create Key Pair dialog box, you can select whether to bind the key pair to a simple application server now.

    You can also bind the key pair after you create the key pair. For more information, see Bind a key pair to a simple application server.

Bind a key pair to a simple application server

The simple application server that you want to bind must be in the Running or Stopped state.

Important
  • You can bind only one key pair to a simple application server in the Simple Application Server console. If a simple application server has a key pair bound, the newly bound key pair overwrites the previously bound key pair.

  • After you bind a key pair to a simple application server, password-based logon is automatically disabled for the root account on the server. To re-enable password-based logon, you must modify the configuration file of the server. For more information, see Re-enable password-based logons.

  • If you want to use multiple key pairs to log on to a simple application server, you can modify the ~/.ssh/authorized_keys file inside the server to add multiple key pairs. For more information, see Q1: How do I use multiple key pairs to log on to a simple application server?

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Key Pair.

  3. On the Key Pair page, find the key pair that you want to bind and click Attach Server in the Actions column.

  4. In the Attach Server dialog box, select one or more Linux simple application servers and click the image icon.

  5. Click Confirm.

  6. In the Attach Server dialog box, select whether to restart the server now based on your business requirements.

    • Restart the server now: Click Restart Now. The key pair takes effect after the server is restarted.

      Warning

      The restart operation stops the instance for a short period of time and may interrupt services that are running on the instance. We recommend that you restart the instance during off-peak hours.

    • Restart the server later: Click Postpone Restart. Then, you can restart the server during off-peak hours to allow the key pair to take effect.

After the key pair takes effect, you can use the key pair to log on to the simple application servers. For more information, see Connect to a Linux server by using a key pair.

Unbind a key pair

If you want to change the SSH key pair that is bound to your simple application server, or if one of your end users no longer needs to access a specific simple application server, you can unbind the SSH key pair from the server. Unbinding improves the security of the server or restricts access to it.

Important

After you create a key pair for a simple application server and restart the server for the key pair to take effect, password-based logon is automatically disabled for the root account on the server. To re-enable password-based logon, you must modify the configuration file of the server. For more information, see Re-enable password-based logons.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Key Pair.

  3. On the Key Pair page, find the key pair that you want to unbind and click Detach Server in the Actions column.

  4. In the Detach Server dialog box, select one or more Linux simple application servers and click the image icon.

  5. Click Confirm.

  6. In the Detach Server dialog box, select whether to restart the server now based on your business requirements.

    • Restart the server now: Click Restart Server. The key pair unbinding operation takes effect after the server is restarted.

      Warning

      The restart operation stops the instance for a short period of time and may interrupt services that are running on the instance. We recommend that you restart the instance during off-peak hours.

    • Restart the server later: Click Postpone Restart. Then, you can restart the server during off-peak hours to allow the key pair unbinding operation to take effect.

Delete a key pair

You must unbind a key pair that you no longer use from a simple application server before you can delete the key pair.

  1. Log on to the Simple Application Server console.

  2. In the left-side navigation pane, click Key Pair.

  3. On the Key Pair page, find the key pair that you want to delete and click Delete in the Actions column.

  4. In the Delete Key Pair message, click OK.

FAQ

Q1: How do I use multiple key pairs to log on to a simple application server?

A1: If you want to use multiple key pairs to log on to a simple application server, you can manually modify the ~/.ssh/authorized_keys file inside the simple application server to add multiple key pairs. Procedure:

  1. Use the existing SSH key pair to log on to the Linux simple application server. For more information, see Connect to a Linux server by using a key pair.

  2. Run the following command to open the .ssh/authorized_keys file:

    sudo vim .ssh/authorized_keys

  3. Press the i key to enter edit mode and add or replace the public key information.

    • You can add and save new public key information below the existing public key information.

      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCys3aOkFm1Xh8iN0lijeQF5mz9Iw/FV/bUUduZjauiJa1KQJSF4+czKtqMAv38QEspiWStkSfpTn1g9qeUhfxxxxxxxxxx+XjPsf22fRem+v7MHMa7KnZWiHJxO62D4Ihvv2hKfskz8K44xxxxxxxxxx+u17IaL2l2ri8q9YdvVHt0Mw5TpCkERWGoBPE1Y8vxFb97TaE5+zc+2+eff6xxxxxxxxxx/feMeCxpx6Lhc2NEpHIPxMpjOv1IytKiDfWcezA2xxxxxxxxxx/YudCmJ8HTCnLId5LpirbNE4X08Bk7tXZAxxxxxxxxxx/FKB1Cxw1TbGMTfWxxxxxxxxxx imported-openssh-key
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvxxxxxxxxxx/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key

      Note

      If the public key file contains information about multiple public keys, you can log on to the Linux instance by using the paired private keys.

    • You can delete existing public key information and then add and save new public key information.

      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIP6t0Mk5aPkK/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcV14uAy0yV6/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjGACGcXclex+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvVlnI0E3Deb/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key

  4. After you add or replace the public key information, press the Esc key to exit the edit mode and enter :wq to save the changes.

  5. Use the new SSH key pair to log on to the Linux instance. For more information, see Connect to a Linux instance by using an SSH key pair.

    If you can log on to the Linux instance by using the new private key, the new SSH key pair is added or the old SSH key pair is replaced.
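
The manual edit in steps 2 to 4 can also be scripted. The following shell function is an added example, not part of the original documentation; the name add_authorized_key, its return codes, and the .bak backup suffix are assumptions made for the example. It rejects a key that was wrapped across lines or whose blob does not match its declared type, skips a key that is already listed, and keeps the owner-only permissions that sshd expects.

```shell
#!/bin/sh
# Added example, not from the original page: append one OpenSSH public key to
# an authorized_keys file. Function name, return codes and the .bak suffix are
# choices made for this example. Needs base64, dd, awk, tail (coreutils).
# Returns 0 = added, 1 = already present, 2 = rejected or write failed.
add_authorized_key() {
    line=$1
    file=${2:-$HOME/.ssh/authorized_keys}
    nl='
'
    # A key wrapped across lines by a bad paste is rejected up front.
    case $line in
        *"$nl"*) echo "rejected: key spans several lines" >&2; return 2 ;;
    esac

    # Expected layout: "<type> <base64-blob> [comment]".
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}

    # The blob must decode as base64, and the algorithm name stored after its
    # 4-byte length prefix must equal the declared key type.
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "rejected: blob is not valid base64" >&2; return 2; }
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
        dd bs=1 skip=4 count="${#ktype}" 2>/dev/null | tr -d '\000')
    [ -n "$ktype" ] && [ "$inner" = "$ktype" ] ||
        { echo "rejected: blob does not match declared type" >&2; return 2; }

    # sshd's StrictModes check refuses keys kept in group- or world-writable
    # locations, so the directory is held at 700 and the file at 600.
    dir=$(dirname -- "$file")
    mkdir -p -- "$dir" && chmod 700 -- "$dir" || return 2

    # Same blob already listed (comment and options ignored): change nothing.
    if [ -f "$file" ] && awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 } END { exit !hit }' "$file"
    then
        return 1
    fi

    # Back up, repair a missing final newline so the new key cannot fuse with
    # the previous line, then append with owner-only permissions.
    if [ -s "$file" ]; then
        cp -p -- "$file" "$file.bak" || return 2
        [ -z "$(tail -c 1 "$file")" ] || echo >>"$file"
    fi
    ( umask 077; printf '%s\n' "$line" >>"$file" ) && chmod 600 -- "$file" || return 2
}
```

Pass the contents of a .pub file as the first argument; the second argument is optional and defaults to ~/.ssh/authorized_keys. Entries that begin with authorized_keys options rather than the key type are rejected by the layout check.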

Q2: Which encryption methods must be used by key pairs that I want to import to the Simple Application Server console?

A2: Only the key pairs that use one of the following encryption methods can be imported to the Simple Application Server console:

  • rsa

  • dsa

  • ssh-rsa

  • ssh-dss

  • ecdsa

  • ssh-rsa-cert-v00@openssh.com

  • ssh-dss-cert-v00@openssh.com

  • ssh-rsa-cert-v01@openssh.com

  • ssh-dss-cert-v01@openssh.com

  • ecdsa-sha2-nistp256-cert-v01@openssh.com

  • ecdsa-sha2-nistp384-cert-v01@openssh.com

  • ecdsa-sha2-nistp521-cert-v01@openssh.com

Q3: How do I view the public key information of a key pair?

A3: To view the public key information of a key pair, perform the following operations:

On-premises Windows device

To view public key information, perform the following operations:

  1. Start PuTTYgen.

  2. Click Load.

  3. Select the .ppk or .pem file.

    PuTTYgen displays the public key information.

On-premises Linux or macOS device

Run the ssh-keygen command and specify the path of the .pem file:

ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem

The following example shows the returned public key information:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA****+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCxxxxxx

Within a simple application server

  1. Connect to the Linux simple application server. For more information, see Connect to a Linux server by using a key pair.

  2. Run the following command to view the public key information of an SSH key pair:

    sudo cat ~/.ssh/authorized_keys

    Note

    The public key information is stored in the ~/.ssh/authorized_keys file. Open the file on the instance to view the public key information.

Related operations

You can call API operations to manage key pairs. The API operations include: