Connecting to a VM's serial console via SSH

After enabling access, you can connect to the serial console to interact with the VM. Before connecting, carefully read the Security section.

Security

Important

Leaving access to the serial console enabled is not secure: hackers may get access to your VM. Disable access after you finish working with the serial console: in metadata, set the parameter serial-port-enable=0.

For remote access, it is important to ensure protection against MITM attacks. To do that, you can use client/server encryption.

Set up a secure connection in one of the following ways:

  • You can download the current SHA256 Fingerprint of the key before each connection to the VM.

    The first time you connect to the VM, the client sends the key fingerprint to the server and awaits a decision on establishing a connection:

    • YES: establish the connection.
    • NO: reject.

    Make sure the fingerprint from the link matches the fingerprint received from the client.

  • You can download the public key of the host before each connection to the serial console.

    Use the received public key when connecting to the serial console.

    Recommended startup options:

    $ ssh -o ControlPath=none -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./serialssh-knownhosts -p 9600 -i ~/.ssh/<secret key name> <VM ID>.<user name>@serialssh.cloud.yandex.net
    

    The host's public key may be changed in the future.

Check the specified files often. Download these files only via HTTPS after verifying the validity of the https://storage.yandexcloud.net website certificate. If the website cannot securely encrypt your data due to certificate problems, the browser will warn you about that.
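The fingerprint comparison described above can be done offline, before the first connection. The following is an added example, not code from the original page or from Yandex.Cloud: it derives the SHA256 fingerprint from a downloaded public key line, compares it with the published fingerprint, and builds the entry for the UserKnownHostsFile named in the recommended options. It assumes the downloaded files hold a standard OpenSSH public key line and a `SHA256:...` string; the sample key is constructed and is not the real host key.

```python
import base64
import hashlib
import struct

HOST, PORT = "serialssh.cloud.yandex.net", 9600  # values from the page

def parse_pubkey(line):
    """Split an OpenSSH public key line into (key type, decoded key blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the file is corrupt or was not an SSH public key at all.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match key blob")
    return keytype, blob

def sha256_fingerprint(line):
    """Fingerprint as ssh prints it: SHA256:<unpadded base64 of SHA-256(blob)>."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_entry(pubkey_line, published_fingerprint):
    """Return a pinned known_hosts line, or raise if the fingerprints differ."""
    actual = sha256_fingerprint(pubkey_line)
    if actual != published_fingerprint.strip():
        raise ValueError(f"fingerprint mismatch: got {actual}")
    keytype, blob = parse_pubkey(pubkey_line)
    # Non-default ports are stored as [host]:port in known_hosts.
    return f"[{HOST}]:{PORT} {keytype} {base64.b64encode(blob).decode()}"

# Constructed sample key (NOT the real host key): a well-formed ed25519 blob.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " constructed-sample"

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PUBKEY)  # stands in for the downloaded fingerprint
    print(fp)
    print(known_hosts_entry(SAMPLE_PUBKEY, fp))
```

Write the returned line to ./serialssh-knownhosts; with StrictHostKeyChecking=yes, ssh then refuses any host key that differs from it.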

Connecting to a serial console

To connect to the serial console:

If you don't have the Yandex.Cloud command line interface yet, install it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id flag.

  1. Get a list of VMs in the default folder:

    $ yc compute instance list
    +----------------------+-----------------+---------------+---------+----------------------+
    |          ID          |       NAME      |    ZONE ID    | STATUS  |     DESCRIPTION      |
    +----------------------+-----------------+---------------+---------+----------------------+
    | fhm0b28lgfp4tkoa3jl6 | first-instance  | ru-central1-a | RUNNING | my first vm via CLI  |
    | fhm9gk85nj7gcoji2f8s | second-instance | ru-central1-a | RUNNING | my second vm via CLI |
    +----------------------+-----------------+---------------+---------+----------------------+
    
  2. Select the ID of the appropriate VM (for example, fhm0b28lgfp4tkoa3jl6).

  3. Connect to the serial console:

    $ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/<secret key name> <VM ID>.<user name>@serialssh.cloud.yandex.net
    

    Example for yc-user:

    $ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/id_rsa fhm0b28lgfp4tkoa3jl6.yc-user@serialssh.cloud.yandex.net
    

Access to the serial console is provided to users who have the serial-port-enable=1 parameter set in metadata and SSH key authentication configured.

  • If nothing appears on the screen after you connect to the serial console, press Enter. If the problem persists, restart the VM.
  • If the system requests user data to provide access to the VM, enter the login and password.
  • If you see the error Warning: remote host identification has changed! when connecting to the VM, run ssh-keygen -R <IP address of VM>.

Disconnecting from the serial console

To disconnect from the serial console:

  1. Press Enter.
  2. Enter the following two characters in sequence: ~ and then . (tilde, then period).