Connecting to a VM's serial console via SSH
Serial console access is not secure, so enabling it might allow hackers to access your VM. Disable access after you finish working with the serial console.
For remote access, it is important to ensure protection against MITM attacks. To do that, you can use client/server encryption.
To set up a secure connection:
You can download the current SHA256 Fingerprint of the key before each connection to the VM.
The first time you connect to the VM, the client sends the key fingerprint to the server and awaits a decision on establishing a connection:
- YES: establish the connection.
- NO: reject.
Make sure the fingerprint from the link matches the fingerprint received from the client.
You can download the public key of the host before each connection to the serial console.
Use the received public key when connecting to the serial console.
Recommended startup options:
$ ssh -o ControlPath=none -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./serialssh-knownhosts -p 9600 -i ~/.ssh/<secret key name> <VM ID>.<user name>@serialssh.cloud.yandex.net
The host's public key may be changed in the future.
Check the specified files often. Download these files only via HTTPS after verifying the validity of the
https://storage.yandexcloud.net website certificate. If the website cannot securely encrypt your data due to certificate problems, the browser will warn you about that.
Connecting to the serial console
How the serial console works depends on the operating system settings. Yandex Compute Cloud provides a communication channel between the user and COM port on the VM, but it doesn't guarantee that the console works properly on the operating system.
To connect to the VM, you must use its ID. For more information about how to get the ID of a VM, see Getting information about a VM.
Connection command example:
$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/<private key name> <username>@serialssh.cloud.yandex.net
yc-user and the virtual machine with the ID
$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/id_rsa email@example.com
yc-user user is generated automatically when the VM is being created. Learn more in Creating a VM from a public Linux image.
- If you connect to the serial console and nothing appears on the screen:
- Restart the VM (for virtual machines created before February 22).
- If the system requests user data to provide access to the VM, enter the login and password.
- If you see the error
Warning: remote host identification has changed!when connecting to the VM, run
ssh-keygen -R <IP address of VM>.
Disconnecting from the serial console
To disconnect from the serial console:
- Enter the following characters in order: