
Connecting to a VM's serial console via SSH

  • Security
  • Connecting to the serial console
  • Disconnecting from the serial console

After enabling access, you can connect to the serial console to work with the VM. Before connecting to the serial console, carefully read the Security section.

Security

Warning

Assess the risk of enabling access via the serial console considering the following:

  • The user will be able to manage the VM from the internet even if there is no external IP address.

    To access the VM serial console from the Yandex.Cloud management console, the user must be authenticated in the Yandex.Cloud management console and have the proper rights to the VM. The user can also access the VM serial console from an SSH client application (such as PuTTY) or the YC CLI via SSH key authentication. For this reason, to reduce the risk of web session hijacking, the user needs to carefully monitor the SSH key and end the web session.

  • The session will be simultaneously shared by all users who have access to the serial console.

    Users will be able to see each other's actions when they're watching the serial console's output.

  • A valid session can be exploited by another user.

We recommend using the serial console only when absolutely necessary, granting access to a narrow group of people, and using strong VM passwords.
Make sure you disable access when you finish working with the serial console.

Federated users can only connect to the serial console using the CLI or SSH. These users can't access the serial console from the Yandex.Cloud management console.

For remote access, it is important to ensure protection against MITM attacks. To do that, you can use client/server encryption.

To set up a secure connection:

  • You can download the current SHA256 fingerprint of the key before each connection to the VM.

    The first time you connect to the VM, the client sends the key fingerprint to the server and awaits a decision on establishing a connection:

    • YES: establish the connection.
    • NO: reject.

    Make sure the fingerprint from the link matches the fingerprint received from the client.

  • You can download the public key of the host before each connection to the serial console.

    Use the received public key when connecting to the serial console.

    Recommended startup options:

    $ ssh -o ControlPath=none -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./serialssh-knownhosts -p 9600 -i ~/.ssh/<secret key name> <VM ID>.<user name>@serialssh.cloud.yandex.net
    

    The host's public key may be changed in the future.

Check the specified files often. Download these files only via HTTPS after verifying the validity of the https://storage.yandexcloud.net website certificate. If the website cannot securely encrypt your data due to certificate problems, the browser will warn you about that.
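
The check described above, as an added example that is not part of the Yandex.Cloud documentation: it computes the SHA256 fingerprint of a host public key the way an SSH client displays it, compares it with the published fingerprint, and only then produces the known_hosts entry for port 9600. The function names are hypothetical, the key type ssh-ed25519 is an assumption, and the key bytes are constructed sample data, not the real host key.

```python
import base64
import hashlib
import struct

HOST, PORT = "serialssh.cloud.yandex.net", 9600  # endpoint and port from the page


def openssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint, as ssh prints it, of a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was truncated or edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_known_hosts_line(pubkey_line: str, published_fingerprint: str) -> str:
    """Return a known_hosts entry only if the key matches the published fingerprint."""
    actual = openssh_fingerprint(pubkey_line)
    if actual != published_fingerprint.strip():
        raise ValueError(f"fingerprint mismatch: got {actual}")
    key_type, b64 = pubkey_line.split()[:2]
    # Non-default ports use the "[host]:port" form in known_hosts.
    return f"[{HOST}]:{PORT} {key_type} {b64}"


def constructed_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 line from made-up bytes (not a real key)."""
    name, raw = b"ssh-ed25519", bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    published_key = constructed_key(1)                 # stands in for the downloaded key
    published_fp = openssh_fingerprint(published_key)  # stands in for the downloaded fingerprint
    print(pinned_known_hosts_line(published_key, published_fp))
    try:
        pinned_known_hosts_line(constructed_key(2), published_fp)  # substituted key
    except ValueError as err:
        print("rejected:", err)
```

Write the returned line to ./serialssh-knownhosts, the file named by UserKnownHostsFile in the recommended command, so that StrictHostKeyChecking=yes has a pinned entry to compare against.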

Connecting to the serial console

Note

How the serial console works depends on the operating system settings. Yandex Compute Cloud provides a communication channel between the user and the COM port on the VM, but it doesn't guarantee that the console works properly on the operating system.

To connect to the VM, you must use its ID. For more information about how to get the ID of a VM, see Getting information about a VM.

Connection command example:

$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/<private key name> <VM ID>.<username>@serialssh.cloud.yandex.net

Example with yc-user and the virtual machine with the ID fhm0b28lgfp4tkoa3jl6:

$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/id_rsa fhm0b28lgfp4tkoa3jl6.yc-user@serialssh.cloud.yandex.net

The yc-user user is generated automatically when the VM is being created. Learn more in Creating a VM from a public Linux image.

Troubleshooting

  • If you connect to the serial console and nothing appears on the screen:
    • Press Enter.
    • Restart the VM (for virtual machines created before February 22).
  • If the system requests user data to provide access to the VM, enter the login and password.
  • If you see the error Warning: remote host identification has changed! when connecting to the VM, run ssh-keygen -R <IP address of VM>.

Disconnecting from the serial console

To disconnect from the serial console:

  1. Press Enter.
  2. Enter the following characters in order: ~ and then . (the ~. sequence).
© 2021 Yandex.Cloud LLC