Connecting to a VM's serial console via SSH
Assess the risk of enabling access via the serial console considering the following:
The user will be able to manage the VM from the internet even if there is no external IP address.
To access the VM serial console from the Yandex.Cloud management console, the user must be authenticated in the Yandex.Cloud management console and have the proper rights to the VM. The user can also access the VM serial console from an SSH client application (such as PuTTY) or the YC CLI via SSH key authentication. In this regard, to reduce the risk of web session hijacking, the user needs to carefully monitor the SSH key and end the web session.
The session will be simultaneously shared by all users who have access to the serial console.
Users will be able to see each other's actions when they're watching the serial console's output.
A valid session can be exploited by another user.
We recommend using the serial console only when absolutely necessary, grant access to a narrow group of people, and use strong VM passwords.
Make sure you disable access when you finish working with the serial console.
For remote access, it is important to ensure protection against MITM attacks. To do that, you can use client/server encryption.
To set up a secure connection:
You can download the current SHA256 Fingerprint of the key before each connection to the VM.
The first time you connect to the VM, the client sends the key fingerprint to the server and awaits a decision on establishing a connection:
- YES: establish the connection.
- NO: reject.
Make sure the fingerprint from the link matches the fingerprint received from the client.
You can download the public key of the host before each connection to the serial console.
Use the received public key when connecting to the serial console.
Recommended startup options:
$ ssh -o ControlPath=none -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./serialssh-knownhosts -p 9600 -i ~/.ssh/<secret key name> <VM ID>.<username>@serialssh.cloud.yandex.net
The host's public key may be changed in the future.
Check the specified files often. Download these files only via HTTPS after verifying the validity of the
https://storage.yandexcloud.net website certificate. If the website cannot securely encrypt your data due to certificate problems, the browser will warn you about that.
Connecting to the serial console
How the serial console works depends on the operating system settings. Yandex Compute Cloud provides a communication channel between the user and COM port on the VM, but it doesn't guarantee that the console works properly on the operating system.
To connect to the VM, you must use its ID. For more information about how to get the ID of a VM, see Getting information about a VM.
Connection command example:
$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/<private key name> <VM ID>.<username>@serialssh.cloud.yandex.net
yc-user and the virtual machine with the ID
$ ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/id_rsa email@example.com
yc-user user is generated automatically when the VM is being created. Learn more in Creating a VM from a public Linux image.
- If you connect to the serial console and nothing appears on the screen:
- Restart the VM (for virtual machines created before February 22).
- If the system requests user data to provide access to the VM, enter the login and password.
- If you see the error
Warning: remote host identification has changed!when connecting to the VM, run
ssh-keygen -R <IP address of VM>.
Disconnecting from the serial console
To disconnect from the serial console:
- Enter the following characters in order: