Connecting to a VM's serial console via SSH
Alert
You can only connect to a VM's serial console via SSH using a non-password-protected key. Otherwise, the connection will be terminated after you enter a password.
After enabling access, you can connect to the serial console to interact with the VM. Before connecting to the serial console, carefully read the Security section.
Security
Warning
When assessing the risk of enabling access via the serial console, consider the following:
- The VM can still be managed from the internet even if there is no external IP address.
  To access the VM serial console from the Yandex Cloud management console, a user must be authenticated in the Yandex Cloud management console and have the proper permissions to the VM. One can access the VM serial console from an SSH client application, such as PuTTY, or the YC CLI via SSH key authentication. To reduce the risk of web session hijacking, you should closely monitor your SSH key and make sure you terminate the web session.
- The session will be simultaneously shared by all users who have access to the serial console.
  Users will be able to see each other's actions if concurrently watching the serial console's output.
- A valid session can be exploited by another user.
We recommend using the serial console only when absolutely necessary, granting access to a narrow group of people, and using strong VM passwords.
Make sure you disable access after you finish using the serial console.
For remote access, it is important to ensure protection against MITM attacks.
To set up a secure connection:
- You can download the current SHA256 fingerprint of the SSH key before each connection to the VM.
  The first time you connect to the VM, the client sends the SSH key fingerprint to the server and awaits a decision on establishing a connection:
  - YES: Establish the connection.
  - NO: Reject.
  Make sure the fingerprint from the link matches the fingerprint received from the client.
- You can download the public SSH key of the host before each connection to the serial console.
  Use the public SSH key you receive when connecting to the serial console.
Recommended startup options:
ssh -o ControlPath=none -o IdentitiesOnly=yes -o CheckHostIP=no -o StrictHostKeyChecking=yes -o UserKnownHostsFile=./serialssh-knownhosts -p 9600 -i ~/.ssh/<private_SSH_key_name> <VM_ID>.<username>@serialssh.cloud.yandex.net
The host's public SSH key may be changed in the future.
Check the specified files often. Download these files only via HTTPS after verifying the validity of the https://storage.yandexcloud.net website certificate. If the website cannot securely encrypt your data due to certificate problems, the browser will warn you about that.
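The fingerprint comparison and host key pinning described above, as an added example that is not part of the original documentation. It computes the OpenSSH-style SHA256 fingerprint of a public key line, refuses to continue on a mismatch, and produces the entry for the ./serialssh-knownhosts file used with StrictHostKeyChecking=yes. The function names are hypothetical and the sample key is constructed; in practice the key line and the fingerprint come from the files downloaded over HTTPS.

```python
import base64
import hashlib
import struct

HOST, PORT = "serialssh.cloud.yandex.net", 9600  # endpoint and port from the page


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is malformed or was edited.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the digest as base64 with the trailing padding removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_known_hosts_line(pubkey_line: str, published_fp: str) -> str:
    """Return a known_hosts entry only if the key matches the published fingerprint."""
    actual = fingerprint(pubkey_line)
    if actual != published_fp.strip():
        raise ValueError(f"fingerprint mismatch: got {actual}")
    key_type, b64_blob = pubkey_line.split()[:2]
    # Non-default ports are written as [host]:port in known_hosts.
    return f"[{HOST}]:{PORT} {key_type} {b64_blob}"


def constructed_key(seed: int = 0) -> str:
    """Constructed sample key (not the real host key), for demonstration only."""
    name = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = constructed_key()
    published = fingerprint(key)  # stands in for the downloaded fingerprint file
    with open("serialssh-knownhosts", "w") as fh:
        fh.write(pinned_known_hosts_line(key, published) + "\n")
    print("pinned", published)
```

With CheckHostIP=no and StrictHostKeyChecking=yes, ssh accepts the connection only if the server presents the key written to this file.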
Connecting to the serial console
Note
How the serial console works depends on the operating system settings. Compute Cloud provides a communication channel between the user and COM port on the VM, but it does not guarantee that the console works properly on the OS.
Run this command:
ssh -t -p 9600 -o IdentitiesOnly=yes -i <private_SSH_key_path> <VM_ID>.<username>@serialssh.cloud.yandex.net
Where:
- private_SSH_key_path: Path to the private part of the SSH key created when creating the VM.
- VM_ID: VM ID. For information about how to get a VM's ID, see Getting information about a VM.
- username: Administrator name specified when creating the VM.
Connection command example:
ssh -t -p 9600 -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 fhm0b28lgfp4********.yc-user@serialssh.cloud.yandex.net
You can also connect to the serial console using SSH keys for other users.
Troubleshooting
- If you connect to the serial console and nothing appears on the screen:
  - Press Enter.
  - Restart the VM (for VMs created before February 22, 2019).
- If the OS requests user credentials to provide access to the VM, enter the login and password.
  - On a Linux VM, set a user password first. Run the sudo passwd <username> command. For more information, see Getting started with the serial console.
  - On a Windows VM, enter your username, domain (VM name), and password. For more information, see Starting your terminal in the Windows serial console (SAC).
- If you see the Warning: remote host identification has changed! error when connecting, run the ssh-keygen -R <VM_IP_address> command.
Disconnecting from the serial console
To disconnect from the serial console:
- Press Enter.
- Enter the following characters in order: ~.