
Connecting to a Linux VM via SSH

  • Creating an SSH key pair
  • Connecting to a VM
  • Adding SSH keys for other users

The recommended method for connecting to a virtual machine over SSH is based on using a key pair: the public key is placed on the virtual machine, and the private key is stored on the user's device. Connecting with a key pair is more secure than connecting with a username and password.

Note

SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex.Cloud.

Creating an SSH key pair

Prepare the keys for use with your virtual machines. To do this:

Linux/macOS

  1. Open the terminal.

  2. Use the ssh-keygen command to create a new key:

    ssh-keygen -t rsa -b 2048

    After the command runs, you will be asked to specify the names of the files where the keys will be saved and to enter the password for the private key. The default name is id_rsa. Keys are created in the ~/.ssh directory.

    The public part of the key will be saved in a file with the name <key name>.pub. Copy the key string to the public key field when creating a new virtual machine via the management console.

Windows 10

  1. Run cmd.exe or powershell.exe.

  2. Use the ssh-keygen command to create a new key. Run the command:

    ssh-keygen -t rsa -b 2048

    After the command runs, you will be asked to specify the names of the files where the keys will be saved and to enter the password for the private key. The default name is id_rsa. Keys are created in the C:\Users\<user name>\.ssh\ directory.

    The public part of the key will be saved in a file with the name <key name>.pub. Open the file using Notepad or another text editor and copy the key string to the public key field when creating a new virtual machine via the management console.

Windows 7/8

To create keys in Windows 7/8, use the PuTTY application.

  1. Download and install PuTTY.

  2. Make sure that the directory where you installed PuTTY is included in PATH:

    1. Right-click on My computer. Click Properties.
    2. In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
    3. Under System variables, find PATH and click Edit.
    4. In the Variable value field, append the path to the directory where you installed PuTTY.
  3. Launch the PuTTYgen app.

  4. Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.

  5. In the Key passphrase field, enter a strong password. Enter it again in the field below.

  6. Click Save private key and save the private key. Never share it with anyone and do not tell anyone the passphrase for it.

  7. Save the public key in a text file as a single line. To do this, copy the public key from the text field to a text file with the name id_rsa.pub.

  8. When creating a virtual machine via the management console, specify the public key. To do this, open the id_rsa.pub file in Notepad and copy the key value to the SSH key field.

Connecting to a VM

You can connect to a VM using the SSH protocol when it is running (the VM's status is RUNNING). You can use the ssh tool in Linux/macOS/Windows 10 or PuTTY in Windows 7/8.

To connect to the VM, specify its public address. You can find out the public IP address in the management console. On the VM's page, go to the Network section and find the Public IPv4 field. If you created a VM with only an internal address, you need to create a new VM with a public address to make it accessible over the internet.

You can also use the internal IP addresses and FQDNs to establish an SSH connection between the VMs on a single Yandex.Cloud cloud network.

Linux/macOS

In the terminal, run the command:

    ssh <username>@<VM_public_IP_address>

If you have multiple private keys, specify the one you need:

    ssh -i <key_path/key_file_name> <username>@<VM_public_IP_address>

If this is the first time you connect to a VM, you'll see a warning about an unknown host:

    The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
    ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8.
    Are you sure you want to continue connecting (yes/no)?

Type yes in the terminal and press Enter.

Windows 10

From the command line, run:

    ssh <username>@<VM_public_IP_address>

If you have multiple private keys, specify the one you need:

    ssh -i <key_path\key_file_name> <username>@<VM_public_IP_address>

If this is the first time you connect to a VM, you'll see a warning about an unknown host:

    The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
    ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8.
    Are you sure you want to continue connecting (yes/no)?

Type yes in the command prompt and press Enter.

Windows 7/8

In Windows 7/8, a connection is established using the PuTTY application.

  1. Run the Pageant application.
    1. Right-click on the Pageant icon in the task bar.
    2. In the context menu, select Add key.
    3. Select a PuTTY-generated private key in the .ppk format. If a password is set for the key, enter it.
  2. Run PuTTY.
    1. In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Specify port 22 and SSH as the connection type.

    2. In the tree on the left, select Connection - SSH - Auth.

    3. Set the Allow agent forwarding option.

    4. In the Private key file for authentication field, select the file with the private key.

    5. Go back to the Sessions menu. In the Saved sessions field, enter any session name and click Save. The session settings are saved under the specified name. You can use this session profile to connect using Pageant.

    6. Click Open. If this is the first time you connect to a VM, you might see a warning about an unknown host:

      Click Yes. A terminal window opens and prompts you for the login of the user to connect as. Type the user name that you specified when creating the VM and press Enter. If everything is configured correctly, the connection with the server will be established.

If you saved the session profile in PuTTY, you can use Pageant to establish a connection in the future:

  1. Right-click on the Pageant icon in the task bar.
  2. Select the Saved sessions menu item.
  3. In the saved sessions list, select the necessary session.
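
The unknown-host warning shown in this section is the point at which the VM's host key can be checked against a source you already trust. The following is an added example, not part of the original documentation: it compares the key type and fingerprint from the prompt with the fingerprints listed in the VM's serial console output. It assumes the image prints cloud-init's host key fingerprint block there and that you have that output as text; the sample console text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the fingerprint in ssh's unknown-host prompt
# matches one the VM itself printed to its serial console at first boot.

# Constructed sample of serial console output (cloud-init fingerprint block).
# The ECDSA value is the one from the warning on this page; the ED25519 value
# is a made-up placeholder.
SAMPLE_CONSOLE='ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8 root@vm (ECDSA)
ec2: 256 SHA256:CONSTRUCTEDxED25519xFINGERPRINTxPLACEHOLDERx01 root@vm (ED25519)
ec2: -----END SSH HOST KEY FINGERPRINTS-----'

# Print "TYPE FINGERPRINT" for every key listed between the BEGIN/END markers.
# Fingerprint-looking text outside the markers is ignored.
console_fingerprints() {
    printf '%s\n' "$1" | awk '
        /BEGIN SSH HOST KEY FINGERPRINTS/ { inside = 1; next }
        /END SSH HOST KEY FINGERPRINTS/   { inside = 0 }
        inside {
            fp = ""; type = $NF
            for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) fp = $i
            gsub(/[()]/, "", type)
            if (fp != "") print type, fp
        }'
}

# Return 0 only if the prompt's key type and fingerprint both appear in the
# console output; any other result means: answer "no" and investigate.
host_key_is_expected() {   # args: key_type fingerprint console_text
    console_fingerprints "$3" | grep -qxF "$1 $2"
}

if host_key_is_expected ECDSA \
    "SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8" "$SAMPLE_CONSOLE"
then
    echo "fingerprint matches the console output: safe to answer yes"
else
    echo "fingerprint mismatch: do not connect" >&2
fi
```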

Adding SSH keys for other users

You can add SSH keys for another VM user. To do this, create a new user and add a file with the authorized keys for this user.

  1. Log in to the VM under the username that you specified when creating the VM in the management console. If the VM was created via the CLI, the default user yc-user is used.

    Note

    To get information about a VM with user metadata, run the command:

    yc compute instance get --full <VM-name>
    
  2. Create a new user and set bash as the default shell for this user:

    sudo useradd -m -d /home/testuser -s /bin/bash testuser
    
  3. Switch to the new user:

    sudo su - testuser
    
  4. Create the .ssh folder in the new user's home directory:

    mkdir .ssh
    
  5. In the .ssh folder, create the authorized_keys file:

    touch .ssh/authorized_keys
    
  6. Add the new user's public key to the authorized_keys file:

    echo "<public_key>" > /home/testuser/.ssh/authorized_keys
    
  7. Change the access rights to the authorized_keys file and the .ssh folder:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
    
  8. Disconnect from the VM using the exit command.

  9. Restart the VM.

  10. Check the connection for the new user:

    ssh testuser@<VM-public-IP>
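
Steps 4 to 7 above can be combined into one repeatable function. The following is an added example, not part of the original documentation: it appends a key instead of overwriting the file, rejects input that is not a single public key line, and confirms the 700/600 permissions afterwards. The function names and the sample key are constructed for illustration, and the demonstration uses a temporary directory in place of /home/testuser.

```shell
#!/bin/sh
# Added example: add one public key to a user's authorized_keys file without
# overwriting existing keys, then confirm the permissions from step 7.

# Constructed sample key (not a real key); the blob is placeholder base64.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedEXAMPLEonly testuser@example'

# Accept exactly one line of the form "<type> <base64 blob> [comment]".
valid_public_key() {
    [ $(printf '%s\n' "$1" | wc -l) -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# Compare the mode string printed by ls (works without GNU stat).
has_mode() {   # args: path expected_mode_string (e.g. drwx------)
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

add_authorized_key() {   # args: home_directory public_key_line
    home=$1 key=$2
    valid_public_key "$key" || { echo "rejected: not a public key line" >&2; return 2; }
    ( umask 077                       # new files are owner-only from creation
      mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" ) || return 1
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    # Append (>>) only when the exact line is absent; the ">" used in step 6
    # would replace every key already in the file.
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    has_mode "$home/.ssh" drwx------ &&
        has_mode "$home/.ssh/authorized_keys" -rw-------
}

# Demonstration in a throwaway directory standing in for /home/testuser.
demo_home=$(mktemp -d)
add_authorized_key "$demo_home" "$SAMPLE_KEY" && echo "key installed"
rm -rf "$demo_home"
```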
    

What's next

  • Learn how to work with Yandex.Cloud from inside a VM
© 2021 Yandex.Cloud LLC