Connecting to a Linux VM via SSH
The recommended method for connecting to a virtual machine over SSH is based on using a key pair: the public key is placed on the virtual machine, and the private key is stored on the user's device. Connecting with a key pair is more secure than connecting with a username and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex.Cloud.
Creating an SSH key pair
Prepare the keys for use with your virtual machines. To do this:
- Open the terminal.
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t rsa -b 2048
  After the command runs, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_rsa. Keys are created in the ~/.ssh directory.
  The public part of the key will be saved in a file with the name <key name>.pub. Copy the key string to the public key field when creating a new virtual machine via the management console.
- Run cmd.exe or powershell.exe.
- Use the ssh-keygen command to create a new key. Run the command:
  ssh-keygen -t rsa -b 2048
  After the command runs, you will be asked to specify the names of files where the keys will be saved and enter the password for the private key. The default name is id_rsa. Keys are created in the C:\Users\<user name>\.ssh\ directory.
  The public part of the key will be saved in a file with the name <key name>.pub. Open the file using Notepad or another text editor and copy the key string to the public key field when creating a new virtual machine via the management console.
To create keys for Windows, use the PuTTY application.
- Download and install PuTTY.
- Make sure that the directory where you installed PuTTY is included in PATH:
  - Right-click on My computer. Click Properties.
  - In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
  - Under System variables, find PATH and click Edit.
  - In the Variable value field, append the path to the directory where you installed PuTTY.
- Launch the PuTTYgen app.
- Select RSA for the type of pair to generate and set the length to 2048. Click Generate and move the cursor in the field above it until key creation is complete.
- In the Key passphrase field, enter a strong password. Enter it again in the field below.
- Click Save private key and save the private key. Never share it with anyone and do not tell anyone the passphrase for it.
- Save the key in a text file in a single line. To do this, copy the public key from the text field to a text file with the name id_rsa.pub.
- When creating a virtual machine via the management console, specify the public key. To do this, open the id_rsa.pub file in Notepad and copy the key value to the SSH key field.
Connecting to a VM
You can connect to a VM using the SSH protocol when it is running (the VM's status is RUNNING). You can use the ssh tool in Linux/macOS/Windows 10 or PuTTY in Windows 7/8.
To connect to the VM, specify its public address. You can find out the public IP address in the management console. On the VM's page, go to the Network section and find the Public IPv4 field. If you created a VM with only an internal address, you need to create a new VM with a public address to make it accessible over the internet.
You can also use the internal IP addresses and FQDNs to establish an SSH connection between the VMs on a single Yandex.Cloud cloud network.
In the terminal, run the command:
ssh <username>@<VM_public_IP_address>
If you have multiple private keys, specify the one you need:
ssh -i <key_path/key_file_name> <username>@<VM_public_IP_address>
If this is the first time you connect to a VM, you'll see a warning about an unknown host:
The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8.
Are you sure you want to continue connecting (yes/no)?
Type yes in the terminal and press Enter.
From the command line, run:
ssh <username>@<VM_public_IP_address>
If you have multiple private keys, specify the one you need:
ssh -i <key_path\key_file_name> <username>@<VM_public_IP_address>
If this is the first time you connect to a VM, you'll see a warning about an unknown host:
The authenticity of host '130.193.40.101 (130.193.40.101)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHkGgpLELJ8.
Are you sure you want to continue connecting (yes/no)?
Type yes in the command prompt and press Enter.
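The fingerprint shown in the first-connection prompt can be compared with one computed from the host's public key line, if you have that line from a channel you already trust. The sketch below is an added example, not part of the original documentation; how the trusted key line is obtained is an assumption (the page does not describe one), the function names are hypothetical, and constructed_line() produces filler sample data rather than a real key.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def key_blob(line):
    """Return the decoded key blob from one '<type> <base64> [comment]' line."""
    line = line.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("public key must be a single line")
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("expected '<key type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type name.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match the encoded blob")
    return blob


def fingerprint(line):
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def same_host_key(trusted_line, shown_fingerprint):
    """True only if the prompt's fingerprint matches the trusted key line."""
    return fingerprint(trusted_line) == shown_fingerprint.strip()


def constructed_line(seed=0):
    """Constructed sample: ed25519-shaped blob with filler bytes, not a real key."""
    name = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    line = constructed_line()
    print(fingerprint(line))
    # A different key must not match the fingerprint of the trusted one.
    print(same_host_key(constructed_line(seed=1), fingerprint(line)))
```

A mismatch between the computed value and the one in the prompt means the key presented on the connection is not the one you expected, and the prompt should be answered with no.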
In Windows, a connection is established using the PuTTY application.
- Run the Pageant application.
  - Right-click on the Pageant icon in the task bar.
  - In the context menu, select Add key.
  - Select a PuTTY-generated private key in the .ppk format. If a password is set for the key, enter it.
- Run PuTTY.
  - In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Specify port 22 and SSH as the connection type.
  - In the tree on the left, select Connection - SSH - Auth.
  - Set the Allow agent forwarding option.
  - In the Private key file for authentication field, select the file with the private key.
  - Go back to the Sessions menu. In the Saved sessions field, enter any session name and click Save. The session settings are saved under the specified name. You can use this session profile to connect using Pageant.
  - Click Open. If this is the first time you connect to a VM, you might see a warning about an unknown host. Click Yes. A terminal window opens suggesting that you enter the login of the user on whose behalf the connection is being established. Type the user name that you specified when creating the VM and press Enter. If everything is configured correctly, the connection with the server will be established.
- If you saved the session profile in PuTTY, you can use Pageant to establish a connection in the future:
  - Right-click on the Pageant icon in the task bar.
  - Select the Saved sessions menu item.
  - In the saved sessions list, select the necessary session.
Adding SSH keys for other users
You can add SSH keys for another VM user. To do this, create a new user and add a file with the authorized keys for this user.
- Log in to the VM under the username that you specified when creating the VM in the management console. If the VM was created via the CLI, the default yc-user user is used.
  Note
  To get information about a VM with user metadata, run the command:
  yc compute instance get --full <VM-name>
- Create a new user and specify bash as the default shell for this user:
  sudo useradd -m -d /home/testuser -s /bin/bash testuser
- Switch to the new user:
  sudo su - testuser
- Create the .ssh folder in the new user's home directory:
  mkdir .ssh
- In the .ssh folder, create the authorized_keys file:
  touch .ssh/authorized_keys
- Add the new user's public key to the authorized_keys file:
  echo "<public_key>" > /home/testuser/.ssh/authorized_keys
- Change the access rights to the authorized_keys file and the .ssh folder:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
- Disconnect from the VM using the exit command.
- Restart the VM.
- Check the connection for the new user:
  ssh testuser@<VM-public-IP>
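A check that the procedure above left the new user's key files in the expected state, as an added example that is not part of the original documentation. The names audit_ssh_files and make_constructed_home are hypothetical, and the sample home directory is constructed in a temporary location; the group/world-writable test mirrors the file-mode check sshd performs when StrictModes is enabled.

```python
import os
import stat
import tempfile

# Modes the procedure above sets with chmod.
EXPECTED = ((".ssh", 0o700), (os.path.join(".ssh", "authorized_keys"), 0o600))


def audit_ssh_files(home, uid=None):
    """Return a list of findings for <home>/.ssh and its authorized_keys file."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for rel, want in EXPECTED:
        path = os.path.join(home, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {uid}")
        if mode & 0o022:
            # Group- or world-writable: sshd with StrictModes (the default)
            # refuses to use the key file.
            findings.append(f"{rel}: writable by group/others ({mode:03o})")
        elif mode != want:
            findings.append(f"{rel}: mode {mode:03o}, procedure sets {want:03o}")
    return findings


def make_constructed_home(dir_mode, file_mode):
    """Build a throwaway home directory (constructed sample, not a real account)."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("ssh-rsa <public_key> constructed-sample\n")
    os.chmod(keys, file_mode)
    os.chmod(ssh_dir, dir_mode)
    return home


if __name__ == "__main__":
    # Default mkdir/touch modes, a world-writable key file, and the chmod'ed state.
    for modes in ((0o755, 0o644), (0o700, 0o666), (0o700, 0o600)):
        print(modes, audit_ssh_files(make_constructed_home(*modes)))
```

On the VM, call audit_ssh_files("/home/testuser") as testuser after the chmod step; an empty list means both paths have the owner and modes the procedure sets.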