If your local device runs macOS or Windows 10/11, you can use the built-in OpenSSH command-line tool to connect to a Linux instance. On a Windows device, you can also use the Xshell client. Both methods support user authentication with a password or a key pair.
We recommend that you use Workbench to connect to your instances on Alibaba Cloud. This browser-based tool supports password-free logon and is more convenient than using OpenSSH or Xshell.
Applicability
-
The instance must run the Linux operating system.
-
The instance must have a static public IP address or an elastic IP address (EIP).
Method 1: Use OpenSSH client (command line)
OpenSSH is the standard SSH client built into macOS and modern Windows operating systems. You can use OpenSSH to quickly connect to your instance from the command line.
Before you begin
-
Instance public IP address: In the ECS console - Instances, find the target instance and go to its details page. In the Configuration Information section, find the Public IP Address.
-
Instance logon credentials: Set a password or bind a key pair to the instance.
-
Configure a security group: Add an inbound rule to the instance's security group to allow SSH access on port 22 from your local IP address.
Procedure
Windows 10/11
Password
-
Open PowerShell.
Press
Win+R, enterpowershell, and then pressEnterto open the PowerShell command-line interface. -
Start the remote connection.
ssh <username>@<instance_public_ip_address>Example:
ssh root@47.98.xxx.xxx -
(First-time connection only) Verify the host key fingerprint.
When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.
This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
After you confirm that the host fingerprint is correct, enter
yesand press Enter.The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established. ED25519 key fingerprint is SHA256:AbCdEf123456... This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? -
Enter the password to access the instance.
When you enter the password, no characters appear on the screen. This is normal. Press Enter after you finish typing.
After the password is authenticated, you will see a welcome message similar to the one below, and the command prompt changes to the
[<username>@<hostname> ~]$format. This indicates that you have successfully logged in to the ECS instance.Welcome to Alibaba Cloud Elastic Compute Service ! [root@Connect-Instance-Example ~]#
Key pair
-
Open PowerShell.
Press
Win+R, enterpowershell, and then pressEnterto open the PowerShell command-line interface. -
Start the remote connection.
ssh -i /path/to/private_key.pem <username>@<instance_public_ip_address>Example:
ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command,/path/to/private_key.pemis the path to your private key file, such asC:\Users\Administrator\Downloads\private_key.pem. -
(First-time connection only) Verify the host key fingerprint.
When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.
This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
After you confirm that the host fingerprint is correct, enter
yesand press Enter.The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established. ED25519 key fingerprint is SHA256:AbCdEf123456... This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? -
Authenticate with the key and log on to the instance.
After the key is authenticated successfully, you will see a welcome message similar to the one below, and the command prompt changes to the format
[<instance_login_name>@<hostname> ~]$. This indicates that you have successfully logged on to the ECS instance.Welcome to Alibaba Cloud Elastic Compute Service ! [root@Connect-Instance-Example ~]#
macOS
Password
-
Open the Terminal app.
-
Start the remote connection.
ssh <username>@<instance_public_ip_address>Example:
ssh root@47.98.xxx.xxx -
(First-time connection only) Verify the host key fingerprint.
When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.
This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
If the host fingerprint is correct, enter
yesand press Enter.The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established. ED25519 key fingerprint is SHA256:AbCdEf123456... This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? -
Enter the password to access the instance.
When you enter the password, no characters appear on the screen. This is normal. Press Enter after you finish typing.
After the password is verified, a login welcome message is displayed (the content varies depending on the operating system image) and the command prompt changes to
[<instance login name>@<hostname> ~]$. This indicates that you have successfully logged in to the ECS instance.Welcome to Alibaba Cloud Elastic Compute Service ! [root@Connect-Instance-Example ~]#
Key pair
-
Open the Terminal app.
-
Start the remote connection.
# chmod 400: Sets read-only permissions for the owner of the private key file. This is a security requirement of the SSH client. chmod 400 /path/to/private_key.pem ssh -i /path/to/private_key.pem <username>@<instance_public_ip_address>Example:
ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command,/path/to/private_key.pemis the path to your private key file. -
(First-time connection only) Verify the host key fingerprint.
When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.
This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
After you confirm that the host fingerprint is correct, enter
yesand press Enter.The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established. ED25519 key fingerprint is SHA256:AbCdEf123456... This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? -
Authenticate with the key and log on to the instance.
After the key is authenticated, you will see a welcome message similar to the one below, and the command prompt will change to
[<username>@<hostname> ~]$. This indicates that you have successfully logged in to the ECS instance.Welcome to Alibaba Cloud Elastic Compute Service ! [root@Connect-Instance-Example ~]#
Method 2: Use Xshell client (Windows only)
Xshell is an SSH client for Windows that lets you remotely log on to and manage Linux servers.
Before you begin
-
Download and install Xshell: Visit the official Xshell website to download and install the latest client.
-
Instance public IP address: In the ECS console - Instances, find the target instance and go to its details page. In the Configuration Information section, find the Public IP Address.
-
Instance logon credentials: Set a password or bind a key pair to the instance.
-
Configure a security group: Add an inbound rule to the instance's security group to allow SSH access on port 22 from your local IP address.
Procedure
-
Start Xshell and create a new session.
-
Open the Xshell application.
-
In the Sessions window that appears, click New Resources. Alternatively, select from the menu bar.
-
-
Configure the connection settings.
In the left-side navigation pane, click Connection and configure the following parameters:
-
Name: Enter a descriptive name for the session, such as My-Web-Server.
-
Protocol: Keep the default value, SSH.
-
Host: Enter the public IP address of the instance.
-
Port number: Keep the default value, 22.
-
-
Configure user authentication.
In the left-side navigation pane, click User authentication.
Password
-
Method: Select Password.
-
User Name: Enter the server's logon username, such as root.
-
Password: Enter the logon password.
Key pair
-
Username: Enter the server's logon username, such as root.
-
Method: Select Public key and perform the following steps to configure the user key:
-
Click Settings....
-
In the pop-up window, select the Key file option, click ... next to User key, click Import..., and select your locally stored
.pemprivate key file. -
After the key is imported, select the key and click OK.
-
(Optional) If the key file is protected by a password, enter the Password.
-
-
-
Connect to the server.
After completing the preceding configurations, click Connect.
-
(First-time connection only) Verify the host key fingerprint.
When you connect to a new ECS instance for the first time, Xshell displays an SSH security warning window that shows the host key fingerprint.
This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
After confirming that the host key fingerprint is correct, click Accept and Save. This warning is no longer displayed for subsequent connections.
-
Log on to the server.
When the command prompt appears, you have successfully connected to the instance.
Welcome to Alibaba Cloud Elastic Compute Service ! [root@Connect-Instance-Example ~]#
Security best practices
To enhance the security of your remote connection in a production environment, follow these best practices.
-
Verify host key fingerprint
When you connect to an instance for the first time, you should verify the host key fingerprint of the instance to confirm that you are connecting to the intended instance and not an attacker's server.
-
Disable password logon and use key pairs
Key pair authentication is significantly more secure than password authentication and can reduce the risk of brute-force attacks. Perform the following steps:
-
Bind a key pair to your instance.
-
Disable password logon: Log on to the instance, edit the
/etc/ssh/sshd_configconfiguration file, findPasswordAuthentication, and set it toPasswordAuthentication no. Restart the SSH service for the configuration to take effect.
-
-
Change the default SSH port
Change the default SSH port from 22 to a non-standard port, such as 2222, to reduce exposure to automated scans.
-
Allow traffic on the new port: In the instance's security group, add an inbound rule to allow traffic on the new port, such as 2222.
-
Modify the SSH service port: Log on to the instance, edit the
/etc/ssh/sshd_configconfiguration file, and change#Port 22toPort 2222. Restart the SSH service for the changes to take effect. -
Connect by using the new port: When you run the ssh command, use the
-poption to specify the SSH service port. For example:ssh -p 2222 username@instance_ip.
-
-
Allow trusted IP addresses
Modify security group rules to allow SSH access only from your local IP address or other trusted IP addresses. This blocks unknown hosts from accessing the instance.
FAQ
-
Security group rule for port 22
In the security group of the instance, add a security group rule with the following settings:
Action
Protocol
Source
Destination
Allow
Custom TCP
Enter the public IP address of your local client.
ImportantIf you use
0.0.0.0/0, it means that any IP address can access the remote service port. This poses a security risk. Use this value with caution.SSH(22)
If you changed the SSH port of the instance, set this parameter to the new port number.
-
Host key fingerprint verification
When you connect to an instance for the first time, you are prompted to verify the host key fingerprint. Use one of the following methods to confirm the fingerprint:
Console
-
Go to the ECS console - Instances page. In the upper-left corner, select a region and resource group.
-
Find the instance, click , and then find
BEGIN SSH HOST KEY FINGERPRINTS. All host fingerprints are displayed.
Carefully check whether the fingerprint displayed by your local client, such as SHA256:****** in the preceding example, exactly matches one of the fingerprints displayed in the logs. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
If you cannot find
BEGIN SSH HOST KEY FINGERPRINTS, log on to the instance to view its host fingerprint.
Instance
Log on to the instance by using Workbench and run the following command to view the host key fingerprints:
for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$f"; doneSample output:
1024 SHA256:9C******co root@Connect-Instance-Example (DSA) 256 SHA256:u6******SU root@Connect-Instance-Example (ECDSA) 256 SHA256:iQ******jg root@Connect-Instance-Example (ED25519) 3072 SHA256:8R******64 root@Connect-Instance-Example (RSA)Carefully check whether the fingerprint displayed by your local client, such as SHA256:****** in the preceding example, exactly matches one of the fingerprints displayed in the output. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.
-
-
Simplify connections with an SSH config file
Entering the full
ssh -i /path/to/key.pem username@instance_ipcommand for each connection is tedious. You can simplify the connection command by creating and configuring a local SSHconfigfile to set an alias for the server.-
Find or create the config file.
Windows 10/11
The default path for the
configfile isC:\Users\YourUsername\.ssh\config. If the file does not exist, you must create it manually.Replace
YourUsernamewith your current Windows username.macOS
The default path of the
configfile is~/.ssh/config. If the file does not exist, you need to create it manually. -
Edit the config file and add instance information.
Use a text editor to open the
configfile and add a configuration similar to the following. EachHostconfiguration block corresponds to a server instance.# Configure an alias "web-server" for the web server. Host web-server HostName 47.98.xxx.xxx User root Port 22 # (Optional) If you use a key pair to log on, specify the path to the private key. Ignore this parameter if you log on with a password. IdentityFile /path/to/your/private_key.pem # You can add more configurations for other servers. Host other-server HostName 8.123.xxx.xxx User ecs-user Port 2222 IdentityFile ~/.ssh/another_key.pemParameter description:
-
Host: The alias of the server. You can specify a custom alias.
-
HostName: The public IP address of the instance.
-
User: The logon username.
-
Port: The SSH port number. The default value is 22.
-
IdentityFile: The absolute path to the private key file.
-
-
Use an alias to quickly connect to an instance.
After you save the
configfile, you can directly use an alias to connect to the instance.# Connect by using the alias. SSH automatically reads the IP address, username, and key information from the config file. ssh web-server
-
-
A
Connection timed outerror is reported, or the connection times out?This error indicates that the client failed to connect to the server. To troubleshoot the error, perform the following checks in order:
-
Check whether the public IP address is correct.
-
Check whether the security group allows traffic on the required port.
-
Check whether the instance is in the Running state.
-
Use the ECS console - Self-service Troubleshooting tool to diagnose issues.
-
-
The password is correct, but an error is returned
Permission denied, please try againThis error indicates that the server rejected the password. To troubleshoot the error, perform the following checks:
-
In the console, reset the password and try again.
-
Use the ECS console - Self-service Troubleshooting tool to diagnose issues.
-
-
Why do I receive the
Permission denied (publickey)error when I log on by using a key pair?This error indicates that the server rejected the key. To troubleshoot the error, perform the following checks:
-
In the console, bind the key pair again and retry the connection.
-
Check whether the path to the private key file is correct and whether the private key matches the key pair that is bound to the instance.
-
On macOS, verify that the permissions for the private key file are
400or600. -
Use the ECS console - Self-service Troubleshooting tool to diagnose issues.
-
-
When you log in to an instance over SSH, the following message is displayed
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!This is a security feature of SSH. After you connect to an instance for the first time, SSH remembers the host key fingerprint. If the fingerprint is inconsistent during a subsequent connection, SSH reports this error. This may occur if you have replaced the system disk, reinstalled the operating system, or deleted the host key files from the instance's operating system.
Solution: Verify the host key fingerprint of the instance. If the fingerprint is correct, run the following command to delete the outdated host key fingerprint stored on your local device.
ssh-keygen -R <instance_public_ip_address>