Connect to a Linux instance with OpenSSH or Xshell

更新时间:
复制 MD 格式

If your local device runs macOS or Windows 10/11, you can use the built-in OpenSSH command-line tool to connect to a Linux instance. On a Windows device, you can also use the Xshell client. Both methods support user authentication with a password or a key pair.

Important

We recommend that you use Workbench to connect to your instances on Alibaba Cloud. This browser-based tool supports password-free logon and is more convenient than using OpenSSH or Xshell.

Applicability

Method 1: Use OpenSSH client (command line)

OpenSSH is the standard SSH client built into macOS and modern Windows operating systems. You can use OpenSSH to quickly connect to your instance from the command line.

Before you begin

  • Instance public IP address: In the ECS console - Instances, find the target instance and go to its details page. In the Configuration Information section, find the Public IP Address.

  • Instance logon credentials: Set a password or bind a key pair to the instance.

  • Configure a security group: Add an inbound rule to the instance's security group to allow SSH access on port 22 from your local IP address.

Procedure

Windows 10/11

Password

  1. Open PowerShell.

    Press Win+R, enter powershell, and then press Enter to open the PowerShell command-line interface.

  2. Start the remote connection.

    ssh <username>@<instance_public_ip_address>
    Example: ssh root@47.98.xxx.xxx
  3. (First-time connection only) Verify the host key fingerprint.

    When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.

    This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

    After you confirm that the host fingerprint is correct, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Enter the password to access the instance.

    When you enter the password, no characters appear on the screen. This is normal. Press Enter after you finish typing.

    After the password is authenticated, you will see a welcome message similar to the one below, and the command prompt changes to the [<username>@<hostname> ~]$ format. This indicates that you have successfully logged in to the ECS instance.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Key pair

  1. Open PowerShell.

    Press Win+R, enter powershell, and then press Enter to open the PowerShell command-line interface.

  2. Start the remote connection.

    ssh -i /path/to/private_key.pem <username>@<instance_public_ip_address>
    Example: ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command, /path/to/private_key.pem is the path to your private key file, such as C:\Users\Administrator\Downloads\private_key.pem.
  3. (First-time connection only) Verify the host key fingerprint.

    When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.

    This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

    After you confirm that the host fingerprint is correct, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Authenticate with the key and log on to the instance.

    After the key is authenticated successfully, you will see a welcome message similar to the one below, and the command prompt changes to the format [<instance_login_name>@<hostname> ~]$. This indicates that you have successfully logged on to the ECS instance.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

macOS

Password

  1. Open the Terminal app.

  2. Start the remote connection.

    ssh <username>@<instance_public_ip_address>
    Example: ssh root@47.98.xxx.xxx
  3. (First-time connection only) Verify the host key fingerprint.

    When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.

    This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

    If the host fingerprint is correct, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Enter the password to access the instance.

    When you enter the password, no characters appear on the screen. This is normal. Press Enter after you finish typing.

    After the password is verified, a login welcome message is displayed (the content varies depending on the operating system image) and the command prompt changes to [<instance login name>@<hostname> ~]$. This indicates that you have successfully logged in to the ECS instance.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Key pair

  1. Open the Terminal app.

  2. Start the remote connection.

    # chmod 400: Sets read-only permissions for the owner of the private key file. This is a security requirement of the SSH client.
    chmod 400 /path/to/private_key.pem
    ssh -i /path/to/private_key.pem <username>@<instance_public_ip_address>
    Example: ssh -i /path/to/private_key.pem root@47.98.xxx.xxx. In this command, /path/to/private_key.pem is the path to your private key file.
  3. (First-time connection only) Verify the host key fingerprint.

    When you connect to a new ECS instance for the first time, a message similar to the following appears, asking you to verify the host key fingerprint.

    This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

    After you confirm that the host fingerprint is correct, enter yes and press Enter.

    The authenticity of host '47.98.xxx.xxx (47.98.xxx.xxx)' can't be established.
    ED25519 key fingerprint is SHA256:AbCdEf123456...
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? 
  4. Authenticate with the key and log on to the instance.

    After the key is authenticated, you will see a welcome message similar to the one below, and the command prompt will change to [<username>@<hostname> ~]$. This indicates that you have successfully logged in to the ECS instance.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Method 2: Use Xshell client (Windows only)

Xshell is an SSH client for Windows that lets you remotely log on to and manage Linux servers.

Before you begin

  • Download and install Xshell: Visit the official Xshell website to download and install the latest client.

  • Instance public IP address: In the ECS console - Instances, find the target instance and go to its details page. In the Configuration Information section, find the Public IP Address.

  • Instance logon credentials: Set a password or bind a key pair to the instance.

  • Configure a security group: Add an inbound rule to the instance's security group to allow SSH access on port 22 from your local IP address.

Procedure

  1. Start Xshell and create a new session.

    1. Open the Xshell application.

    2. In the Sessions window that appears, click New Resources. Alternatively, select File > New Resources from the menu bar.

  2. Configure the connection settings.

    In the left-side navigation pane, click Connection and configure the following parameters:

    • Name: Enter a descriptive name for the session, such as My-Web-Server.

    • Protocol: Keep the default value, SSH.

    • Host: Enter the public IP address of the instance.

    • Port number: Keep the default value, 22.

  3. Configure user authentication.

    In the left-side navigation pane, click User authentication.

    Password

    1. Method: Select Password.

    2. User Name: Enter the server's logon username, such as root.

    3. Password: Enter the logon password.

    Key pair

    1. Username: Enter the server's logon username, such as root.

    2. Method: Select Public key and perform the following steps to configure the user key:

      1. Click Settings....

      2. In the pop-up window, select the Key file option, click ... next to User key, click Import..., and select your locally stored .pem private key file.

      3. After the key is imported, select the key and click OK.

      4. (Optional) If the key file is protected by a password, enter the Password.

  4. Connect to the server.

    After completing the preceding configurations, click Connect.

  5. (First-time connection only) Verify the host key fingerprint.

    When you connect to a new ECS instance for the first time, Xshell displays an SSH security warning window that shows the host key fingerprint.

    This is a security mechanism of SSH. To ensure security, obtain the host key fingerprint of the instance and compare it with the one displayed. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

    After confirming that the host key fingerprint is correct, click Accept and Save. This warning is no longer displayed for subsequent connections.

  6. Log on to the server.

    When the command prompt appears, you have successfully connected to the instance.

    Welcome to Alibaba Cloud Elastic Compute Service !
    
    [root@Connect-Instance-Example ~]#

Security best practices

To enhance the security of your remote connection in a production environment, follow these best practices.

  • Verify host key fingerprint

    When you connect to an instance for the first time, you should verify the host key fingerprint of the instance to confirm that you are connecting to the intended instance and not an attacker's server.

  • Disable password logon and use key pairs

    Key pair authentication is significantly more secure than password authentication and can reduce the risk of brute-force attacks. Perform the following steps:

    1. Bind a key pair to your instance.

    2. Disable password logon: Log on to the instance, edit the /etc/ssh/sshd_config configuration file, find PasswordAuthentication, and set it to PasswordAuthentication no. Restart the SSH service for the configuration to take effect.

  • Change the default SSH port

    Change the default SSH port from 22 to a non-standard port, such as 2222, to reduce exposure to automated scans.

    1. Allow traffic on the new port: In the instance's security group, add an inbound rule to allow traffic on the new port, such as 2222.

    2. Modify the SSH service port: Log on to the instance, edit the /etc/ssh/sshd_config configuration file, and change #Port 22 to Port 2222. Restart the SSH service for the changes to take effect.

    3. Connect by using the new port: When you run the ssh command, use the -p option to specify the SSH service port. For example: ssh -p 2222 username@instance_ip.

  • Allow trusted IP addresses

    Modify security group rules to allow SSH access only from your local IP address or other trusted IP addresses. This blocks unknown hosts from accessing the instance.

FAQ

  • Security group rule for port 22

    In the security group of the instance, add a security group rule with the following settings:

    Action

    Protocol

    Source

    Destination

    Allow

    Custom TCP

    Enter the public IP address of your local client.

    Important

    If you use 0.0.0.0/0, it means that any IP address can access the remote service port. This poses a security risk. Use this value with caution.

    SSH(22)

    If you changed the SSH port of the instance, set this parameter to the new port number.
  • Host key fingerprint verification

    When you connect to an instance for the first time, you are prompted to verify the host key fingerprint. Use one of the following methods to confirm the fingerprint:

    Console

    1. Go to the ECS console - Instances page. In the upper-left corner, select a region and resource group.

    2. Find the instance, click image > Obtain Instance System Logs, and then find BEGIN SSH HOST KEY FINGERPRINTS. All host fingerprints are displayed.

      image

      Carefully check whether the fingerprint displayed by your local client, such as SHA256:****** in the preceding example, exactly matches one of the fingerprints displayed in the logs. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

      If you cannot find BEGIN SSH HOST KEY FINGERPRINTS, log on to the instance to view its host fingerprint.

    Instance

    Log on to the instance by using Workbench and run the following command to view the host key fingerprints:

    for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$f"; done

    Sample output:

    1024 SHA256:9C******co root@Connect-Instance-Example (DSA)
    256 SHA256:u6******SU root@Connect-Instance-Example (ECDSA)
    256 SHA256:iQ******jg root@Connect-Instance-Example (ED25519)
    3072 SHA256:8R******64 root@Connect-Instance-Example (RSA)

    Carefully check whether the fingerprint displayed by your local client, such as SHA256:****** in the preceding example, exactly matches one of the fingerprints displayed in the output. If they do not match, you may be under a man-in-the-middle attack. Switch to a secure network and try to connect again.

  • Simplify connections with an SSH config file

    Entering the full ssh -i /path/to/key.pem username@instance_ip command for each connection is tedious. You can simplify the connection command by creating and configuring a local SSH config file to set an alias for the server.

    1. Find or create the config file.

      Windows 10/11

      The default path for the config file is C:\Users\YourUsername\.ssh\config. If the file does not exist, you must create it manually.

      Replace YourUsername with your current Windows username.

      macOS

      The default path of the config file is ~/.ssh/config. If the file does not exist, you need to create it manually.

    2. Edit the config file and add instance information.

      Use a text editor to open the config file and add a configuration similar to the following. Each Host configuration block corresponds to a server instance.

      # Configure an alias "web-server" for the web server.
      Host web-server
          HostName        47.98.xxx.xxx
          User            root
          Port            22
          # (Optional) If you use a key pair to log on, specify the path to the private key. Ignore this parameter if you log on with a password.
          IdentityFile    /path/to/your/private_key.pem
      
      # You can add more configurations for other servers.
      Host other-server
          HostName        8.123.xxx.xxx
          User            ecs-user
          Port            2222
          IdentityFile    ~/.ssh/another_key.pem

      Parameter description:

      • Host: The alias of the server. You can specify a custom alias.

      • HostName: The public IP address of the instance.

      • User: The logon username.

      • Port: The SSH port number. The default value is 22.

      • IdentityFile: The absolute path to the private key file.

    3. Use an alias to quickly connect to an instance.

      After you save the config file, you can directly use an alias to connect to the instance.

      # Connect by using the alias. SSH automatically reads the IP address, username, and key information from the config file.
      ssh web-server
  • A Connection timed out error is reported, or the connection times out?

    This error indicates that the client failed to connect to the server. To troubleshoot the error, perform the following checks in order:

    1. Check whether the public IP address is correct.

    2. Check whether the security group allows traffic on the required port.

    3. Check whether the instance is in the Running state.

    4. Use the ECS console - Self-service Troubleshooting tool to diagnose issues.

  • The password is correct, but an error is returnedPermission denied, please try again

    This error indicates that the server rejected the password. To troubleshoot the error, perform the following checks:

    1. In the console, reset the password and try again.

    2. Use the ECS console - Self-service Troubleshooting tool to diagnose issues.

  • Why do I receive the Permission denied (publickey) error when I log on by using a key pair?

    This error indicates that the server rejected the key. To troubleshoot the error, perform the following checks:

    1. In the console, bind the key pair again and retry the connection.

    2. Check whether the path to the private key file is correct and whether the private key matches the key pair that is bound to the instance.

    3. On macOS, verify that the permissions for the private key file are 400 or 600.

    4. Use the ECS console - Self-service Troubleshooting tool to diagnose issues.

  • When you log in to an instance over SSH, the following message is displayedWARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

    This is a security feature of SSH. After you connect to an instance for the first time, SSH remembers the host key fingerprint. If the fingerprint is inconsistent during a subsequent connection, SSH reports this error. This may occur if you have replaced the system disk, reinstalled the operating system, or deleted the host key files from the instance's operating system.

    Solution: Verify the host key fingerprint of the instance. If the fingerprint is correct, run the following command to delete the outdated host key fingerprint stored on your local device.

    ssh-keygen -R <instance_public_ip_address>