Working with a VM from a public image
Connecting to a VM
You can connect to a virtual machine via SSH using an SSH key pair, via OS Login, or via the serial console.
Connecting via SSH
This method for connecting to a virtual machine uses an SSH key pair: the public key resides on the VM, while the private one is kept by the user. Connecting with a key pair is more secure than with a username and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.
Creating an SSH key pair
- Open the terminal.
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t ed25519 -C "<optional_comment>"
  You can specify an empty string in the -C parameter to avoid adding a comment, or you may not specify the -C parameter at all: in this case, a default comment will be added.
  After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the .pub extension, while the private key, in a file without extension.
  By default, the command prompts you to save the key under the id_ed25519 name in the following directory: /home/<username>/.ssh. If there is already an SSH key named id_ed25519 in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
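The overwrite risk described above goes away if the key file is always named explicitly and an existing file is never replaced. The following is an added example, not part of the original documentation; the function name new_vm_key and the key naming scheme in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): create an ed25519 key pair
# under a unique name and never overwrite an existing key.
# The function name and the naming scheme below are assumptions.

# new_vm_key <key_dir> <key_name> [extra ssh-keygen options...]
# Prints the private key path on success; returns 1 if the name is taken.
new_vm_key() {
    [ "$#" -ge 2 ] || { echo "usage: new_vm_key <key_dir> <key_name>" >&2; return 2; }
    key_dir=$1
    key_name=$2
    shift 2
    key_path="$key_dir/$key_name"

    # Refuse to touch an existing pair: ssh-keygen would only ask
    # "Overwrite (y/n)?", and answering y destroys the old private key.
    if [ -e "$key_path" ] || [ -e "$key_path.pub" ]; then
        echo "refusing to overwrite existing key: $key_path" >&2
        return 1
    fi

    # A newly created key directory must be accessible by its owner only.
    [ -d "$key_dir" ] || { mkdir -p "$key_dir" && chmod 700 "$key_dir"; } || return 1

    # -f sets the output file, so the default id_ed25519 prompt never appears.
    # Without -N, ssh-keygen still prompts for the private key passphrase.
    ssh-keygen -t ed25519 -f "$key_path" -C "$key_name" "$@" >&2 || return 1

    # The private key stays owner-only; the public key may be world-readable.
    chmod 600 "$key_path" && chmod 644 "$key_path.pub" || return 1
    printf '%s\n' "$key_path"
}

# Usage (prompts for a passphrase interactively):
#   new_vm_key "$HOME/.ssh" "yc-vm-$(date +%Y%m%d)"
```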
If you do not have OpenSSH
- Run cmd.exe or powershell.exe (make sure to update PowerShell before doing so).
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t ed25519 -C "<optional_comment>"
  You can specify an empty string in the -C parameter to avoid adding a comment, or you may not specify the -C parameter at all: in this case, a default comment will be added.
  After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the .pub extension, while the private key, in a file without extension.
  By default, the command prompts you to save the key under the id_ed25519 name in the following directory: C:\Users\<username>/.ssh. If there is already an SSH key named id_ed25519 in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
Create keys using the PuTTY app:
- Download and install PuTTY.
- Make sure the directory where you installed PuTTY is included in PATH:
  - Right-click My computer. Click Properties.
  - In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
  - Under System variables, find PATH and click Edit.
  - In the Variable value field, append the path to the directory where you installed PuTTY.
- Launch the PuTTYgen app.
- Select EdDSA as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.
- In Key passphrase, enter a strong password. Enter it again in the field below.
- Click Save private key and save the private key. Do not share its key phrase with anyone.
- Click Save public key and save the public key in the following file: <key_name>.pub.
Connecting using an SSH key pair
After the VM starts (its status is RUNNING), you can connect to it over SSH. To do this, use ssh in Linux, macOS, and Windows 10/11, or PuTTY
To connect, specify the VM address. This can be either its IP address or FQDN. You can also connect from another Yandex Cloud VM using FQDN if this VM is connected to the same virtual network. You can find out the IP address in the management console
Connecting via OS Login
OS Login is used to provide users with SSH access to VMs using IAM. To access a VM via OS Login, enable OS Login access at the organization level.
To connect to a VM via OS Login, users must have the compute.osLogin or compute.osAdminLogin role and the VM must support OS Login at the OS level. You can create a new VM with OS Login support or set up access via OS Login for an existing VM.
To connect to a VM via OS Login, specify the VM name or ID.
If a VM has OS Login access enabled, you cannot use a standard SSH client to connect to that VM with an SSH key.
Passwords for pre-installed software
In addition to operating system distributions, there are public images with pre-installed software available in Cloud Marketplace. To get passwords to configure the pre-installed software in such images:
- Connect to the VM.
- You can find passwords for pre-installed software in the /root/default_passwords.txt file. Only a superuser has read and write access to the file. Get a list of passwords using this command:
  sudo cat /root/default_passwords.txt
If a public VM image has no pre-installed software, there will be no passwords file provided.
Using SSL
To use SSL, generate an SSL certificate yourself and configure the web server to use it.
To create an SSL certificate, you can use Yandex Certificate Manager. You can export the certificate and use it on the web server.
Filtering network traffic
On public image-based VMs, only those ports are open which are required for the configuration and operation of the pre-installed software.
You can view a list of open ports for a particular VM when connecting to it using an SSH key pair. To open additional ports, use iptables.
At the cloud network level, security groups are used to filter the network traffic. To allow specific traffic for a virtual machine at the network level, configure a security group and associate it with the VM.
Install updates
On public image-based VMs, the OS and software are not updated automatically. You can update them on your own.