Configuring OS Login access on an existing VM
To configure OS Login access for an already deployed VM, you can manually install the OS Login agent.
Enabling access via OS Login
Tip
To create VMs with OS Login access and connect to such VMs, enable OS Login at the Yandex Cloud organization level first.
To configure OS Login access for an existing VM:
-
Enable access via OS Login at the organization level.
-
Connect to the VM over SSH.
-
Install the OS Login agent on the VM. Run the command below based on the VM OS:
Note
The Ubuntu 24.04 public comes with the pre-installed OS Login agent, so you do not need to install it manually.
UbuntuCentOS 7Debian 11AlmaLinux 9-
Ubuntu 24.04
curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-24.04/config_oslogin.sh | bash -
Ubuntu 22.04
curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-22.04/config_oslogin.sh | bash -
Ubuntu 20.04
curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-20.04/config_oslogin.sh | bash -
Ubuntu 18.04
curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-18.04/config_oslogin.sh | bash
curl https://storage.yandexcloud.net/oslogin-configs/centos-7/config_oslogin.sh | bashcurl https://storage.yandexcloud.net/oslogin-configs/debian-11/config_oslogin.sh | bashcurl https://storage.yandexcloud.net/oslogin-configs/almalinux-9/config_oslogin.sh | bash -
-
Enable access via OS Login on the VM.
You can now connect to the VM via OS Login using either the YC CLI or a standard SSH client. To connect, you can use an SSH certificate or SSH key, which you first need to add to the profile of a Yandex Cloud Organization user or service account.
Disabling access via OS Login
To access a VM without OS Login, the VM must store the public part of the SSH key. If the VM was created without an SSH key or the key was lost, add an SSH key and a local user to the VM manually before disabling OS Login access.
To get back the ability to connect to the VM over SSH without using OS Login:
-
Disable access via OS Login.
Management consoleCLI- In the management console, select the folder this VM belongs to.
- Select Compute Cloud.
- In the left-hand panel, select Virtual machines and click the name of the VM in question.
- In the top-right corner, click Edit VM.
- Under Access, select SSH key.
- Click Save changes.
Run this command:
yc compute instance update --name <VM_name> \ --folder-id <folder_ID> \ --metadata enable-oslogin=falseMake sure OS Login access is now disabled:
yc compute ssh --name <VM_name> --folder-id <folder_ID>Result:
... username@12.345.***.***: Permission denied (publickey). ... -
Connect to the VM over SSH.
-
Run the following command to delete OS Login packets:
Linuxcurl https://storage.yandexcloud.net/oslogin-configs/common/remove_oslogin.sh | bashWhen deleting, you will be prompted to confirm the deletion of the
cronandunscdpackets. To confirm, typeyand press Enter.
Alert
A user with superuser permissions for a VM can retain access to it even if the roles are revoked. To prevent user access to a VM with old permissions, create a new VM from a clean image.