Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
  • Blog
  • Pricing
  • Documentation
Yandex project
© 2025 Yandex.Cloud LLC
Yandex Compute Cloud
    • All guides
      • Connecting to a VM via SSH
      • Exchanging files with VMs
      • Connecting to a VM via RDP
      • Connecting to a VM via PowerShell
        • Creating a VM with OS Login support
        • Configuring OS Login on an existing VM
        • Exporting an SSH certificate
        • Connecting to a VM via OS Login
      • Using Yandex Cloud from within a VM
      • Installing NVIDIA drivers
      • Recovering access to a VM
    • Viewing operations with resources
  • Yandex Container Solution
  • Access management
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Enabling access via OS Login
  • Disabling access via OS Login
  1. Step-by-step guides
  2. Using a VM
  3. OS Login
  4. Configuring OS Login on an existing VM

Configuring OS Login access on an existing VM

Written by
Yandex Cloud
Updated at March 6, 2025
  • Enabling access via OS Login
  • Disabling access via OS Login

To configure OS Login access for an already deployed VM, you can manually install the OS Login agent.

Enabling access via OS LoginEnabling access via OS Login

Tip

To create VMs with OS Login access and connect to such VMs, enable OS Login at the Yandex Cloud organization level first.

To configure OS Login access for an existing VM:

  1. Enable access via OS Login at the organization level.

  2. Connect to the VM over SSH.

  3. Install the OS Login agent on the VM. Run the command below based on the VM OS:

    Note

    The Ubuntu 24.04 public comes with the pre-installed OS Login agent, so you do not need to install it manually.

    Ubuntu
    CentOS 7
    Debian 11
    AlmaLinux 9
    • Ubuntu 24.04

      curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-24.04/config_oslogin.sh | bash
      
    • Ubuntu 22.04

      curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-22.04/config_oslogin.sh | bash
      
    • Ubuntu 20.04

      curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-20.04/config_oslogin.sh | bash
      
    • Ubuntu 18.04

      curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-18.04/config_oslogin.sh | bash
      
    curl https://storage.yandexcloud.net/oslogin-configs/centos-7/config_oslogin.sh | bash
    
    curl https://storage.yandexcloud.net/oslogin-configs/debian-11/config_oslogin.sh | bash
    
    curl https://storage.yandexcloud.net/oslogin-configs/almalinux-9/config_oslogin.sh | bash
    
  4. Enable access via OS Login on the VM.

You can now connect to the VM via OS Login using either the YC CLI or a standard SSH client. To connect, you can use an SSH certificate or SSH key, which you first need to add to the profile of a Yandex Cloud Organization user or service account.

Disabling access via OS LoginDisabling access via OS Login

To access a VM without OS Login, the VM must store the public part of the SSH key. If the VM was created without an SSH key or the key was lost, add an SSH key and a local user to the VM manually before disabling OS Login access.

To get back the ability to connect to the VM over SSH without using OS Login:

  1. Disable access via OS Login.

    Management console
    CLI
    1. In the management console, select the folder this VM belongs to.
    2. Select Compute Cloud.
    3. In the left-hand panel, select Virtual machines and click the name of the VM in question.
    4. In the top-right corner, click Edit VM.
    5. Under Access, select SSH key.
    6. Click Save changes.

    Run this command:

    yc compute instance update --name <VM_name> \
    --folder-id <folder_ID> \
    --metadata enable-oslogin=false
    

    Make sure OS Login access is now disabled:

    yc compute ssh --name <VM_name> --folder-id <folder_ID>
    

    Result:

    ...
    username@12.345.***.***: Permission denied (publickey).
    ...
    
  2. Connect to the VM over SSH.

  3. Run the following command to delete OS Login packets:

    Linux
    curl https://storage.yandexcloud.net/oslogin-configs/common/remove_oslogin.sh | bash
    

    When deleting, you will be prompted to confirm the deletion of the cron and unscd packets. To confirm, type y and press Enter.

Alert

A user with superuser permissions for a VM can retain access to it even if the roles are revoked. To prevent user access to a VM with old permissions, create a new VM from a clean image.

Was the article helpful?

Previous
Creating a VM with OS Login support
Next
Exporting an SSH certificate
Yandex project
© 2025 Yandex.Cloud LLC