Connecting to a Linux VM via SSH
To connect to a VM over SSH, you need a key pair: the public key resides on the VM, and the private one is kept by the user. This method is more secure than connecting with login and password.
To enable another user to connect to your VM, add an SSH key for them by following this guide.
Note
When creating a VM accessible via OS Login, specify SSH keys in the metadata. This way, you will be able to connect to the VM via SSH even if you disable OS Login access for it.
To connect to a Linux VM via SSH:
- Create an SSH key pair.
- Copy the public key to the SSH key field on the VM creation page.
- Connect to the VM.
Creating an SSH key pair
- Open the terminal.
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t ed25519 -C "<optional_comment>"
  You can specify an empty string in the -C parameter to avoid adding a comment, or you may not specify the -C parameter at all: in this case, a default comment will be added.
  After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the .pub extension, while the private key, in a file without extension.
  By default, the command prompts you to save the key under the id_ed25519 name in the following directory: /home/<username>/.ssh. If there is already an SSH key named id_ed25519 in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
If you do not have OpenSSH
- Run cmd.exe or powershell.exe (make sure to update PowerShell before doing so).
- Use the ssh-keygen command to create a new key:
  ssh-keygen -t ed25519 -C "<optional_comment>"
  You can specify an empty string in the -C parameter to avoid adding a comment, or you may not specify the -C parameter at all: in this case, a default comment will be added.
  After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the .pub extension, while the private key, in a file without extension.
  By default, the command prompts you to save the key under the id_ed25519 name in the following directory: C:\Users\<username>/.ssh. If there is already an SSH key named id_ed25519 in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
Create keys using the PuTTY app:
- Download and install PuTTY.
- Make sure the directory where you installed PuTTY is included in PATH:
  - Right-click My computer. Click Properties.
  - In the window that opens, select Additional system parameters, then Environment variables (located in the lower part of the window).
  - Under System variables, find PATH and click Edit.
  - In the Variable value field, append the path to the directory where you installed PuTTY.
- Launch the PuTTYgen app.
- Select EdDSA as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.
- In Key passphrase, enter a strong password. Enter it again in the field below.
- Click Save private key and save the private key. Do not share its key phrase with anyone.
- Click Save public key and save the public key in the following file: <key_name>.pub.
Warning
Save the private key in a secure location, as you will not be able to connect to the VM without it.
Copying a public key to the clipboard
The previously created public key has the following format:
<key_type> <public_key_body> <optional_comment>
Example:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ABFLIFyapYheN7OZNhTaNqEHefjmU5mtzK********+gRPCz user@Desktop
Tip
The <optional_comment> section is not used when connecting via SSH, so you can ignore it.
Open the <key_name>.pub file using any text editor, such as Notepad, and copy the key from it. The key must be written as a single line (without returns or line breaks).
You can also copy the key using the command line:
In the terminal, use one of the following methods to copy the key:
- Manually. To do this, output the file contents to the screen:
  cat <key_file_path>/<key_name>.pub
  The public key will be shown on the screen. Copy it to the clipboard.
- Use the appropriate command:
  - For Linux:
    cat <key_file_path>/<key_name>.pub | xclip -selection clipboard
  - For macOS:
    cat <key_file_path>/<key_name>.pub | pbcopy
  The above-mentioned commands copy the entire content of the file, including the optional comment.
- Run cmd.exe or powershell.exe.
- Use one of the following methods to copy the key:
  - Manually. To do this, output the file contents to the screen:
    type <key_file_path>\<key_name>.pub
    The public key will be shown on the screen. Copy it to the clipboard.
  - Use the appropriate command:
    type <key_file_path>\<key_name>.pub | clip
    The above-mentioned command copies the entire content of the file, including the optional comment.
After that, paste the public key into the SSH key field when creating a new VM in the management console.
Connecting to a VM
You can connect to a VM with the RUNNING status over SSH. Some time may be required to initialize all the services after the VM starts. If there is a connection error, retry after a few minutes.
VM security groups must allow incoming TCP traffic to port 22.
To connect, specify the VM's public IP address. You can find out the public IP address in the management console: on the VM page, go to the Network section and find the Public IPv4 address field. If you created a VM with an internal IP address only, bind it to a public IP address.
You can also use the internal IP addresses and FQDNs to establish an SSH connection between the VMs on a single cloud network in Yandex Cloud.
In the terminal, run this command:
ssh <username>@<VM_public_IP_address>
Where <username> is the VM account username. If you created the VM via the CLI, yc-user is the default user.
If you have multiple private keys, specify the one you need:
ssh -i <file_path/key_file_name> <username>@<VM_public_IP_address>
If this is your first time connecting to the VM, you will see an unknown host warning:
The authenticity of host '51.250.83.243 (51.250.83.243)' can't be established.
ED25519 key fingerprint is SHA256:6Mjv93NJDCaf/vu3NYwiLQK4tKI+4cfLtkd********.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes in the terminal and press Enter.
Make sure that the Windows account has read privileges on the folder containing the keys.
To connect to the VM, execute the following command in the command line:
ssh <username>@<VM_public_IP_address>
Where <username> is the VM account username. If you created the VM via the CLI, yc-user is the default user.
If you have multiple private keys, specify the one you need:
ssh -i <key_path\key_file_name> <username>@<VM_public_IP_address>
If this is your first time connecting to the VM, you will see an unknown host warning:
The authenticity of host '89.169.132.223 (89.169.132.223)' can't be established.
ECDSA key fingerprint is SHA256:DfjfFB+in0q0MGi0HnqLNMdHssLfm1yRanB********.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes in the command line and press Enter.
Establish a connection using the PuTTY app:
- Run the Pageant application.
  - Right-click the Pageant icon in the task bar.
  - In the context menu, select Add key.
  - Select a PuTTY-generated private key in .ppk format. If a password is set for the key, enter it.
- Run PuTTY.
  - In the Host Name (or IP address) field, enter the public IP address of the VM you want to connect to. Set the port to 22 and connection type to SSH.
  - In the tree on the left, select Connection → SSH → Auth.
  - Set the Allow agent forwarding option.
  - In the tree on the left, select Connection → SSH → Auth → Credentials.
  - In the Private key file for authentication field, select the file with the private key.
  - Go back to the Sessions menu. In the Saved sessions field, enter any session name and click Save. The session settings are saved under the specified name. You can use this session profile to connect using Pageant.
  - Click Open. If this is the first time you connect to a VM, you might see a warning about an unknown host.
    Click Accept. A terminal window will open prompting you to enter the username of the user on whose behalf the connection is being established. Type the username that you specified when creating the VM and press Enter. If you created the VM via the CLI, yc-user is the default user.
    If all the settings are correct, the connection with the server will be established.
- If you saved the session profile in PuTTY, you can use Pageant to establish a connection in the future:
  - Right-click the Pageant icon in the task bar.
  - Select the Saved sessions menu item.
  - In the saved sessions list, select the session you need.
For more information on how to solve connection issues, see FAQ.
Adding SSH keys for other users
You can add SSH keys for another VM user. To do this, create a new user and add a file with the authorized keys for this user.
To create multiple users with keys at the same time, use metadata.
To configure users from within the VM, follow these steps:
- Connect to the VM under the username you specified when creating the VM in the management console.
  Note
  To get information about a VM with user metadata, run the command:
  yc compute instance get --full <VM_name>
- Create a new user named testuser and specify bash as the default shell for this user:
  sudo useradd -m -d /home/testuser -s /bin/bash testuser
- Switch to the new user:
  sudo su - testuser
- Create the .ssh folder in the new user's home directory:
  mkdir .ssh
- In the .ssh folder, create a file named authorized_keys:
  touch .ssh/authorized_keys
- Add the public key of the new user to the authorized_keys file:
  echo "<public_key>" >> /home/testuser/.ssh/authorized_keys
- Change the access permissions to the authorized_keys file and the .ssh folder:
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
- Disconnect from the VM using the exit command.
- Check the connection for the new user:
  ssh testuser@<VM_public_IP_address>
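The key-installation steps above can be combined into one script that also enforces the single-line key format described earlier. This is an added example, not part of the original guide: the function names valid_pubkey_line and install_pubkey are hypothetical, the list of accepted key types is an assumption covering common OpenSSH types, and the script is meant to be run as the target user.

```shell
#!/bin/sh
# Added example: validate a public key line, then install it with the
# permissions used in the steps above. Run it as the target user.

# Accepts exactly one "<key_type> <public_key_body> [comment]" line.
# On success leaves the parsed fields in $ktype and $body.
valid_pubkey_line() {
    nl='
'
    cr=$(printf '\r')
    case $1 in
        *"$nl"*|*"$cr"*) return 1 ;;   # a key must be a single line
    esac
    read -r ktype body _comment <<EOF
$1
EOF
    case $ktype in   # assumed list of common OpenSSH key types
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $body in
        AAAA*) ;;                      # key blob starts with a 4-byte length field
        *) return 1 ;;
    esac
    case $body in
        *[!A-Za-z0-9+/=]*) return 1 ;; # base64 characters only
    esac
    return 0
}

# install_pubkey HOME_DIR KEY_LINE: body is a subshell so umask stays local.
install_pubkey() (
    valid_pubkey_line "$2" || { echo "rejected: not a one-line public key" >&2; exit 2; }
    umask 077
    keys=$1/.ssh/authorized_keys
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || exit 1
    touch "$keys" && chmod 600 "$keys" || exit 1
    # The comment is not used for authentication, so a key already present
    # under a different comment is not appended a second time.
    if awk -v t="$ktype" -v b="$body" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$keys"
    then exit 0
    fi
    printf '%s\n' "$2" >> "$keys"
)

# Usage (placeholder as on the page): install_pubkey "$HOME" "<public_key>"
```

A key pasted with a line break, or one whose body still contains redaction characters such as asterisks, is rejected with exit status 2 and authorized_keys is left unchanged.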