VM serial console
Warning
When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:
- The VM will remain manageable over the internet even without an external IP address. A user who has successfully authenticated in the Yandex Cloud management console and has the required access permissions for the VM will be able to access the serial console. One can also access the VM serial console via SSH client applications, such as PuTTY, or through the CLI by authenticating with an SSH key. Therefore, make sure to prevent any unauthorized access to your SSH key and always end the web session to reduce interception risks.
- Your serial console session is shared simultaneously with all users who have access to the serial console. Users can see each other's actions if they view the serial console output concurrently.
- A valid serial console session can be accessed by another user.
We recommend enabling serial console access only when absolutely necessary, granting access permissions to a limited group of trusted users, and using strong VM passwords.
When you are done using the management console, do not forget to disable access to it.
The serial console allows you to access a virtual machine no matter what state its network is in. The serial console operates based on the IPMI
This means you can use the serial console for things like troubleshooting the virtual machine or accessing it over SSH or OS Login.
Managing serial console access requires the compute.admin or editor role.
You can connect to the serial console of a Linux VM instance using the management console, standard SSH client, or Yandex Cloud CLI. For more information, see Connecting to a Linux VM serial console.
You can connect to the serial console of a Windows VM instance using the management console or Yandex Cloud CLI. For more information, see Connecting to the serial console of a Windows VM instance.
Access to the VM serial console is disabled by default.
Serial ports
Warning
How a serial console works depends on how the operating system is set up. Yandex Compute Cloud provides a channel between the user and the virtual machine's COM port and does not guarantee the stability of the console's operation from the OS side.
You can use the serial console to connect to Compute Cloud VM instances via different serial ports: COM1, COM2, COM3, or COM4.
By default, the serial ports used for this purpose are COM1 (Linux) and COM2 (Windows). To use a different port, configure it manually in the VM instance OS.
Security when using SSH
Note
You can only connect to a VM serial console over SSH using a passwordless key. Attempting to use a password will terminate the connection.
For remote access, it is important to ensure protection against MITM attacks.
A secure connection can be established using the following methods:
- Before each connection to the VM, you can download the current SHA256 fingerprint of the SSH key. The first time you connect to a VM, the client shows the SSH key fingerprint and awaits confirmation to establish a connection:
  YES: Establish a connection. NO: Reject.
  Make sure the fingerprint from the link matches the fingerprint given by the client.
- Before each connection to the serial console, you can download the host's public SSH key (a file named serialssh-knownhosts) and use it to connect. Recommended startup options:
  ```bash
  ssh \
    -o ControlPath=none \
    -o IdentitiesOnly=yes \
    -o CheckHostIP=no \
    -o StrictHostKeyChecking=yes \
    -o UserKnownHostsFile=./serialssh-knownhosts \
    -p 9600 \
    -i ~/.ssh/<private_SSH_key_name> \
    <VM_ID>.<username>@serialssh.cloud.yandex.net
  ```
  The host's public SSH key can be changed later on.
Check the specified files regularly. Download them only over HTTPS, and first make sure that the https://storage.yandexcloud.net website has a valid certificate. If the website cannot guarantee secure encryption of your data due to certificate issues, your browser will display a warning.
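As an added example (not from the Yandex Cloud documentation or its tooling), the fingerprint check described above in Python: compute the SHA256 fingerprint of a host key taken from a serialssh-knownhosts style file exactly as `ssh-keygen -lf` prints it, compare it in constant time with the fingerprint the SSH client shows on first connection, and assemble the recommended ssh command as an argv list. The known_hosts entry and the key bytes are constructed for the example; the real layout of the downloaded file and its URL are not shown on this page and are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample known_hosts entry in the form ssh(1) uses for a non-default port.
# The key material below is made up for the example, NOT Yandex's real host key.
def sample_ed25519_blob() -> bytes:
    """OpenSSH wire encoding of an ed25519 public key: two length-prefixed strings."""
    key = bytes(range(32))  # placeholder 32-byte public key value
    return (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(key).to_bytes(4, "big") + key)

SAMPLE_KNOWN_HOSTS = ("[serialssh.cloud.yandex.net]:9600 ssh-ed25519 "
                      + base64.b64encode(sample_ed25519_blob()).decode() + "\n")

def openssh_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_from_known_hosts(text: str, host: str) -> str:
    """Return the fingerprint of the (plaintext) entry for `host`; raise if there is none."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host in parts[0].split(","):
            return openssh_fingerprint(base64.b64decode(parts[2]))
    raise KeyError(f"no known_hosts entry for {host}")

def fingerprint_matches(expected: str, shown_by_client: str) -> bool:
    """Constant-time comparison of the downloaded fingerprint with the one ssh displays."""
    return hmac.compare_digest(expected.encode(), shown_by_client.encode())

def serial_console_ssh_argv(vm_id: str, username: str, key_path: str,
                            known_hosts: str = "./serialssh-knownhosts") -> list:
    """The page's recommended ssh invocation as an argv list (usable with subprocess.run)."""
    return ["ssh", "-o", "ControlPath=none", "-o", "IdentitiesOnly=yes",
            "-o", "CheckHostIP=no", "-o", "StrictHostKeyChecking=yes",
            "-o", f"UserKnownHostsFile={known_hosts}", "-p", "9600", "-i", key_path,
            f"{vm_id}.{username}@serialssh.cloud.yandex.net"]

if __name__ == "__main__":
    fp = fingerprint_from_known_hosts(SAMPLE_KNOWN_HOSTS, "[serialssh.cloud.yandex.net]:9600")
    print(fp)  # compare this against what the ssh client shows on first connection
    print(" ".join(serial_console_ssh_argv("<VM_ID>", "<username>", "~/.ssh/<key_name>")))
```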