Working with a VM created from a public image
Connecting to a VM
You can connect to a virtual machine via SSH using an SSH key pair, via OS Login, or via the serial console.
Connecting via SSH
This method for connecting to a VM uses an SSH key pair: the public key resides on the VM, while the private one is kept by the user. Connecting with a key pair is more secure than with a username and password.
Note
SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.
Creating an SSH key pair
-
Open the terminal.
-
Use the
ssh-keygencommand to create a new key:ssh-keygen -t ed25519 -C "<optional_comment>"You can specify an empty string in the
-Cparameter to avoid adding a comment, or you may not specify the-Cparameter at all: in this case, a default comment will be added.After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the
.pubextension, while the private key, in a file without extension.By default, the command prompts you to save the key under the
id_ed25519name in the following directory:/home/<username>/.ssh. If there is already an SSH key namedid_ed25519in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
If you do not have OpenSSH installed yet, follow this guide to install it.
-
Run
cmd.exeorpowershell.exe(make sure to update PowerShell before doing so). -
Use the
ssh-keygencommand to create a new key:ssh-keygen -t ed25519 -C "<optional_comment>"You can specify an empty string in the
-Cparameter to avoid adding a comment, or you may not specify the-Cparameter at all: in this case, a default comment will be added.After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the
.pubextension, while the private key, in a file without extension.By default, the command prompts you to save the key under the
id_ed25519name in the following folder:C:\Users\<username>/.ssh. If there is already an SSH key namedid_ed25519in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
Create keys using the PuTTY app:
-
Download and install PuTTY.
-
Add the folder with PuTTY to the
PATHvariable:- Click Start and type Change system environment variables in the Windows search bar.
- Click Environment Variables... at the bottom right.
- In the window that opens, find the
PATHparameter and click Edit. - Add your folder path to the list.
- Click OK.
-
Launch the PuTTYgen app.
-
Select EdDSA as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.
-
In Key passphrase, enter a strong password. Enter it again in the field below.
-
Click Save private key and save the private key. Do not share its key phrase with anyone.
-
Click Save public key and save the public key to a file named
<key_name>.pub.
Connecting using an SSH key pair
After the VM starts (its status is RUNNING), you can connect to it over SSH. To do this, use ssh in Linux, macOS, and Windows 10/11, or PuTTY in Windows 7/8.
To connect, specify the VM address. This can be either its IP address or FQDN. You can also connect from another Yandex Cloud VM using FQDN if this VM is connected to the same virtual network. You can find out the IP address in the management console by going to the Network section on the VM's page.
Connecting via OS Login
OS Login is used to provide users with SSH access to VMs using IAM. To access a VM via OS Login, enable OS Login access at the organization level.
To connect to a VM via OS Login, users must have the compute.osLogin or compute.osAdminLogin role and the VM must support OS Login at the OS level. You can create a new VM with OS Login support or set up access via OS Login for an existing VM.
To connect to a VM via OS Login, specify the VM name or ID.
If a VM has OS Login access enabled, you cannot use a standard SSH client to connect to that VM with an SSH key.
Passwords for pre-installed software
In addition to OS distributions, Cloud Marketplace offers public images with pre-installed software. To get passwords to configure the pre-installed software in such images:
-
Connect to the VM.
-
You can find passwords for pre-installed software in the
/root/default_passwords.txtfile. Only a superuser has read and write permissions for the file. Get a list of passwords using this command:sudo cat /root/default_passwords.txt
If a public VM image has no pre-installed software, there will be no password file provided.
Using SSL
To use SSL, generate an SSL certificate and configure the web server to use it.
To create an SSL certificate, use Yandex Certificate Manager. You can export the certificate and use it on the web server.
Filtering network traffic
On VMs created from public images, only the ports required for configuring and running pre-installed software are open.
You can view a list of open ports for a particular VM when connecting to it using an SSH key pair. To open additional ports, use iptables.
At the cloud network level, security groups are used to filter the network traffic. To allow specific traffic for a VM at the network level, configure a security group and link it to the VM.
Installing updates
VMs created from public images do not feature automatic updates for their operating system or software. You can update them manually.