Connecting to a VM's serial console via CLI
After enabling access, you can connect to the serial console to interact with the VM.
Warning
When assessing the risk of enabling access via the serial console, consider the following:
-
The VM can still be managed from the internet even if there is no external IP address.
To access the VM serial console from the Yandex Cloud management console, a user must be authenticated in the Yandex Cloud management console and have the proper permissions to the VM. One can access the VM serial console from an SSH client application, such as PuTTY, or the YC CLI via SSH key authentication. To reduce the risk of web session hijacking, you should closely monitor your SSH key and make sure you terminate the web session. -
The session will be simultaneously shared by all users who have access to the serial console.
Users will be able to see each other's actions if concurrently watching the serial console's output. -
A valid session can be exploited by another user.
We recommend using the serial console only when absolutely necessary, grant access to a narrow group of people, and use strong VM passwords.
Make sure you disable access after you finish using the serial console.
Connecting to the serial console
Note
How the serial console works depends on the operating system settings. Compute Cloud provides a communication channel between the user and COM port on the VM, but it does not guarantee that the console works properly on the OS.
To connect to the serial console, use the CLI.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
Your next steps depend on the operating system and whether OS Login access is enabled for the VM. If OS Login access is enabled for the VM, you connect to the serial console using short-lived SSH certificates. SSH keys are used to connect to VMs with OS Login access disabled.
Some OS's may request user credentials to access a VM. In such cases, you need to create a local user password before connecting to the serial consoles of such VMs.
-
Create a local user password on the VM:
- Connect to the VM over SSH.
-
Create a user to authenticate on the VM through the serial console and set a local password for it:
sudo useradd <username> && sudo passwd <username>
Where
<username>
is the name of the new user, e.g.,yc-user
.When prompted by the system, enter your user password, then confirm it.
Result:
passwd: password updated successfully
- Disconnect from the VM. To do this, enter the
logout
command.
-
View the description of the CLI command for connecting to the serial console:
yc compute connect-to-serial-port --help
-
Get a list of VMs in the default folder:
yc compute instance list
Result:
+----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4******** | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+
-
Connect to the serial console of the VM you need:
yc compute connect-to-serial-port \ --instance-name <VM_name> \ --ssh-key ~/.ssh/id_ed25519
Where:
-
--instance-name
: Required parameter. VM name.
Instead of the VM name, you can provide its ID in the--instance-id
parameter. -
--ssh-key
: Optional parameter. Path to the private key for SSH access to the VM, e.g.,~/.ssh/id_ed25519
. If this parameter is omitted, theyc_serialssh_key
SSH key will be generated.
Alert
You can only connect to a VM's serial console via SSH using a non-password-protected key. Otherwise, the connection will be terminated after you enter a password.
When connecting, the system may request a username and password to authenticate on the VM. Enter the username and password you created earlier to gain access to the serial console.
For more information about the
yc compute connect-to-serial-port
command, see the CLI reference. -
-
Create a local user password on the VM:
- Connect to the VM via OS Login.
-
Create a user to authenticate on the VM through the serial console and set a local password for it:
sudo useradd <username> && sudo passwd <username>
Where
<username>
is the name of the new user, e.g.,yc-user
.When prompted by the system, enter your user password, then confirm it.
Result:
passwd: password updated successfully
- Disconnect from the VM. To do this, enter the
logout
command.
-
Get a list of VMs in the default folder:
yc compute instance list
Result:
+----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4******** | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+
-
Enable OS Login authorization for the VM when connecting to the serial console by specifying the VM name:
yc compute instance update \ --name <VM_name> \ --serial-port-settings ssh-authorization=OS_LOGIN
Result:
done (6s) id: fhm0b28lgfp4******** folder_id: b1g9d2k0itu4******** created_at: "2024-03-28T19:53:23Z" name: first-instance zone_id: ru-central1-a platform_id: standard-v3 resources: memory: "1073741824" cores: "2" core_fraction: "20" status: RUNNING metadata_options: gce_http_endpoint: ENABLED aws_v1_http_endpoint: ENABLED gce_http_token: ENABLED aws_v1_http_token: DISABLED boot_disk: mode: READ_WRITE device_name: epdu3ce920e7******** auto_delete: true disk_id: epdu3ce920e7******** network_interfaces: - index: "0" mac_address: d0:0d:5c:**:**:** subnet_id: e2luhnr3rhf8******** primary_v4_address: address: 192.168.1.21 one_to_one_nat: address: 51.250.***.*** ip_version: IPV4 security_group_ids: - enpjauvetqfb******** serial_port_settings: ssh_authorization: OS_LOGIN gpu_settings: {} fqdn: sample-vm.ru-central1.internal scheduling_policy: preemptible: true network_settings: type: STANDARD placement_policy: {}
-
View the description of the CLI command for connecting to the serial console:
yc compute connect-to-serial-port --help
-
Connect to the serial console of the VM you need:
yc compute connect-to-serial-port \ --instance-name <VM_name>
Where
--instance-name
is a required parameter. VM name. Instead of the VM name, you can provide its ID in the--instance-id
parameter.When connecting, the system may request a username and password to authenticate on the VM. Enter the username and password you created earlier to gain access to the serial console.
For more information about the
yc compute connect-to-serial-port
command, see the CLI reference.
-
View the description of the CLI command for connecting to the serial console:
yc compute connect-to-serial-port --help
-
Get a list of VMs in the default folder:
yc compute instance list
Result:
+----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4******** | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+
-
Connect to the Windows SAC of the VM you need:
yc compute connect-to-serial-port \ --instance-name <VM_name> \ --port 2
Where:
--instance-name
: Required parameter. VM name. Instead of the VM name, you can provide its ID in the--instance-id
parameter.--port
: Optional parameter. Port number to connect to the serial console. When connecting to the Windows serial console (SAC), specify2
.
When prompted by the system, enter your username, domain (VM name), and password. For more information, see Starting your terminal in the Windows serial console (SAC).
For more information about the
yc compute connect-to-serial-port
command, see the CLI reference.
Troubleshooting
- If you connect to the serial console and nothing appears on the screen:
- Press Enter.
- Restart the VM (for VMs created before February 22, 2019).
Disconnecting from the serial console
To disconnect from the serial console:
- Press Enter.
- Enter the following characters in succession:
~.
.