Connecting to a Linux VM serial console
Warning
When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:
- The VM remains manageable over the internet even if it has no external IP address. Any user who has authenticated in the Yandex Cloud management console and holds the required access permissions for the VM can open its serial console. The serial console can also be reached from SSH client applications, such as PuTTY, or through the CLI by authenticating with an SSH key. Therefore, protect your SSH private key from unauthorized access and always end the web session when you are done to reduce the risk of session interception.
- A serial console session is shared by all users who have access to the serial console. Users who view the console output at the same time can see each other's actions.
- An established serial console session can be accessed by another user who has serial console access.
We recommend enabling serial console access only when absolutely necessary, granting the permission to a small group of trusted users, and using strong passwords for local VM users.
When you are done using the serial console, do not forget to disable access to it.
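As a check that complements the recommendation above, the following added example (not part of the original page and not Yandex Cloud CLI code) audits a list of VM descriptions for serial consoles that were left enabled and reports which SSH authorization mode each one uses. It assumes the JSON shape of the yc compute instance update output shown later on this page plus a metadata map, as printed by yc compute instance get --full --format json (an assumption to verify against your CLI version); the sample data is constructed and the IDs and key blobs are placeholders.

```python
import json

# Constructed sample, modelled on the `yc compute instance update` output shown on
# this page (IDs and key material are placeholders). It assumes a JSON array of
# instances that carries a `metadata` map, as printed by
# `yc compute instance get --full --format json`; verify that your CLI output
# includes `metadata` before relying on this check.
SAMPLE_INSTANCES_JSON = """
[
  {"id": "fhm0b28lgfp4example1", "name": "first-instance", "status": "RUNNING",
   "metadata": {"serial-port-enable": "1", "enable-oslogin": "false",
                "ssh-keys": "yc-user:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER"},
   "serial_port_settings": {"ssh_authorization": "INSTANCE_METADATA"}},
  {"id": "fhm0b28lgfp4example2", "name": "second-instance", "status": "RUNNING",
   "metadata": {"serial-port-enable": "1", "enable-oslogin": "true"},
   "serial_port_settings": {"ssh_authorization": "OS_LOGIN"}},
  {"id": "fhm0b28lgfp4example3", "name": "third-instance", "status": "STOPPED",
   "metadata": {"serial-port-enable": "0"},
   "serial_port_settings": {}}
]
"""


def load_instances(text):
    """Parse the JSON array produced by the yc CLI."""
    return json.loads(text)


def serial_console_enabled(instance):
    """The page enables the console with metadata serial-port-enable=1."""
    return str(instance.get("metadata", {}).get("serial-port-enable", "0")) == "1"


def audit(instances):
    """Return one finding per VM whose serial console is enabled."""
    findings = []
    for inst in instances:
        if not serial_console_enabled(inst):
            continue
        metadata = inst.get("metadata", {})
        auth = inst.get("serial_port_settings", {}).get("ssh_authorization")
        findings.append({
            "id": inst["id"],
            "name": inst.get("name", ""),
            "status": inst.get("status", ""),
            # When the field is absent, the effective value is the organization
            # default (OS_LOGIN or INSTANCE_METADATA, see the note on this page).
            "ssh_authorization": auth or "ORG_DEFAULT",
            # Long-lived keys in metadata stay valid until removed; worth flagging.
            "local_ssh_keys_in_metadata": "ssh-keys" in metadata,
        })
    return findings


def disable_commands(findings):
    """Commands that turn the console off again, mirroring the page's
    `--metadata serial-port-enable=1` with the value 0."""
    return [f"yc compute instance update {f['id']} --metadata serial-port-enable=0"
            for f in findings]


if __name__ == "__main__":
    found = audit(load_instances(SAMPLE_INSTANCES_JSON))
    for f in found:
        print(f"{f['name']} ({f['id']}): serial console enabled, "
              f"auth={f['ssh_authorization']}, keys_in_metadata={f['local_ssh_keys_in_metadata']}")
    for cmd in disable_commands(found):
        print(cmd)
```

To run it against real data, replace SAMPLE_INSTANCES_JSON with the output of the CLI for each VM in the folder and review every finding whose status is RUNNING; the generated commands only disable the console and do not remove the ssh-keys metadata, which you should clean up separately if the key was added just for the console session.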
To connect to a VM's serial console, first enable serial console access for the VM.
You can connect to the serial console through the management console, using a standard SSH client, or via the Yandex Cloud CLI.
Before connecting to the serial console, carefully read this section: Security when using SSH.
Getting started
Some operating systems request local user credentials to open a session on the VM serial console. Therefore, before connecting to the serial console of a VM running such an OS, create a local user with a password.
In the example below, you create a new local Linux user account protected by a password:
- Connect to the VM over SSH or via OS Login.
- Create a new local user account with password protection:
  ```bash
  export NEW_USERNAME=<new_username>
  sudo useradd -m -d /home/$NEW_USERNAME -s /bin/bash $NEW_USERNAME \
    && sudo passwd $NEW_USERNAME
  ```
  The system will prompt you to enter and confirm the password for the new user:
  ```text
  New password:
  Retype new password:
  passwd: password updated successfully
  ```
Warning
How a serial console works depends on how the operating system is configured. Yandex Compute Cloud only provides a channel between the user and the VM's COM port; it does not guarantee stable operation of the console on the OS side.
Connecting via the management console
- In the management console, select the folder the VM resides in.
- Navigate to Compute Cloud.
- In the left-hand panel, select Virtual machines and select the VM from the list that opens.
- In the left-hand menu, select Serial console.
- At the top of the screen, in the drop-down list, select the serial port used by the serial console for VM connections.
  By default, serial port COM1 is used on Linux VMs. To use a different port, configure it manually on the VM OS side.
- In the serial console window that opens, enter the username and password you set earlier.
Warning
When you are done using the serial console, do not forget to disable access to it.
Connecting using a standard SSH client
Alert
You can connect to a VM serial console over SSH only with a key that has no password (passphrase). If a password is used, the connection is terminated.
Make sure you have the Yandex Cloud CLI installed and configured on your machine.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
Your next steps depend on whether OS Login access is enabled for the VM. With OS Login access enabled, you can connect to the serial console using the exported SSH certificate. To connect to VMs with OS Login access disabled, use SSH keys.
- Enable metadata authorization for serial console connections:
  ```bash
  yc compute instance update <VM_name_or_ID> \
    --serial-port-settings ssh-authorization=INSTANCE_METADATA \
    --metadata enable-oslogin=false,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
  ```
  Where:
  - <VM_name_or_ID>: To learn how to find out the VM name or ID, see Getting information about a VM.
  - --metadata: VM metadata. ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH.
  Result:
  ```yaml
  done (6s)
  id: fhm0b28lgfp4********
  folder_id: b1g9d2k0itu4********
  created_at: "2024-03-28T19:53:23Z"
  name: first-instance
  zone_id: ru-central1-a
  platform_id: standard-v3
  resources:
    memory: "1073741824"
    cores: "2"
    core_fraction: "20"
  status: RUNNING
  metadata_options:
    gce_http_endpoint: ENABLED
    aws_v1_http_endpoint: ENABLED
    gce_http_token: ENABLED
    aws_v1_http_token: DISABLED
  boot_disk:
    mode: READ_WRITE
    device_name: epdu3ce920e7********
    auto_delete: true
    disk_id: epdu3ce920e7********
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:5c:**:**:**
      subnet_id: e2luhnr3rhf8********
      primary_v4_address:
        address: 192.168.1.21
        one_to_one_nat:
          address: 51.250.***.***
          ip_version: IPV4
      security_group_ids:
        - enpjauvetqfb********
  serial_port_settings:
    ssh_authorization: INSTANCE_METADATA
  gpu_settings: {}
  fqdn: sample-vm.ru-central1.internal
  scheduling_policy:
    preemptible: true
  network_settings:
    type: STANDARD
  placement_policy: {}
  hardware_generation:
    legacy_features:
      pci_topology: PCI_TOPOLOGY_V1
  ```
  For more information about the yc compute instance update command, see the CLI reference.
  Note
  If OS Login access is enabled at the organization level, all new VMs created in this organization get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled in the organization, the default value of this field is INSTANCE_METADATA.
- Connect to the VM's serial console:
  ```bash
  ssh -t \
    -p 9600 \
    -o IdentitiesOnly=yes \
    -i <path_to_private_SSH_key> \
    <VM_ID>.<username>.port=1@serialssh.cloud.yandex.net
  ```
  Where:
  - <path_to_private_SSH_key>: Path to the private part of the SSH key you use to access the VM.
  - <VM_ID>: VM ID.
  - <username>: Username for SSH connections, as specified in the VM metadata.
  - port=1: Number of the serial port used by the serial console for VM connections. By default, serial port COM1 is used on Linux VMs. To use a different port, configure it manually on the VM OS side.
  When connecting, the system may prompt you for a login and password to authenticate to the VM. Enter the username and password you created earlier to gain access to the VM.
- Finish using the serial console:
  - Exit the local OS user session:
    ```bash
    exit
    ```
  - Close the serial console session by entering the following character sequence (the OpenSSH escape sequence; type it at the beginning of a new line, right after pressing Enter):
    ```text
    ~.
    ```
- Enable OS Login authorization for serial console connections:
  ```bash
  yc compute instance update <VM_name_or_ID> \
    --serial-port-settings ssh-authorization=OS_LOGIN \
    --metadata enable-oslogin=true,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
  ```
  Where:
  - <VM_name_or_ID>: To learn how to find out the VM name or ID, see Getting information about a VM.
  - --metadata: VM metadata. ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH if access via OS Login is disabled for this VM later.
  Result:
  ```yaml
  done (6s)
  id: fhm0b28lgfp4********
  folder_id: b1g9d2k0itu4********
  created_at: "2024-03-28T19:53:23Z"
  name: first-instance
  zone_id: ru-central1-a
  platform_id: standard-v3
  resources:
    memory: "1073741824"
    cores: "2"
    core_fraction: "20"
  status: RUNNING
  metadata_options:
    gce_http_endpoint: ENABLED
    aws_v1_http_endpoint: ENABLED
    gce_http_token: ENABLED
    aws_v1_http_token: DISABLED
  boot_disk:
    mode: READ_WRITE
    device_name: epdu3ce920e7********
    auto_delete: true
    disk_id: epdu3ce920e7********
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:5c:**:**:**
      subnet_id: e2luhnr3rhf8********
      primary_v4_address:
        address: 192.168.1.21
        one_to_one_nat:
          address: 51.250.***.***
          ip_version: IPV4
      security_group_ids:
        - enpjauvetqfb********
  serial_port_settings:
    ssh_authorization: OS_LOGIN
  gpu_settings: {}
  fqdn: sample-vm.ru-central1.internal
  scheduling_policy:
    preemptible: true
  network_settings:
    type: STANDARD
  placement_policy: {}
  hardware_generation:
    legacy_features:
      pci_topology: PCI_TOPOLOGY_V1
  ```
  For more information about the yc compute instance update command, see the CLI reference.
  Note
  If OS Login access is enabled at the organization level, all new VMs created in this organization get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled in the organization, the default value of this field is INSTANCE_METADATA.
- Export the OS Login certificate, specifying your organization ID:
  ```bash
  yc compute ssh certificate export \
    --organization-id <organization_ID>
  ```
  Result:
  ```text
  Identity: /home/myuser/.ssh/yc-organization-id-bpfaidqca8vd********-yid-orgusername
  Certificate: /home/myuser/.ssh/yc-organization-id-bpfaidqca8vd********-yid-orgusername-cert.pub
  ```
  The exported certificate is valid for one hour.
- Connect to the VM's serial console:
  ```bash
  ssh -t \
    -p 9600 \
    -i <SSH_certificate_path> \
    <VM_ID>.<OS_Login_username>.port=1@serialssh.cloud.yandex.net
  ```
  Where:
  - <SSH_certificate_path>: Path to the SSH identity you exported earlier (the Identity line of the output; OpenSSH automatically uses the matching -cert.pub file stored next to it).
  - <VM_ID>: VM ID.
  - <OS_Login_username>: OS Login username in the organization. You can find it at the end of the exported certificate name, after the organization ID. You can also get the username with the yc organization-manager os-login profile list Yandex Cloud CLI command or in the Cloud Center interface, in the user profile on the OS Login Profiles tab.
    Note
    The minimum role required to view the list of OS Login user profiles is organization-manager.osLogins.viewer, assigned for your organization. For other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Identity Hub.
  - port=1: Number of the serial port used by the serial console for VM connections. By default, serial port COM1 is used on Linux VMs. To use a different port, configure it manually on the VM OS side.
  When connecting, the system may prompt you for a login and password to authenticate to the VM. Enter the username and password you created earlier to gain access to the VM.
- Finish using the serial console:
  - Exit the local OS user session:
    ```bash
    exit
    ```
  - Close the serial console session by entering the following character sequence (the OpenSSH escape sequence; type it at the beginning of a new line, right after pressing Enter):
    ```text
    ~.
    ```
Warning
When you are done using the serial console, do not forget to disable access to it.
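The two ssh command lines above differ only in how the login name and identity are chosen. The following added example (not code from the page, from Yandex Cloud, or from OpenSSH) assembles the ssh argv for both authorization modes, validates the parts of the <VM_ID>.<username>.port=N login name, and derives the OS Login username from the exported identity file name using the naming pattern visible in the sample output (yc-organization-id-<organization_ID>-<OS_Login_username>, with -cert.pub appended for the certificate). The VM ID character set (lowercase alphanumeric) is an assumption, and all IDs and paths in it are placeholders.

```python
import os
import re
import shlex

SERIAL_PROXY_HOST = "serialssh.cloud.yandex.net"
SERIAL_PROXY_PORT = 9600

# Naming of the exported OS Login identity, taken from the sample output on this
# page: yc-organization-id-<organization_ID>-<OS_Login_username>; the certificate
# sits beside it under the same name plus "-cert.pub". Usernames may contain
# hyphens, so the match is anchored on the organization ID (which has none).
_IDENTITY_RE = re.compile(
    r"^yc-organization-id-(?P<org>[^-]+)-(?P<user>.+?)(?:-cert\.pub)?$")


def os_login_username_from_identity(identity_path):
    """Recover the OS Login username from the exported identity file name."""
    match = _IDENTITY_RE.match(os.path.basename(identity_path))
    if match is None:
        raise ValueError(f"not an exported OS Login identity: {identity_path}")
    return match.group("user")


def serial_console_target(vm_id, username, port=1):
    """Build the <VM_ID>.<username>.port=<N> login name used by the proxy."""
    # Assumption: VM IDs are lowercase alphanumeric, like fhm0b28lgfp4... above.
    if not re.fullmatch(r"[a-z0-9]+", vm_id):
        raise ValueError(f"VM ID must be lowercase alphanumeric: {vm_id!r}")
    if not username or any(c.isspace() for c in username) or "@" in username:
        raise ValueError(f"invalid username: {username!r}")
    if not isinstance(port, int) or port < 1:
        raise ValueError(f"serial port number must be a positive integer: {port!r}")
    return f"{vm_id}.{username}.port={port}"


def ssh_command(vm_id, username, identity_path, port=1, identities_only=True):
    """argv for an OpenSSH connection through the serial console proxy.
    identities_only=True mirrors the page's metadata-key example
    (-o IdentitiesOnly=yes); the OS Login example on the page omits it."""
    argv = ["ssh", "-t", "-p", str(SERIAL_PROXY_PORT)]
    if identities_only:
        argv += ["-o", "IdentitiesOnly=yes"]
    argv += ["-i", identity_path,
             f"{serial_console_target(vm_id, username, port)}@{SERIAL_PROXY_HOST}"]
    return argv


def ssh_command_os_login(vm_id, identity_path, port=1):
    """Same, for an identity exported with `yc compute ssh certificate export`:
    OpenSSH loads <identity>-cert.pub automatically next to the private key."""
    username = os_login_username_from_identity(identity_path)
    return ssh_command(vm_id, username, identity_path, port, identities_only=False)


if __name__ == "__main__":
    # Placeholder VM ID, organization ID and file names, not real resources.
    print(shlex.join(ssh_command("fhm0b28lgfp4example1", "yc-user", "~/.ssh/id_ed25519")))
    print(shlex.join(ssh_command_os_login(
        "fhm0b28lgfp4example1",
        "/home/myuser/.ssh/yc-organization-id-bpfaidqca8vdexample1-yid-orgusername")))
```

Passing the result to subprocess.run(argv) rather than a shell string avoids quoting problems with the = in the login name; remember that the exported identity is only good for one hour, so a stale path yields the Permission denied (publickey) error discussed under troubleshooting.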
Connecting via the Yandex Cloud CLI
Alert
You can connect to a VM serial console over SSH only with a key that has no password (passphrase). If a password is used, the connection is terminated.
Make sure you have the Yandex Cloud CLI installed and configured on your machine.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
Your next steps depend on whether OS Login access is enabled for the VM. With OS Login access enabled, you can connect to the serial console using short-lived SSH certificates. To connect to VMs with OS Login access disabled, use SSH keys.
- See the description of the CLI command for connecting to a serial console:
  ```bash
  yc compute connect-to-serial-port --help
  ```
- Enable metadata authorization for serial console connections:
  ```bash
  yc compute instance update <VM_name_or_ID> \
    --serial-port-settings ssh-authorization=INSTANCE_METADATA \
    --metadata enable-oslogin=false,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
  ```
  Where:
  - <VM_name_or_ID>: To learn how to find out the VM name or ID, see Getting information about a VM.
  - --metadata: VM metadata. ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH.
  Result:
  ```yaml
  done (6s)
  id: fhm0b28lgfp4********
  folder_id: b1g9d2k0itu4********
  created_at: "2024-03-28T19:53:23Z"
  name: first-instance
  zone_id: ru-central1-a
  platform_id: standard-v3
  resources:
    memory: "1073741824"
    cores: "2"
    core_fraction: "20"
  status: RUNNING
  metadata_options:
    gce_http_endpoint: ENABLED
    aws_v1_http_endpoint: ENABLED
    gce_http_token: ENABLED
    aws_v1_http_token: DISABLED
  boot_disk:
    mode: READ_WRITE
    device_name: epdu3ce920e7********
    auto_delete: true
    disk_id: epdu3ce920e7********
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:5c:**:**:**
      subnet_id: e2luhnr3rhf8********
      primary_v4_address:
        address: 192.168.1.21
        one_to_one_nat:
          address: 51.250.***.***
          ip_version: IPV4
      security_group_ids:
        - enpjauvetqfb********
  serial_port_settings:
    ssh_authorization: INSTANCE_METADATA
  gpu_settings: {}
  fqdn: sample-vm.ru-central1.internal
  scheduling_policy:
    preemptible: true
  network_settings:
    type: STANDARD
  placement_policy: {}
  hardware_generation:
    legacy_features:
      pci_topology: PCI_TOPOLOGY_V1
  ```
  For more information about the yc compute instance update command, see the CLI reference.
  Note
  If OS Login access is enabled at the organization level, all new VMs created in this organization get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled in the organization, the default value of this field is INSTANCE_METADATA.
- Connect to the VM's serial console:
  ```bash
  yc compute connect-to-serial-port \
    --instance-name <VM_name> \
    --ssh-key <path_to_private_SSH_key> \
    --port 1
  ```
  Where:
  - --instance-name: VM name. Instead of the VM name, you can provide its ID in the --instance-id parameter.
  - --ssh-key: Path to the private key for SSH access to the VM, e.g., ~/.ssh/id_ed25519.
  - --port: Number of the serial port used by the serial console for VM connections. By default, serial port COM1 is used on Linux VMs. To use a different port, configure it manually on the VM OS side.
  When connecting, the system may prompt you for a login and password to authenticate to the VM. Enter the username and password you created earlier to gain access to the VM.
  For more information about the yc compute connect-to-serial-port command, see the CLI reference.
- Finish using the serial console:
  - Exit the local OS user session:
    ```bash
    exit
    ```
  - Close the serial console session by entering the following character sequence (the OpenSSH escape sequence; type it at the beginning of a new line, right after pressing Enter):
    ```text
    ~.
    ```
- See the description of the CLI command for connecting to a serial console:
  ```bash
  yc compute connect-to-serial-port --help
  ```
- Enable OS Login authorization for serial console connections:
  ```bash
  yc compute instance update <VM_name_or_ID> \
    --serial-port-settings ssh-authorization=OS_LOGIN \
    --metadata enable-oslogin=true,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
  ```
  Where:
  - <VM_name_or_ID>: To learn how to find out the VM name or ID, see Getting information about a VM.
  - --metadata: VM metadata. ssh-keys: Name of the local VM user and the contents of the public SSH key that will allow this user to connect to the VM over SSH if access via OS Login is disabled for this VM later.
  Result:
  ```yaml
  done (6s)
  id: fhm0b28lgfp4********
  folder_id: b1g9d2k0itu4********
  created_at: "2024-03-28T19:53:23Z"
  name: first-instance
  zone_id: ru-central1-a
  platform_id: standard-v3
  resources:
    memory: "1073741824"
    cores: "2"
    core_fraction: "20"
  status: RUNNING
  metadata_options:
    gce_http_endpoint: ENABLED
    aws_v1_http_endpoint: ENABLED
    gce_http_token: ENABLED
    aws_v1_http_token: DISABLED
  boot_disk:
    mode: READ_WRITE
    device_name: epdu3ce920e7********
    auto_delete: true
    disk_id: epdu3ce920e7********
  network_interfaces:
    - index: "0"
      mac_address: d0:0d:5c:**:**:**
      subnet_id: e2luhnr3rhf8********
      primary_v4_address:
        address: 192.168.1.21
        one_to_one_nat:
          address: 51.250.***.***
          ip_version: IPV4
      security_group_ids:
        - enpjauvetqfb********
  serial_port_settings:
    ssh_authorization: OS_LOGIN
  gpu_settings: {}
  fqdn: sample-vm.ru-central1.internal
  scheduling_policy:
    preemptible: true
  network_settings:
    type: STANDARD
  placement_policy: {}
  hardware_generation:
    legacy_features:
      pci_topology: PCI_TOPOLOGY_V1
  ```
  For more information about the yc compute instance update command, see the CLI reference.
  Note
  If OS Login access is enabled at the organization level, all new VMs created in this organization get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled in the organization, the default value of this field is INSTANCE_METADATA.
- Connect to the VM's serial console (with OS Login enabled, the CLI obtains a short-lived SSH certificate for you, so no --ssh-key is needed):
  ```bash
  yc compute connect-to-serial-port \
    --instance-name <VM_name> \
    --port 1
  ```
  Where:
  - --instance-name: VM name. Instead of the VM name, you can provide its ID in the --instance-id parameter.
  - --port: Number of the serial port used by the serial console for VM connections. By default, serial port COM1 is used on Linux VMs. To use a different port, configure it manually on the VM OS side.
  When connecting, the system may prompt you for a login and password to authenticate to the VM. Enter the username and password you created earlier to gain access to the VM.
  For more information about the yc compute connect-to-serial-port command, see the CLI reference.
- Finish using the serial console:
  - Exit the local OS user session:
    ```bash
    exit
    ```
  - Close the serial console session by entering the following character sequence (the OpenSSH escape sequence; type it at the beginning of a new line, right after pressing Enter):
    ```text
    ~.
    ```
Warning
When you are done using the serial console, do not forget to disable access to it.
Troubleshooting connection issues
- If you connect to the serial console and nothing appears on the screen:
  - Press Enter.
  - Restart the VM (for VMs created before February 22, 2019).
- If you get the Warning: remote host identification has changed! error when connecting with an SSH key, run the ssh-keygen -R <VM_IP_address> command.
- If you get the Permission denied (publickey). error when connecting with an SSH certificate, make sure OS Login authorization is enabled on the VM for serial console connections and the certificate is still valid (an exported certificate expires one hour after export). Enable OS Login authorization on the VM for serial console connections or re-export the SSH certificate as required.
- If you get the Connection closed by 2a0d:d6c1:0:**::*** port 9600 error when connecting using an SSH certificate, open the known_hosts file on your local machine and delete all lines that start with [serialssh.cloud.yandex.net]:9600. Then try connecting again and, after checking the host key fingerprint that is presented, respond with yes to Are you sure you want to continue connecting (yes/no/[fingerprint])?.
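The last two items above both come down to removing stale known_hosts entries for one host. The following added example (not code from the page, from Yandex Cloud, or from OpenSSH) does for a given host what ssh-keygen -R does, and goes beyond the page by also matching entries that OpenSSH stored in hashed form (HashKnownHosts yes), which a plain text search for [serialssh.cloud.yandex.net]:9600 would miss. The sample known_hosts lines are constructed and the key blobs are placeholders, not real host keys.

```python
import base64
import hashlib
import hmac

# Host as it appears in known_hosts for a non-standard port: "[host]:port".
SERIAL_PROXY_KNOWN_HOST = "[serialssh.cloud.yandex.net]:9600"


def hash_known_host(hostname, salt):
    """Encode a hostname the way OpenSSH does with HashKnownHosts:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                            base64.b64encode(mac).decode())


def host_field_matches(host_field, hostname):
    """True if the host column of a known_hosts entry refers to hostname.
    The column is either a comma-separated list of names, or a single hashed
    entry that can only be tested by recomputing the HMAC with its salt."""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        return hmac.compare_digest(hash_known_host(hostname, salt), host_field)
    return hostname in host_field.split(",")


def remove_host_entries(lines, hostname):
    """Drop every entry for hostname; keep comments, blank lines and the rest.
    Returns (kept_lines, removed_count)."""
    kept, removed = [], 0
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # "@cert-authority" / "@revoked" markers precede the host column.
        host_field = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if host_field_matches(host_field, hostname):
            removed += 1
        else:
            kept.append(line)
    return kept, removed


def clean_known_hosts_file(path, hostname):
    """In-place variant that keeps a .old backup, as `ssh-keygen -R` does."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    kept, removed = remove_host_entries(lines, hostname)
    if removed:
        with open(path + ".old", "w") as fh:
            fh.write("\n".join(lines) + "\n")
        with open(path, "w") as fh:
            fh.write("\n".join(kept) + "\n")
    return removed


# Constructed sample; the key blobs are placeholders, not real host keys.
# The second entry is the proxy host in hashed form (20-byte salt, as OpenSSH uses).
SAMPLE_KNOWN_HOSTS = [
    "# comment line",
    "[serialssh.cloud.yandex.net]:9600 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1",
    hash_known_host(SERIAL_PROXY_KNOWN_HOST, b"0123456789abcdef0123")
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2",
    "192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3",
]

if __name__ == "__main__":
    kept, removed = remove_host_entries(SAMPLE_KNOWN_HOSTS, SERIAL_PROXY_KNOWN_HOST)
    print(f"removed {removed} entries; {len(kept)} lines kept")
```

Call clean_known_hosts_file(os.path.expanduser("~/.ssh/known_hosts"), SERIAL_PROXY_KNOWN_HOST) for the proxy case, or pass the VM IP address for the remote host identification has changed case; either way, inspect the host key fingerprint on the next connection rather than accepting it blindly.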