What is SSH Key Pair, Benefits and Usage
An SSH key pair, or key pair for short, is a secure authentication method provided by Alibaba Cloud for remote logon to your Linux instance. It is an alternative to authentication using a username and password.
The key pair is composed of a public key and a private key. The asymmetric cryptography feature uses the public key to encrypt data, and the local client uses the private key to decrypt the data.
The Linux ECS instance stores the public key. You use the private key to connect to your instance by entering SSH commands or using other tools. To guarantee security, ECS disables username and password authentication once the SSH key pair is enabled.
Benefits
Compared with typical username and password authentication, an SSH key pair has the following benefits:
High security
Using an SSH key pair to log on to a Linux instance is more secure and reliable.
- A key pair prevents brute force attacks targeted at password cracking.
- Due to the complexity of RSA encryption, the private key cannot be deduced even if the public key is maliciously acquired.
Ease of use
- You can log on remotely to an instance by configuring the key pair in the ECS console and on the local client, meaning you do not need to enter a password every time you log on.
- We recommend this method if you maintain multiple ECS instances.
Limits
Using an SSH key pair has the following restrictions:
- Applies only to Linux instances.
- Alibaba Cloud only supports the creation of 2048-bit RSA key pairs.
- Alibaba Cloud holds the public key of the key pair.
- After the key pair is created, you must download and securely store the private key.
- The private key is in the unencrypted PEM-encoded PKCS#8 format.
- Each Alibaba Cloud account can have a maximum of 500 key pairs per region.
- Only one SSH key pair can be added to a Linux instance at a time. If a key pair has already been added to your instance, the new key pair replaces the old one.
- During the lifecycle of a Linux instance, you can add or remove an SSH key pair at any time. After you add or remove a key pair, you must restart the instance for the change to take effect.
- All instances of any instance type family, except for the I/O optimized-instances of Generation I, support SSH key pairs.
Create an SSH key pair
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Click Create SSH Key Pair.
- Enter a name for the SSH key pair, and then select Auto-Create SSH Key Pair.
- Click OK to create the SSH key pair.
View public key information
For Windows:
- Start PuTTYgen.
- Click Load.
- Select the .ppk or .pem file.
PuTTYgen shows the public key information.
For Linux or Mac:
Run the ssh-keygen command and specify the path of the .pem file.
ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
The returned public key information is as follows:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIP6t0Mk5aPkK/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcV14uAy0yV6/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjGACGcXclex+lHtTGiAIRG1riyNRVC47ZEVCxxxxxx
View public key information within an instance
A public key is stored in the ~/.ssh/authorized_keys file. Opening that file in an instance returns public key information.
Import an SSH key pair
In addition to creating an SSH key pair in the ECS console, you can also use a tool to generate an SSH key pair and import the public key to Alibaba Cloud.
An imported public key must be Base64 encoded and must support any of the following encryption methods:
- rsa
- dsa
- ssh-rsa
- ssh-dss
- ecdsa
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- Obtain public key information.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Click Create SSH Key Pair.
- Enter a name for the SSH key pair, select Import SSH Key Pair, and then enter public key information in the Public Key box.
- Click OK.
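Before pasting a public key into the Public Key box, it helps to confirm that the line is well formed. The following is an added example, not Alibaba Cloud code: it checks that the body is valid Base64, that the type named in the blob matches the prefix, reports the RSA modulus size, and computes the SHA256 fingerprint in the form `ssh-keygen -l` prints. The function names and the sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (size,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + size
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def inspect_public_key(line):
    """Validate one OpenSSH public key line; return type, RSA bits, fingerprint."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid Base64") from exc
    inner_type, off = read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("type prefix does not match the encoded key")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, off = read_string(blob, off)
        modulus, off = read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint}

def mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero keeps it positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

# Constructed sample: structurally valid 2048-bit "ssh-rsa" blob, not a real key.
SAMPLE_BLOB = (struct.pack(">I", 7) + b"ssh-rsa"
               + mpint(65537) + mpint((1 << 2047) | 1))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-sample"

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_KEY))
```

Comparing the fingerprint of the key you import with the fingerprint of the key later found in ~/.ssh/authorized_keys confirms that the instance trusts the key you intended.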
Attach an SSH key pair
You can attach an SSH key pair to an instance during or after instance creation.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Find the target key pair, and click Bind in the Actions column.
- In the Select Instance box, select the target ECS instance, and click > to move it to the Selected box.
- Click OK.
After you attach an SSH key pair to an ECS instance, you can log on to that ECS instance by using the SSH key pair.
Detach an SSH key pair
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Find the target key pair, and click Unbind in the Actions column.
- In the Select Instance box, select the target ECS instance, and click > to move it to the Selected box.
- Click OK.
Add or replace a key pair in an instance
You can add multiple key pairs in an instance and use them to access that instance. You can also replace an existing key pair.
- Retrieve the public key of a new key pair.
- Use the existing key pair to log on to the ECS instance.
- Run vim .ssh/authorized_keys to open the file.
- Add or replace the public key.
- Add a public key: Add a new public key below the existing public key, and save the file.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCys3aOkFm1Xh8iN0lijeQF5mz9Iw/FV/bUUduZjauiJa1KQJSF4+czKtqMAv38QEspiWStkSfpTn1g9qeUhfKd4uWlmxeQ+XjPsf22fRem+v7MHMa7KnZWiHJxO62D4Ihvv2hKfskz8K44mVMeInMjGO+u17IaL2l2ri8q9YdvVHt0Mw5TpCkERWGoBPE1Y8vxFb97TaE5+zc+2+eff6PDCMkVTP+c/feMeCxpx6Lhc2NEpHIPxMpjOv1IytKiDfWcezA2aCmKre0Q2t/YudCmJ8HTCnLId5LpirbNE4X08Bk7tXZAU8UaoeDdUr/FKB1Cxw1TbGMTfWBcdWkdp2lv imported-openssh-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIP6t0Mk5aPkK/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcV14uAy0yV6/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjGACGcXclex+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvVlnI0E3Deb/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key
- Replace a public key: Delete the existing public key, add a new public key, and save the file.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdlrdZwV3+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIP6t0Mk5aPkK/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcV14uAy0yV6/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjGACGcXclex+lHtTGiAIRG1riyNRVC47ZEVCg9iTWWGrWFvVlnI0E3Deb/9H9mPCO1Xt2fxxxxxxxxBtmR imported-openssh-key
If you can use the new private key to log on to the ECS instance, the add or replace operation is completed successfully.
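The add and replace steps above can also be scripted instead of edited by hand in vim. The following is an added example, not Alibaba Cloud code: it writes each key on its own line, keeps a rollback copy of the previous file, restricts the file to mode 0600, and swaps the new file in atomically. The function name, the `.bak` suffix and the sample keys are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile

def update_authorized_keys(path, new_key, replace=False):
    """Add new_key on its own line, or replace all existing entries with it."""
    new_key = new_key.strip()
    if "\n" in new_key or "\r" in new_key or len(new_key.split()) < 2:
        raise ValueError("expected exactly one '<type> <base64> [comment]' line")
    ssh_dir = os.path.dirname(os.path.abspath(path))
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    existing = []
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")  # rollback copy if the new key fails
        with open(path) as handle:
            existing = [ln.strip() for ln in handle if ln.strip()]
    keys = [] if replace else existing
    # Compare on "<type> <base64>" so a changed comment is not a new key.
    ident = new_key.split()[:2]
    if not any(entry.split()[:2] == ident for entry in keys):
        keys.append(new_key)
    # Write to a temporary file in the same directory, then rename over the
    # original so a half-written file is never the one sshd reads.
    fd, tmp = tempfile.mkstemp(dir=ssh_dir)
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(keys) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return keys

if __name__ == "__main__":
    # Constructed sample keys (placeholders, not real key material).
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".ssh", "authorized_keys")
        update_authorized_keys(target, "ssh-rsa AAAAexistingkey imported-openssh-key")
        update_authorized_keys(target, "ssh-rsa AAAAnewkey imported-openssh-key")
        print(open(target).read(), end="")
```

Keep the existing session open until a second session with the new private key succeeds; the `.bak` copy can then be deleted.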
Delete an SSH key pair
An SSH key pair cannot be restored once it is deleted. However, the delete operation does not impact the instance that is using that key pair, and the instance details still show the name of the deleted key pair.
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- Select one or more key pairs to be deleted.
- Click Delete.