ECS instances do not have a default password. If you forget the password, you can reset it. If you do not specify a username when you create an instance, the default username is used.
Operating system
Default username
Description
Linux
root
The super administrator for Linux.
Windows
Administrator
The super administrator for Windows.
ImportantThe root user has high-level permissions, which poses a security risk if used directly. We recommend that you log on as ecs-user with required permissions and run sudo command to perform sensitive operations.
An online password reset does not require a restart. Try resetting the password online before having an offline reset.
Online password reset (no restart required)Go to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Follow the on-screen instructions to open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset. You can keep the default settings for other parameters.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Online Reset.
If the password reset fails, use another method: Offline password reset (restart required).
An offline password reset requires you to restart the instance for the change to take effect. A restart may interrupt services that are running on the instance. Plan the restart time accordingly.
Go to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Follow the on-screen instructions to open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Offline Reset.
You must restart the instance for the new password to take effect. To ensure service stability, restart the instance during off-peak hours.
Connect to the instance by using VNC.
A successful VNC logon indicates that the password was successfully reset in the operating system.
If you cannot log on to the instance using VNC, the password reset failed. In this case, create an image and then submit a ticket. Inform the engineers that both online and offline password resets failed and that you require technical support.
If you can log on to the instance using VNC but cannot log on using tools such as Workbench, the password was reset successfully. The issue may be with the SSH configuration. For more information, see Use the troubleshooting tool to identify the issue.
You can change the password online from the console.
Online password resetGo to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Depending on your console version, open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset. You can keep the default settings for other parameters.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Online Reset.
If the password reset fails, change the password manually within the instance.
This section uses a Windows Server 2019 operating system as an example:
Right-click the Start icon , click Run (R), enter compmgmt.msc, and then press Enter.
In the navigation pane on the left, choose .
Right-click the username for which you want to change the password, such as Administrator, and then click Set Password.
In the Set Password for Administrator dialog box, click Proceed. Enter a new password in the New Password and Confirm Password fields.
ImportantCreate a strong password. It must contain uppercase letters, lowercase letters, digits, and special characters.
Click OK. A message is displayed indicating that the password has been set. This means the password was changed successfully.
This section uses an Alibaba Cloud Linux 3 operating system as an example:
Run the following command to change the password for a specified user:
Replace <username> with the actual username.
sudo passwd <username>At the prompt, enter the new password and press Enter. Re-enter the new password and press Enter again.
Create a strong password. The password must contain uppercase letters, lowercase letters, digits, and special characters.
If the password is changed successfully, a message similar to the following is returned:
passwd: all authentication tokens updated successfully.When creating an instance, you can bind a key pair that has been created in or imported to Alibaba Cloud to log on to the instance. You can also bind or replace a key pair later.
A key pair is a secure credential that protects against brute-force and dictionary attacks. It consists of a public key that is stored on the instance and a private key that you keep. To log on to the instance, you must provide the private key for authentication.
How key pair authentication works
The following figure shows the SSH key pair authentication flow. After the client sends a logon request, the server uses the public key to encrypt a random string. The client then uses the private key to decrypt the string and returns it to the server. The server authenticates the logon by comparing the two strings to confirm they match.
To use a key pair for a Windows instance, you must enable the SSH service on the instance. Key pairs for Windows instances cannot be managed in the console.Create or import a key pair Console Create a key pair
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region and resource group.
An ECS instance can only be bound to a key pair in the same region.
Click Create SSH Key Pair. For the creation mode, select Auto-create.
Click OK.
After the key pair is created, the browser automatically downloads the private key file (key_pair_name.pem) to your computer.
Supported encryption methods for imported key pairs
rsa
dsa
ssh-rsa
ssh-dss
ecdsa
View the public key for a private key
Local machine runs Linux or macOSYou can use the ssh-keygen command to view the public key from an existing private key file.
<path_to_key_pair> is the path to the private key file, for example, /path_to_key_pair/my-key-pair.pem.
ssh-keygen -y -f <path_to_key_pair>The public key information is returned:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA****+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCxxxxxxComplete the following steps to view the public key information:
Start PuTTYgen.
Click Load.
Select a .ppk or .pem file.
PuTTYgen displays the public key information.
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region.
An ECS instance can only be bound to a key pair in the same region.
Click Create SSH Key Pair, select Import as the creation method, and enter the Public Key.
Click OK to complete the import.
Create a key pair: For more information, see CreateKeyPair.
Import the public key of a key pair: For more information, see ImportKeyPair.
Only Linux instances support binding, unbinding, and replacing key pairs in the console.
Bind a key pair when creating an instanceWhen you create an instance using the Custom Launch method, you can set Logon Credential to Key Pair and then select an existing Key Pair.
Bind or replace a key pair ImportantBinding or replacing a key pair in the console requires you to restart the instance for the change to take effect. A restart may interrupt services on the instance. Plan the restart time accordingly.
You can bind a maximum of one key pair to each instance in the console. To bind multiple key pairs, you must manually bind on the instance (no restart required).
Go to the ECS console - Instance. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:
In the Actions column, click . Select an existing key pair and click OK. The change takes effect after you restart the instance.
Manually bind on the instance (no restart required)
The steps to generate a key pair vary depending on the tool. This example uses the ssh-keygen tool.
Run the following command to generate a key pair.
ssh-keygen -t rsa -b 2048 -f id_rsaParameters:
-t rsa: The key type is an rsa key pair.
-b 2048: The key length is 2048 bits.
-f id_rsa: The file name and save location for the generated key pair.
You are prompted to enter a passphrase. The passphrase is used to protect your private key. Setting a passphrase is a recommended security measure. If you do not want to use a passphrase, press Enter to continue.
After the command is executed successfully, two files are generated in the current folder:
id_rsa: Your private key.
id_rsa.pub: Your public key.
Keep your private key secure and do not share it with others.
After you log on to the instance using Workbench, follow these steps.
The steps to bind a public key for a root user are different from those for a non-root user. Choose the appropriate steps based on your needs.
Set the public key for the root userCreate the authorized_keys configuration file.
If the /root/.ssh folder or the authorized_keys file does not exist, run the following commands to create them.
sudo mkdir /root/.ssh
sudo touch /root/.ssh/authorized_keysAdd the public key.
Open the authorized_keys file using a text editor such as Vim.
sudo vim /root/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chmod 700 /root/.ssh
sudo chmod 600 /root/.ssh/authorized_keysCreate the authorized_keys configuration file.
If the /root/.ssh folder or the authorized_keys file does not exist, run the following commands to create them.
In the commands, <username> represents the username for which you want to bind the public key.
sudo mkdir /home/<username>/.ssh
sudo touch /home/<username>/.ssh/authorized_keysAdd the public key.
Open the authorized_keys file using a text editor such as Vim.
sudo vim /home/<username>/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chown -R <username>:<username> /home/<username>/.ssh
sudo chmod 700 /home/<username>/.ssh
sudo chmod 600 /home/<username>/.ssh/authorized_keysAfter you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.
Back up the SSH configuration file /etc/ssh/sshd_config.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bakOpen the /etc/ssh/sshd_config file using a text editor such as Vim. Find the PubkeyAuthentication parameter and set it to yes to enable public key authentication.
sudo vim /etc/ssh/sshd_configRestart the SSH service to apply the changes.
This example uses Alibaba Cloud Linux 3:
sudo systemctl restart sshdOn some operating systems, such as Ubuntu and Debian, the SSH service is namedImportantsshinstead ofsshd. Adjust the command as needed.
If you are connected to the instance over SSH, restarting the service disconnects you. You can reconnect after the service restarts.
Only Linux instances support binding, replacing, and unbinding key pairs using the API.
Set a key pair when creating an instance: When you call RunInstances to create an instance, set the KeyPairName parameter to the name of the key pair.
Bind or replace a key pair: Call AttachKeyPair and specify the key pair name KeyPairName and instance IDs InstanceIds.
unbind a key pair: Call DetachKeyPair and specify the key pair name KeyPairName and instance IDs InstanceIds.
Unbinding a key pair in the console requires you to restart the instance for the change to take effect. A restart may interrupt services on the instance. Plan the restart time accordingly.
Unbind in the console (restart required)Go to the ECS console - Instance. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:
In the Actions column, click , and then click Unbind. The change takes effect after you restart the instance.
Manually unbind on the instance (no restart required)You can manually purge the public keys stored in the authorized_keys file on the instance to unbind a key pair. The path to the authorized_keys configuration file varies depending on the user:
root user: /root/.ssh/authorized_keys
Non-root user: /home/<username>/.ssh/authorized_keys
Here, <username> represents the non-root username.
You cannot delete a key pair that is bound to an instance.
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region and resource group.
Find the key pair that you want to delete and click Delete in the Actions column.
Call DeleteKeyPairs and specify the KeyPairNames parameter with the names of the key pairs that you want to delete.
To set up multiple users for an ECS instance, follow these steps to create regular users and enable remote access.
LinuxLog on to the instance using Workbench and follow these steps to create a user:
Replace <username> in the command with the username you want to create. For example, to create a user namedexampleuser, runsudo useradd -m exampleuser.
sudo useradd -m <username>Generate a key pair file on your local machine.
ImportantFor security reasons, do not create a key pair using ssh-keygen on the instance. Do not save the generated private key on the ECS instance that you want to connect to.
The steps to generate a key pair vary depending on the tool. This example uses the ssh-keygen tool.
Run the following command to generate a key pair.
ssh-keygen -t rsa -b 2048 -f id_rsaParameters:
-t rsa: The key type is an rsa key pair.
-b 2048: The key length is 2048 bits.
-f id_rsa: The file name and save location for the generated key pair.
You are prompted to enter a passphrase. The passphrase is used to protect your private key. Setting a passphrase is a recommended security measure. If you do not want to use a passphrase, press Enter to continue.
After the command is executed successfully, two files are generated in the current folder:
id_rsa: Your private key.
id_rsa.pub: Your public key.
Keep your private key secure and do not share it with others.
Bind the public key to the user.
Create the authorized_keys configuration file.
If the /root/.ssh folder or the authorized_keys file does not exist, run the following commands to create them.
In the commands, <username> represents the username for which you want to bind the public key.
sudo mkdir /home/<username>/.ssh
sudo touch /home/<username>/.ssh/authorized_keysAdd the public key.
Open the authorized_keys file using a text editor such as Vim.
sudo vim /home/<username>/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chown -R <username>:<username> /home/<username>/.ssh
sudo chmod 700 /home/<username>/.ssh
sudo chmod 600 /home/<username>/.ssh/authorized_keysEnable public key authentication for the SSH service.
After you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.
Back up the SSH configuration file /etc/ssh/sshd_config.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bakOpen the /etc/ssh/sshd_config file using a text editor such as Vim. Find the PubkeyAuthentication parameter and set it to yes to enable public key authentication.
sudo vim /etc/ssh/sshd_configRestart the SSH service to apply the changes.
This example uses Alibaba Cloud Linux 3:
sudo systemctl restart sshdOn some operating systems, such as Ubuntu and Debian, the SSH service is namedImportantsshinstead ofsshd. Adjust the command as needed.
If you are connected to the instance over SSH, restarting the service disconnects you. You can reconnect after the service restarts.
Run the following command:
Replace <username> with the username for which you want to set the password.
sudo passwd <username>Enter the new password and press Enter. Re-enter the new password to confirm and press Enter.
If the change is successful, a message similar to the following is displayed:
passwd: all authentication tokens updated successfully.By default, Windows supports a maximum of two concurrent remote connections over Remote Desktop Protocol (RDP). If you need more than two users to log on to a Windows instance at the same time, you must use Microsoft's Remote Desktop Services.
Log on to the instance using Workbench and follow these steps:
Open Control Panel, find User Accounts, and click Change account type.
On the Manage Accounts page, click Add a user account to go to the Add a user page.
On the Add a user page, follow the on-screen instructions to set the username and password for the new user.
This example creates a user named exampleuser. Set the User name as needed.
Click Next, and then click Finish. The new user is created.
Remote Desktop Users group
Only users in the Remote Desktop Users group can log on to the instance remotely.
In the search box on the taskbar, search for Computer Management and click to open the Computer Management window.
Under , find the Remote Desktop Users group. Double-click it to open the Remote Desktop Users Properties page.
Follow the steps shown in the figure.
On the Remote Desktop Users Properties page, click Add.
Enter the username of the user created in Step 2 and click Check Names. The input box will automatically complete the full name of the user.
Click OK. On the Remote Desktop Users Properties page, click Apply and then OK. The user is added to the group.
Linux instances: The default username is root. If you set the instance to use ecs-user during creation, the username is ecs-user.
Windows instances: The default username is Administrator.
No default password is set.
For security reasons, Alibaba Cloud does not set a default or initial password for an ECS instance. If you did not set a password when you created the instance, see Reset a password.
Q3: How can I view the instance password?Alibaba Cloud does not store the instance password that you set. Therefore, you cannot view it.
Q4: How do I recover my credentials if I forgot my username or password?Forgot username: You can find your username using the reset password feature in the console. The username that you set when you created the instance is displayed at the top of the Reset Instance Password dialog box.
Forgot password: For more information, see Reset a password.
Q5: Why does online password reset fail?In most cases, this failure occurs because security software on the instance blocks the password modification instruction from Cloud Assistant. To resolve this issue, use Offline password reset.
Q6: How do I switch between root and ecs-user?Switching from root to ecs-user
You can only set the username to ecs-user when you create an instance from specific Linux images using the custom purchase method.
After an instance is created, you cannot directly switch to the ecs-user account. However, you can create an ecs-user account by following the steps in Multi-user remote logon and grant sudo permissions to that user.
Switching from ecs-user to root
We strongly recommend using the ecs-user account and execute privileged commands with sudo, rather than logging on directly as the root user.
If you must switch to the root user during a session, you can log on to the instance as ecs-user and run the sudo su command to switch to the root user.
Console features such as offline password reset and binding key pairs work only for the username that is set during instance creation.Q7: How can I enable both SSH key pair and password authentication for a Linux instance?
You can enable both authentication methods by modifying the /etc/ssh/sshd_config configuration file of the SSH service.
Enable SSH key pair authentication (recommended, more secure): This method is controlled by the PubkeyAuthentication option. Set the option to yes to enable key pair authentication. After you modify the configuration, you must restart the SSH service on the instance.
Enable SSH password authentication (not recommended, less secure): This method is controlled by the PasswordAuthentication option. Set the option to yes to enable password authentication. After you modify the configuration, you must restart the SSH service on the instance.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4