Help Center/ Elastic Cloud Server/ Troubleshooting/ Passwords and Key Pairs Issues/ How Do I Change the Key Pair for a Linux ECS?
Updated on 2024-08-15 GMT+08:00

How Do I Change the Key Pair for a Linux ECS?

Symptom

You changed the key pair for logging in to a Linux ECS, but you could not use the new key pair to log in to the ECS.

Solution

  1. Use the password or old key to log in to the ECS and run the following commands to create a key pair:
    [root@host -]$ ssh-keygen <==Create a key pair.
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): <== Press Enter.
    Created directory ´/root/.ssh´.
    Enter passphrase (empty for no passphrase): <== Enter the key passphrase or press Enter to leave it blank.
    Enter same passphrase again: <== Enter the key passphrase again.
    Your identification has been saved in /root/.ssh/id_rsa. <== Private key
    Your public key has been saved in /root/.ssh/id_rsa.pub. <== Public key
    The key fingerprint is:
    0f:d3:e7:1a:1c:bd:5c:03:f1:19:f1:22:df:9b:cc:08 root@host
  2. The key passphrase is mandatory when a private key is used. This prevents the private key from being stolen.

    A hidden directory .ssh is generated in the home directory of the root user. The directory contains two key files: id_rsa (private key) and id_rsa.pub (public key).

  3. Run the following commands on the Linux ECS to install the public key:
    [root@host ~]$ cd .ssh
    [root@host .ssh]$ cat id_rsa.pub >> authorized_keys
  4. To ensure successful connection, run the following commands to configure file permissions:
    [root@host .ssh]$ chmod 600 authorized_keys
    [root@host .ssh]$ chmod 700 ~/.ssh
  5. (Optional) Edit the /etc/ssh/sshd_config file as follows to enable SSH key pair login. (Skip this step for Linux ECSs created using a public image because key pair login has been enabled for them by default.)
    RSAAuthentication yes
    PubkeyAuthentication yes
  6. Check the following configuration item to ensure that user root can log in to the ECS using SSH:
    PermitRootLogin yes
  7. After the preceding configuration is complete and the login using a key is successful, run the following command to disable password login:

    PasswordAuthentication no

  8. Restart SSH.

    service sshd restart

Follow-up Procedure

  1. Download the private key to your local computer, to convert it into a format that can be used by PuTTY.

    Use WinSCP or SFTP to download the private key file id_rsa. Keep the file secure.

  2. Open PuTTY Key Generator and click Load an existing private key file in Actions to load the downloaded private key file.

    If you have set a key passphrase, you need to enter it.

  3. After the private key file is loaded successfully, PuTTY Key Generator displays the information about the key.
  4. In the Key comment box, enter the description of the private key and click Save private key to save the private key file in a format that can be used by PuTTY.
  5. Use PuTTY to log in to the ECS. In the navigation pane of PuTTY, choose Connection > SSH > Auth, and in the Private key file for authentication area, browse to and select your private key file, enter the key passphrase, and click Open to log in to the ECS.