Binding a Key Pair to an ECS

If you set the login mode to Password when purchasing an ECS running Linux, and you need to change the login mode to Key Pair, you can bind the key pair to the ECS on the KPS console, KPS will configure the key pair. After the key pair is bound, you can use the private key to log in to the ECS.

Operation

Table 1 describes the operation guide.

**Table 1** Operation
Operation	Application Scenario	Prerequisites	Constraints
Binding a key pair Binding a Key Pair Binding Key Pairs in Batches	Log in to the ECS using a key pair.	The ECS must be in the Running or Shut down state. The ECS whose key pair is to be reset must use the public image provided by Huawei Cloud. To bind to a key pair, you can write the public key of the user to the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before binding the key pair. Otherwise, the key pair fails to be bound. The SSH port (22 by default) of the ECS security group must allow traffic from the 100.125.0.0/16 CIDR block in advance.	On the management console, key pairs cannot be bound to ECSs that run Windows. Key pairs cannot be bound to public images running CoreOS, openEuler, FreeBSD (Other), Kylin V10 64-bit, UnionTech OS Server 20, Euler 64-bit, or CentOS Stream 8 64-bit. You can bind key pairs to a maximum of 10 ECSs at a time.
Viewing a Key Pair	You can view the key pair information on the KPS console, including the name, fingerprint, and private key.	-	-
Resetting a Key Pair	If the private key is lost, use a new key pair to bind to the ECS.	The ECS whose key pair is to be reset must use the public image provided by Huawei Cloud. To reset the key pair, you can replace the public key of the user by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before resetting the key pair. Otherwise, the reset will fail. The ECS must be in the Shut down state.	-
Replacing a Key Pair	If your private key is leaked, you must replace the public key of the ECS with a new key pair. After the replacement, only the new private key can be used for authentication — the original private key will no longer grant access.	The ECS whose key pair is to be replaced uses the public image provided by Huawei Cloud. To replace the key pair, you can replace the public key of the user by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before replacing the key pair. Otherwise, replacing the public key will fail. The ECS must be in the Running state.	-
Unbinding a Key Pair	If you no longer want to use a key pair to log in to an ECS, change the login mode to password.	The ECS must be in the Running or Shut down state. The ECS whose key pair is to be unbound uses the public image provided by Huawei Cloud. To unbind from a key pair, you can delete the public key of the user from the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before unbinding from the key pair. Otherwise, the unbinding will fail.	If you have not set a password for logging in to the ECS, or you have forgotten your password, reset the login password on the ECS management console. For details, see Elastic Cloud Server User Guide. If you set login mode to Key Pair when you create the ECS, after the key pair is unbound, shut down the ECS first to bind a key pair again. To log in to the ECS, after you unbind the key pair, reset the password in time on the ECS console. For details, see Elastic Search Server User Guide. You can unbind an ECS on the KPS console for the following OSs: EulerOS, CentOS, RedHat, SUSE, Debian, openSUSE, Oracle Linux, Fedora, Ubuntu, Huawei Cloud EulerOS, AlmaLinux, Rocky Linux, CentOS Stream, and openEuler.

Binding a Key Pair

Log in to the DEW console.
Click in the upper left corner of the console and select a region or project.
In the navigation pane on the left, click Key Pair Service.
Click ECS List to view ECSs.
Locate the target ECS and click Bind in the Operation. The Bind Key Pair dialog box is displayed.
- If the ECS is shut down, a dialog box will be displayed, as shown in Figure 1.
  Figure 1 Binding a key pair (1)
- If the ECS is running, you need to provide the root password, as shown in Figure 2.
  Figure 2 Binding a key pair (2)
  - If you have the root password of the ECS, you can directly enter the password to bind the key pair to the ECS.
  - If you do not have the root password of the ECS, you can shut it down, and bind the key pair when the ECS is in Shut down state.
Select a new key pair from the drop-down list box of New Key Pair.
The default port number is 22 and can be modified.
Before using user-defined port, ensure that:
- The key pair can be connected to the ECS using the port. For details about how to modify the security group configuration of an ECS, see Configuring Security Group Rules.
- Modify the default port of the ECS and ensure that the port is enabled. For details, see Enhancing Security for SSH Logins to Linux ECSs.
- Modify the default port of the ECS and ensure that the port is enabled.
You can choose whether to disable the password login mode as necessary. By default, the password login mode is disabled.
- If you do not disable the password login mode, you can use the password or the key pair to log in to the ECS.
- If the password login mode is disabled, you can use only the key pair to log in to the ECS. If you need to use the password login mode later, you can enable the password login mode again. For details, see How Do I Enable the Password Login Mode for an ECS?.
Read and select I have read and agree to the Key Pair Service Disclaimer.
Click OK to complete the operation.
- If the ECS is not shut down, use the root password to bind the key pair. It takes about 30 seconds to complete.
- If the ECS is shut down, the binding operation may take about five minutes.

Binding Key Pairs in Batches

Binding key pairs in batches is supported when multiple ECSs need to be bound to the same key pair and the ECSs are in the Running state.

Scenario 1: If the ECSs to be bound to a key pair share the same password, you can use one-click binding, that is, select the key pair to be bound to and enter the root password of the ECSs.
Scenario 2: If the ECSs to be bound to a key pair use different root passwords, you need to use separate binding, that is, select the key pair to be bound to and enter the root password of each ECS.

In the navigation pane on the left, click Key Pair Service.
Click ECS List to view ECSs.
Select the servers to be bound in batches and click Bind above the search box.
- If the passwords of the ECSs to be bound are the same, you can select a key pair by one click and enter the password to bind the key pair, as shown in Figure 3.
  Figure 3 Unified bind
- If the passwords of the ECSs to be bound are different, you can bind them separately, as shown in Figure 4.
  Figure 4 Separate bind
  
  If you select Unified bind, only the same key pair can be used for binding.

Viewing a Key Pair

This section describes how to view the key pair information, including the names, fingerprints, and private keys on the KPS page of the DEW console.

In the navigation pane on the left, click Key Pair Service.
Click the Private Key Pairs tab and view information about the key pair in the key pair list.

The list describes the names, fingerprints, private keys, and statuses of key pairs.

Click the name of the target key pair. The detailed information about the key pair and the list of ECSs using the key pair are displayed, as shown in Figure 5.

Figure 5 Key pair details
Click to enlarge

When you purchase an ECS and set login mode to Key Pair, the selected key pair is bound to the ECS.

Table 2 lists the parameters of the ECS to which the key pair is bound.

**Table 2** Parameters of an ECS
Parameter	Description
ECS Name/ID	Name and ID of anECS
Status	Status of an ECS. The possible values are as follows: Running Creating Faulty Shut down
Private IP Address	Private IP address
Elastic IP Address	Elastic IP address
Bind Key Pair	Key pair bound to the ECS

Click ECS List to view ECSs.

Figure 6 ECS list
Click the number next to in the Status column to view the failed tasks, as shown in Figure 7.

Status of resetting or replacing the key pair:

: Executing

: Execution failed
- Locate the target failed key pair task and click Delete in Operation column. You can also click Delete All on top of the list to delete all failed tasks.
- Click Learn more to view related documents.
Figure 7 Failed key pair tasks

Resetting a Key Pair

If your private key is lost, you can use a new key pair to reconfigure the ECS through the management console. After resetting the key pair, you need to use the private key of the new key pair to log in to the ECS, and the original private key cannot be used to log in to the ECS.

The ECS whose key pair is to be reset must use the public image provided by Huawei Cloud.
To reset the key pair, you can replace the public key of the user by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before resetting the key pair. Otherwise, the reset will fail.
The ECS must be in the Shut down state.

In the navigation pane on the left, click Key Pair Service.
Click the ECS List tab, locate the target ECS in the list and click Reset in the Operation column. The key pair reset dialog box is displayed, as shown in Figure 8.

Figure 8 Resetting a key pair
Select a new key pair from the drop-down list box of New Key Pair.
Click OK. The ECS key pair will be reset in about 10 minutes.

Replacing a Key Pair

If your private key is leaked, you can use a new key pair to replace the public key of the ECS through the management console. After replacing the key pair, you need to use the private key of the new key pair to log in to the ECS, and the original private key cannot be used to log in to the ECS.

The ECS whose key pair is to be replaced uses the public image provided by Huawei Cloud.
To replace the key pair, you can replace the public key of the user by modifying the /root/.ssh/authorized_keys file on the server. Ensure that the file is not modified before replacing the key pair. Otherwise, replacing the public key will fail.
The ECS must be in the Running state.

In the navigation pane on the left, click Key Pair Service.
Click the ECS List tab, locate the target ECS in the list and click Replace in the Operation column. The key pair replacement dialog box is displayed, as shown in Figure 9.

Figure 9 Replacing a key pair
Select a new key pair from the drop-down list box of New Key Pair.
Click Select File to upload the private key (in .pem format) of the original key pair or copy the private key content to the text box.
- The private key to be uploaded or copied to the text box must be in the .pem format. If it is in the .ppk format, convert it by referring to How Do I Convert the Format of a Private Key File?.
Click OK. The key pair will be replaced in about one minute.

Unbinding a Key Pair

If you want to change the login mode from Key Pair to Password, unbind the key pair on the KPS console.

In the navigation pane on the left, click Key Pair Service.
Click the ECS List tab, locate the target ECS in the list, and click Unbind in the Operation column.
- If the ECS is shut down, a dialog box will be displayed, as shown in Figure 10.
  Figure 10 Unbinding a key pair (1)
- If the ECS is running, a dialog box will be displayed, as shown in Figure 11.
  Figure 11 Unbinding a key pair (2)
If you unbind the key pair when the ECS is in the Running state, you need to upload the private key. Click Select file to upload the private key (in the .pem format) of the existing key pair or copy the private key to the text box. If the ECS is shut down, skip this step.
- The private key to be uploaded or copied to the text box must be in the .pem format. If it is in the .ppk format, convert it by referring to How Do I Convert the Format of a Private Key File?.
Click OK. The key pair will be unbound from the ECS in about one minute.

To log in to the ECS, after you unbind the key pair, reset the password in time on the ECS console. For details, see Elastic Search Server User Guide.