ECS instances do not have a default password. If you forget the password, you can reset it. If you do not specify a username when you create an instance, the default username is used.
Operating system | Default username | Description |
Linux |
| The super administrator for Linux. |
Windows |
| The super administrator for Windows. |
The root user has high-level permissions, which poses a security risk if used directly. We recommend that you log on as ecs-user with required permissions and run sudo command to perform sensitive operations.
Password management
Reset a password
An online password reset does not require a restart. Try resetting the password online before having an offline reset.
Online password reset (no restart required)
Go to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Follow the on-screen instructions to open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset. You can keep the default settings for other parameters.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Online Reset.
ImportantIf Online Reset is unavailable, use another method: OfflineOffline pa password reset (restart required).
If the password reset fails, use another method: Offline password reset (restart required).
Offline password reset (restart required)
An offline password reset requires you to restart the instance for the change to take effect. A restart may interrupt services that are running on the instance. Plan the restart time accordingly.
Go to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Follow the on-screen instructions to open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Offline Reset.
You must restart the instance for the new password to take effect. To ensure service stability, restart the instance during off-peak hours.
Connect to the instance by using VNC.
A successful VNC logon indicates that the password was successfully reset in the operating system.
If you can log on to the instance using VNC but cannot log on using tools such as Workbench, the password was reset successfully. The issue may be with the SSH configuration. For more information, see Use the troubleshooting tool to identify the issue.
Change a password
You can change the password online from the console.
Online password reset
Go to the ECS console - Instance. Select a region and resource group, and then find the instance that you want to manage.
Depending on your console version, open the Reset Instance Password dialog box.
In the Reset Instance Password dialog box, configure the following parameters and click OK. Wait for the password to be reset. You can keep the default settings for other parameters.
New Password/Confirm Password: Enter a new password for the instance. For security, create a strong password that contains uppercase letters, lowercase letters, digits, and special characters.
For Password Reset Method, select Online Reset.
ImportantIf Online Reset is unavailable, change the password manually within the instance.
If the password reset fails, change the password manually within the instance.
Change the password manually within the instance
Windows instances
This section uses a Windows Server 2019 operating system as an example:
Right-click the Start icon
, click Run (R), enter compmgmt.msc, and then pressEnter.In the navigation pane on the left, choose .
Right-click the username for which you want to change the password, such as Administrator, and then click Set Password.
In the Set Password for Administrator dialog box, click Proceed. Enter a new password in the New Password and Confirm Password fields.
ImportantCreate a strong password. It must contain uppercase letters, lowercase letters, digits, and special characters.
Click OK. A message is displayed indicating that the password has been set. This means the password was changed successfully.
Linux instances
This section uses an Alibaba Cloud Linux 3 operating system as an example:
Run the following command to change the password for a specified user:
Replace
<username>with the actual username.sudo passwd <username>At the prompt, enter the new password and press
Enter. Re-enter the new password and pressEnteragain.ImportantCreate a strong password. The password must contain uppercase letters, lowercase letters, digits, and special characters.
If the password is changed successfully, a message similar to the following is returned:
passwd: all authentication tokens updated successfully.
Key pair management
When creating an instance, you can bind a key pair that has been created in or imported to Alibaba Cloud to log on to the instance. You can also bind or replace a key pair later.
A key pair is a secure credential that protects against brute-force and dictionary attacks. It consists of a public key that is stored on the instance and a private key that you keep. To log on to the instance, you must provide the private key for authentication.
The following figure shows the SSH key pair authentication flow. After the client sends a logon request, the server uses the public key to encrypt a random string. The client then uses the private key to decrypt the string and returns it to the server. The server authenticates the logon by comparing the two strings to confirm they match.
To use a key pair for a Windows instance, you must enable the SSH service on the instance. Key pairs for Windows instances cannot be managed in the console.
Create or import a key pair
Console
Create a key pair
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region and resource group.
An ECS instance can only be bound to a key pair in the same region.
Click Create SSH Key Pair. For the creation mode, select Auto-create.
Click OK.
After the key pair is created, the browser automatically downloads the private key file (key_pair_name.pem) to your computer.
Import a key pair
View the public key for a private key
Local machine runs Linux or macOS
You can use the
ssh-keygencommand to view the public key from an existing private key file.<path_to_key_pair> is the path to the private key file, for example,
/path_to_key_pair/my-key-pair.pem.ssh-keygen -y -f <path_to_key_pair>The public key information is returned:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA****+GF9q7rhc6vYrExwT4WU4fsaRcVXGV2Mg9RHex21hl1au77GkmnIgukBZjywlQOT4GDdsJy2nBOdJPrCEBIPxxxxxxxxxx/fctNuKjcmMMOA8YUT+sJKn3l7rCLkesE+S5880yNdRjBiiUy40kyr7Y+fqGVdSOHGMXZQPpkBtojcxxxxxxxxxxx/htEqGa/Jq4fH7bR6CYQ2XgH/hCap29Mdi/G5Tx1nbUKuIHdMWOPvjxxxxxxxxxx+lHtTGiAIRG1riyNRVC47ZEVCxxxxxxLocal machine runs Windows
Complete the following steps to view the public key information:
Start PuTTYgen.
Click Load.
Select a
.ppkor.pemfile.PuTTYgen displays the public key information.
Import a key pair (public key)
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region.
An ECS instance can only be bound to a key pair in the same region.
Click Create SSH Key Pair, select Import as the creation method, and enter the Public Key.
Click OK to complete the import.
API
Create a key pair: For more information, see CreateKeyPair.
Import the public key of a key pair: For more information, see ImportKeyPair.
Bind or replace a key pair
Console
Only Linux instances support binding, unbinding, and replacing key pairs in the console.
Bind a key pair when creating an instance
When you create an instance using the Custom Launch method, you can set Logon Credential to Key Pair and then select an existing Key Pair.
Bind or replace a key pair
Binding or replacing a key pair in the console requires you to restart the instance for the change to take effect. A restart may interrupt services on the instance. Plan the restart time accordingly.
You can bind a maximum of one key pair to each instance in the console. To bind multiple key pairs, you must manually bind on the instance (no restart required).
Bind or replace in the console (restart required)
Go to the ECS console - Instance. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:
In the Actions column, click 
> Bind Key Pair. Select an existing key pair and click OK. The change takes effect after you restart the instance.
Manually bind on the instance (no restart required)
Generate a key pair
The steps to generate a key pair vary depending on the tool. This example uses the
ssh-keygentool.Run the following command to generate a key pair.
ssh-keygen -t rsa -b 2048 -f id_rsaParameters:
-t rsa: The key type is anrsakey pair.-b 2048: The key length is 2048 bits.-f id_rsa: The file name and save location for the generated key pair.
You are prompted to enter a passphrase. The passphrase is used to protect your private key. Setting a passphrase is a recommended security measure. If you do not want to use a passphrase, press
Enterto continue.After the command is executed successfully, two files are generated in the current folder:
id_rsa: Your private key.id_rsa.pub: Your public key.
ImportantKeep your private key secure and do not share it with others.
Bind the public key to the instance
After you log on to the instance using Workbench, follow these steps.
The steps to bind a public key for a root user are different from those for a non-root user. Choose the appropriate steps based on your needs.
Set the public key for the root user
Create the
authorized_keysconfiguration file.If the
/root/.sshfolder or theauthorized_keysfile does not exist, run the following commands to create them.sudo mkdir /root/.ssh sudo touch /root/.ssh/authorized_keysAdd the public key.
Open the
authorized_keysfile using a text editor such as Vim.sudo vim /root/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chmod 700 /root/.ssh sudo chmod 600 /root/.ssh/authorized_keys
Set the public key for a non-root user
Create the
authorized_keysconfiguration file.If the
/root/.sshfolder or theauthorized_keysfile does not exist, run the following commands to create them.In the commands,
<username>represents the username for which you want to bind the public key.sudo mkdir /home/<username>/.ssh sudo touch /home/<username>/.ssh/authorized_keysAdd the public key.
Open the
authorized_keysfile using a text editor such as Vim.sudo vim /home/<username>/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chown -R <username>:<username> /home/<username>/.ssh sudo chmod 700 /home/<username>/.ssh sudo chmod 600 /home/<username>/.ssh/authorized_keys
Enable public key authentication for the SSH service
After you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.
Back up the SSH configuration file
/etc/ssh/sshd_config.sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Open the
/etc/ssh/sshd_configfile using a text editor such as Vim. Find thePubkeyAuthenticationparameter and set it toyesto enable public key authentication.sudo vim /etc/ssh/sshd_configRestart the SSH service to apply the changes.
This example uses Alibaba Cloud Linux 3:
sudo systemctl restart sshdOn some operating systems, such as Ubuntu and Debian, the SSH service is named
sshinstead ofsshd. Adjust the command as needed.ImportantIf you are connected to the instance over SSH, restarting the service disconnects you. You can reconnect after the service restarts.
API
Only Linux instances support binding, replacing, and unbinding key pairs using the API.
Set a key pair when creating an instance: When you call RunInstances to create an instance, set the
KeyPairNameparameter to the name of the key pair.Bind or replace a key pair: Call AttachKeyPair and specify the key pair name
KeyPairNameand instance IDsInstanceIds.unbind a key pair: Call DetachKeyPair and specify the key pair name
KeyPairNameand instance IDsInstanceIds.
Unbind a key pair
Unbinding a key pair in the console requires you to restart the instance for the change to take effect. A restart may interrupt services on the instance. Plan the restart time accordingly.
Unbind in the console (restart required)
Go to the ECS console - Instance. In the upper-left corner, select a region and resource group. Find the ECS instance and follow these instructions:
In the Actions column, click > Unbind Key Pair, and then click Unbind. The change takes effect after you restart the instance.
Manually unbind on the instance (no restart required)
You can manually purge the public keys stored in the authorized_keys file on the instance to unbind a key pair. The path to the authorized_keys configuration file varies depending on the user:
root user:
/root/.ssh/authorized_keysNon-root user:
/home/<username>/.ssh/authorized_keysHere,
<username>represents the non-root username.
Delete a key pair
Console
You cannot delete a key pair that is bound to an instance.
Go to the ECS console - Key Pairs page. In the upper-left corner, select a region and resource group.
Find the key pair that you want to delete and click Delete in the Actions column.
API
Call DeleteKeyPairs and specify the KeyPairNames parameter with the names of the key pairs that you want to delete.
Multi-user remote logon
To set up multiple users for an ECS instance, follow these steps to create regular users and enable remote access.
Linux
Log on to the instance using Workbench and follow these steps to create a user:
Create a user
Replace <username> in the command with the username you want to create. For example, to create a user named
exampleuser, runsudo useradd -m exampleuser.sudo useradd -m <username>Set a password or key pair
Bind a key pair
Generate a key pair file on your local machine.
ImportantFor security reasons, do not create a key pair using ssh-keygen on the instance. Do not save the generated private key on the ECS instance that you want to connect to.
The steps to generate a key pair vary depending on the tool. This example uses the
ssh-keygentool.Run the following command to generate a key pair.
ssh-keygen -t rsa -b 2048 -f id_rsaParameters:
-t rsa: The key type is anrsakey pair.-b 2048: The key length is 2048 bits.-f id_rsa: The file name and save location for the generated key pair.
You are prompted to enter a passphrase. The passphrase is used to protect your private key. Setting a passphrase is a recommended security measure. If you do not want to use a passphrase, press
Enterto continue.After the command is executed successfully, two files are generated in the current folder:
id_rsa: Your private key.id_rsa.pub: Your public key.
ImportantKeep your private key secure and do not share it with others.
Bind the public key to the user.
Create the
authorized_keysconfiguration file.If the
/root/.sshfolder or theauthorized_keysfile does not exist, run the following commands to create them.In the commands,
<username>represents the username for which you want to bind the public key.sudo mkdir /home/<username>/.ssh sudo touch /home/<username>/.ssh/authorized_keysAdd the public key.
Open the
authorized_keysfile using a text editor such as Vim.sudo vim /home/<username>/.ssh/authorized_keysPaste your public key content into the file. You can configure multiple public keys. Add each public key on a new line. When you are finished, save and close the file.
Set file permissions.
SSH requires strict permission settings. Incorrect permissions can cause SSH logon to fail.
Run the following commands to set the correct permissions.
sudo chown -R <username>:<username> /home/<username>/.ssh sudo chmod 700 /home/<username>/.ssh sudo chmod 600 /home/<username>/.ssh/authorized_keys
Enable public key authentication for the SSH service.
After you configure the public key, you must enable SSH public key authentication on the server. Otherwise, key-based logon will fail.
Back up the SSH configuration file
/etc/ssh/sshd_config.sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Open the
/etc/ssh/sshd_configfile using a text editor such as Vim. Find thePubkeyAuthenticationparameter and set it toyesto enable public key authentication.sudo vim /etc/ssh/sshd_configRestart the SSH service to apply the changes.
This example uses Alibaba Cloud Linux 3:
sudo systemctl restart sshdOn some operating systems, such as Ubuntu and Debian, the SSH service is named
sshinstead ofsshd. Adjust the command as needed.ImportantIf you are connected to the instance over SSH, restarting the service disconnects you. You can reconnect after the service restarts.
Set a password
Run the following command:
Replace
<username>with the username for which you want to set the password.sudo passwd <username>Enter the new password and press
Enter. Re-enter the new password to confirm and pressEnter.If the change is successful, a message similar to the following is displayed:
passwd: all authentication tokens updated successfully.(Verification) Log on to the ECS instance as the new user.
Windows
By default, Windows supports a maximum of two concurrent remote connections over Remote Desktop Protocol (RDP). If you need more than two users to log on to a Windows instance at the same time, you must use Microsoft's Remote Desktop Services.
Log on to the instance using Workbench and follow these steps:
Create a user
Open Control Panel, find User Accounts, and click Change account type.
On the Manage Accounts page, click Add a user account to go to the Add a user page.
On the Add a user page, follow the on-screen instructions to set the username and password for the new user.
This example creates a user named exampleuser. Set the User name as needed.
Click Next, and then click Finish. The new user is created.
Add the new user to the
Remote Desktop UsersgroupOnly users in the Remote Desktop Users group can log on to the instance remotely.
In the search box on the taskbar, search for Computer Management and click to open the Computer Management window.
Under , find the Remote Desktop Users group. Double-click it to open the Remote Desktop Users Properties page.
Follow the steps shown in the figure.
On the Remote Desktop Users Properties page, click Add.
Enter the username of the user created in Step 2 and click Check Names. The input box will automatically complete the full name of the user.
Click OK. On the Remote Desktop Users Properties page, click Apply and then OK. The user is added to the group.
(Verification) Remotely log on to the ECS instance as the new user.
FAQ
Q1: What is the default or initial username for an ECS instance?
Linux instances: The default username is
root. If you set the instance to useecs-userduring creation, the username isecs-user.Windows instances: The default username is
Administrator.
Q2: What is the default or initial password for an ECS instance?
No default password is set.
For security reasons, Alibaba Cloud does not set a default or initial password for an ECS instance. If you did not set a password when you created the instance, see Reset a password.
Q3: How can I view the instance password?
Alibaba Cloud does not store the instance password that you set. Therefore, you cannot view it.
Q4: How do I recover my credentials if I forgot my username or password?
Forgot username: You can find your username using the reset password feature in the console. The username that you set when you created the instance is displayed at the top of the Reset Instance Password dialog box.
Forgot password: For more information, see Reset a password.
Q5: Why does online password reset fail?
In most cases, this failure occurs because security software on the instance blocks the password modification instruction from Cloud Assistant. To resolve this issue, use Offline password reset.
Q6: How do I switch between root and ecs-user?
Switching from root to ecs-user
You can only set the username to
ecs-userwhen you create an instance from specific Linux images using the custom purchase method.After an instance is created, you cannot directly switch to the
ecs-useraccount. However, you can create anecs-useraccount by following the steps in Multi-user remote logon and grantsudopermissions to that user.Switching from ecs-user to root
We strongly recommend using the
ecs-useraccount and execute privileged commands withsudo, rather than logging on directly as therootuser.If you must switch to the
rootuser during a session, you can log on to the instance asecs-userand run thesudo sucommand to switch to therootuser.
Console features such as offline password reset and binding key pairs work only for the username that is set during instance creation.
Q7: How can I enable both SSH key pair and password authentication for a Linux instance?
You can enable both authentication methods by modifying the /etc/ssh/sshd_config configuration file of the SSH service.
Enable SSH key pair authentication (recommended, more secure): This method is controlled by the
PubkeyAuthenticationoption. Set the option toyesto enable key pair authentication. After you modify the configuration, you must restart the SSH service on the instance.Enable SSH password authentication (not recommended, less secure): This method is controlled by the
PasswordAuthenticationoption. Set the option toyesto enable password authentication. After you modify the configuration, you must restart the SSH service on the instance.