Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Access and Manage a Linux Compute Instance using Oracle Cloud Infrastructure

Introduction
In this tutorial, we will explain how to access the console of a Linux instance to install applications or perform management operations.

Connectivity Approaches
Linux compute instances can be accessed using multiple approaches. We have listed the most common approaches.
- Approach 1: Connect via SSH to the compute instance public IP address using a SSH private key with the macOS terminal.
- Approach 2: Connect via terminal console to the compute instance using SSH username and password with the Oracle Cloud Infrastructure (OCI) Cloud Shell console.
- Approach 3: Connect via SSH to the compute instance public IP address using a SSH private key with the Royal TSX application.
- Approach 4: Connect via SSH to the compute instance private IP address using a SSH private key with OCI Cloud Shell.
- Approach 5: Connect via SSH to the compute instance’s private IP address using SSH username and password with OCI Cloud Shell.
- Approach 6: Connect via SSH to the compute instance private IP address using a SSH private key with OCI Bastion host.
- Approach 7: Use a Stepstone compute instance inside a Virtual Cloud Network (VCN).
Objectives
- Access and manage a Linux compute instance using Oracle Cloud Infrastructure.
Approach 1: Connect via SSH to the Compute Instance Public IP Address using a SSH Private Key with the macOS Terminal
In this approach, we will connect to a Linux instance using SSH and the public IP address that is provided by OCI to connect directly to the instance using the macOS terminal.

Run the following commands.
- Use the command line interface (CLI) to navigate to the folder where the public and private keys are stored.
      cd Downloads
      cd MyFreeInstanceKeys
      ls -l
- Restrict permissions of the private key and make sure the access is restricted, before it can be used.
      chmod 600 ssh-key-2024-01-31.key
- Connect to the instance using the SSH command where you specify the private key.
      ssh -i ssh-key-2024-01-31.key opc@xxx.xxx.xxx.229
- Run the following command to verify the IP address.
      ip a
- Verify the IP address.
Approach 2: Connect via Terminal Console to the Compute Instance using SSH Username and Password with the OCI Cloud Shell Console
This approach can be used as a backdoor when you do not have any network connectivity to your instance and logging in with SSH is not possible.
Prerequisites for approach 2
We first need to create the local username and password. To do this, we need to log in with SSH using the private key through one of the other approaches. This is done in Approach 1, 3, 4, 5 and 6.
- When we log in with SSH using a private key, we can create a new local username and assign a password to that new username. Run the following commands.
      sudo useradd console
      sudo passwd console
It is also possible to create a new local username and password during the instance creation process, but we will show this in another tutorial.
Continue with approach 2
Now that we have created the local username and password we can continue with connecting via the terminal console to the compute instance using SSH username and password with the OCI Cloud Shell console.
In this approach, we will connect to a Linux instance using the local console provided by OCI to connect directly to the instance using the OCI Cloud Shell.

- Connect to the OCI Cloud Shell.
  - In the Instance details page, scroll down.
  - Click Console Connection to start OCI Cloud Shell and connect to the console.

- Click Launch Cloud Shell connection.

- The OCI Cloud Shell window only provides a username and not a password.
- This username and password need to be created and are not there by default.
  - The OCI Cloud Shell window will be opened.
  - The prompt provides a username.

- Type in the local username and password in the console terminal.

Approach 3: Connect via SSH to the Compute Instance Public IP Address using a SSH Private Key with the Royal TSX Application
In this approach, we will connect to a Linux instance using SSH and the public IP address that is provided by OCI to connect directly to the instance using the Royal TSX application.

- Open the Royal TSX application and create a new document.
  - Right-click the Connections folder.
  - Click Add.
  - Click Terminal.

- In the Terminal tab, enter the following information.
  - Enter the Display Name.
  - Enter the public IP address or FQDN of the instance in Computer Name.
  - Click Credentials.

- In the Credentials tab, enter the following information.
  - Make sure the Credential is selected.
  - Select Specify username and password.
  - Enter the Username.
  - Select the Private Key File tab.

- In the Private Key File tab, enter the following information.
  - Select Path to Private Key File.
  - Select the Private Key File path.
  - Click Apply & Close.

- Double-click the newly created connection to log in.
- Run the ip a command to review the private IP address.

Approach 4: Connect via SSH to the Compute Instance Private IP Address using a SSH Private Key with OCI Cloud Shell
In this approach, we will connect to the Linux instance using the OCI Cloud Shell provided by OCI and connect to the instance using the private IP address.

- Log in to the OCI Console and click on the OCI Cloud Shell icon to open the Cloud Shell console.

- Click Cloud Shell.

Make sure that the Cloud Shell window opens.

- Enter N to skip the tutorial for now.
To connect to the Linux instance using the private IP address, the Cloud Shell must have access to the same subnet that the Linux instance is connected to.
We can do this by plugging the Cloud Shell into the same VCN and subnet where the Linux instance resides. By default, the network is set to Public, but we are going to change this by creating a new private network on the fly.
- Click Network and select Private network definition list.

- Click Create private network definition.

- In Create private network definition, enter the following information.
  - Enter a Name.
  - Select the VCN in which the Linux instance resides.
  - Select the Subnet in which the Linux instance resides.
  - Select Use active network to activate the private network right away.
  - Click Create.

- Notice that the status of the network will change to the newly created private network with Connecting. This will take a few seconds to complete.

- Private network is connected.
- Click Close to close the private network definition list.

- Run the ls -l command and see that we do not have the private key in the home folder.
- To upload the private key, click the wheel.

- Click Upload.

- Click Select from your computer.
- Click Upload.

- Select the private key from the local computer.
- Click Open.

- Review the key selected in the previous step.
- Click Upload.

- Make sure the upload is completed.
- Click Hide.

- Run the ls -l command to check the private key.
- Restrict permissions of the private key and make sure the access is restricted before it can be used.
- Connect to the instance using the SSH command and specify the private key.
- Run the following command to verify the IP address.
- Verify the IP address.
- Minimize the Cloud Shell console.

- Cloud Shell console is minimized. Click Restore to restore the Cloud Shell console.

- Review the restored Cloud Shell console. Click X to close the Cloud Shell window.

- Click Exit to close the Cloud Shell window.

Now, we are back in the instance overview.

Approach 5: Connect via SSH to the Compute Instance Private IP Address using SSH Username and Password with OCI Cloud Shell
In Approach 4, we have used the private key to log in to the Linux instance. In this approach, we will use the username and password.

- Log in using the following SSH command with a username and notice that we are getting a permission denied error.
  Note: We have used the same user that we have created previously with the username console.
      ssh console@10.0.0.163
- In order to test this and fix the error, create a new Linux compute instance.

Log in with SSH using a private key, and create a local username and password on the new Linux instance.
By default, the Linux image SSH configuration only allows logging in with the private key, not with a username and password over SSH. Previously, we were able to use the username and password, but that was through a direct console connection.
- Change the settings in the /etc/ssh/sshd_config file.

- Use the following command to view the current contents of the sshd_config file.
      sudo more /etc/ssh/sshd_config
  The /etc/ssh/sshd_config file contains these settings:
      [opc@myfreeinstance2 ssh]$ sudo more /etc/ssh/sshd_config
      # $OpenBSD: sshd_config,v 1.103 208/04/09 20:41:22 tj Exp $

      # This is the sshd server system-wide configuration file. See
      # sshd_config(5) for more information.

      # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

      # The strategy used for options in the default sshd_config shipped with
      # OpenSSH is to specify options with their default value where
      # possible, but leave them commented. Uncommented options override the
      # default value.

      # If you want to change the port on a SELinux system, you have to tell
      # SELinux about this change.
      # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
      #
      #Port 22
      #AddressFamily any
      #ListenAddress 0.0.0.0
      #ListenAddress ::

      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
      HostKey /etc/ssh/ssh_host_ed25519_key

      # Ciphers and keying
      #RekeyLimit default none

      # This system is following system-wide crypto policy. The changes to
      # crypto properties (Ciphers, MACs, ...) will not have any effect here.
      # They will be overridden by command-line options passed to the server
      # on command line.
      # Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

      # Logging
      #SyslogFacility AUTH
      SyslogFacility AUTHPRIV
      #LogLevel INFO

      # Authentication:

      #LoginGraceTime 2m
      PermitRootLogin yes
      #StrictModes yes
      #MaxAuthTries 6
      #MaxSessions 10

      #PubkeyAuthentication yes

      # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
      # but this is overridden so installations will only check .ssh/authorized_keys
      AuthorizedKeysFile .ssh/authorized_keys

      #AuthorizedPrincipalsFile none

      #AuthorizedKeysCommand none
      #AuthorizedKeysCommandUser nobody

      # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
      #HostbasedAuthentication no
      # Change to yes if you don't trust ~/.ssh/known_hosts for
      # HostbasedAuthentication
      #IgnoreUserKnownHosts no
      # Don't read the user's ~/.rhosts and ~/.shosts files
      #IgnoreRhosts yes

      # To disable tunneled clear text passwords, change to no here!
      #PasswordAuthentication yes
      #PermitEmptyPasswords no
      PasswordAuthentication no

      # Change to no to disable s/key passwords
      #ChallengeResponseAuthentication yes
      ChallengeResponseAuthentication no

      # Kerberos options
      #KerberosAuthentication no
      #KerberosOrLocalPasswd yes
      #KerberosTicketCleanup yes
      #KerberosGetAFSToken no
      #KerberosUseKuserok yes

      # GSSAPI options
      GSSAPIAuthentication yes
      GSSAPICleanupCredentials no
      #GSSAPIStrictAcceptorCheck yes
      #GSSAPIKeyExchange no
      #GSSAPIEnablek5users no

      # Set this to 'yes' to enable PAM authentication, account processing,
      # and session processing. If this is enabled, PAM authentication will
      # be allowed through the ChallengeResponseAuthentication and
      # PasswordAuthentication. Depending on your PAM configuration,
      # PAM authentication via ChallengeResponseAuthentication may bypass
      # the setting of "PermitRootLogin without-password".
      # If you just want the PAM account and session checks to run without
      # PAM authentication, then enable this but set PasswordAuthentication
      # and ChallengeResponseAuthentication to 'no'.
      # WARNING: 'UsePAM no' is not supported in RHEL and may cause several
      # problems.
      UsePAM yes

      #AllowAgentForwarding yes
      #AllowTcpForwarding yes
      #GatewayPorts no
      X11Forwarding yes
      #X11DisplayOffset 10
      #X11UseLocalhost yes
      #PermitTTY yes

      # It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
      # as it is more configurable and versatile than the built-in version.
      PrintMotd no

      #PrintLastLog yes
      #TCPKeepAlive yes
      #PermitUserEnvironment no
      #Compression delayed
      #ClientAliveInterval 0
      #ClientAliveCountMax 3
      #UseDNS no
      #PidFile /var/run/sshd.pid
      #MaxStartups 10:30:100
      #PermitTunnel no
      #ChrootDirectory none
      #VersionAddendum none

      # no default banner path
      #Banner none

      # Accept locale-related environment variables
      AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
      AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
      AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
      AcceptEnv XMODIFIERS

      # override default of no subsystems
      Subsystem sftp /usr/libexec/openssh/sftp-server

      # Example of overriding settings on a per-user basis
      #Match User anoncvs
      # X11Forwarding no
      # AllowTcpForwarding no
      # PermitTTY no
      # ForceCommand cvs server
      [opc@myfreeinstance2 ssh]$
- Add the following code to the file to allow log in with SSH using the username and password.
      PasswordAuthentication yes
- After the file has been saved, run the following command to restart the SSH server on the Linux instance.
      sudo systemctl restart sshd
- Open the OCI Cloud Shell.
- Make sure Cloud Shell is still connected to the private network where the Linux image is available.
- Log in with the SSH command using the username.
- Enter yes to continue.
- Enter the password to log in.
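
Added example (not part of the original tutorial or Oracle's code): the sshd_config listed in this approach already contains an uncommented PasswordAuthentication no line, and sshd uses the first value it obtains for each keyword. The shell function below runs on a constructed excerpt of that file and shows how an appended line, an in-place edit and a Match block resolve; the Match user console and the subnet 10.0.0.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): which PasswordAuthentication value
# does sshd actually use? Rule from sshd_config(5): for each keyword, the
# first obtained value is used, so a later duplicate line is ignored.

# effective_sshd_option FILE KEYWORD
# Print the first uncommented value of KEYWORD in the global section, i.e.
# before the first Match block. Keywords are case-insensitive. Simplification:
# only the "Keyword value" form is parsed, not "Keyword=value".
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                  # comment line
        NF == 0    { next }                  # blank line
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Constructed sample: the password-related lines from the listing above.
write_sample_config() {
    cat > "$1" <<'EOF'
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Case 1: the new line is appended below the existing "no" line.
write_sample_config "$demo_dir/appended"
echo 'PasswordAuthentication yes' >> "$demo_dir/appended"

# Case 2: the existing line is edited in place.
write_sample_config "$demo_dir/edited"
sed 's/^PasswordAuthentication no$/PasswordAuthentication yes/' \
    "$demo_dir/edited" > "$demo_dir/edited.new"
mv "$demo_dir/edited.new" "$demo_dir/edited"

# Case 3: password login scoped with a Match block (user and subnet are
# assumptions); the global value stays "no".
write_sample_config "$demo_dir/scoped"
printf 'Match User console Address 10.0.0.0/24\n    PasswordAuthentication yes\n' \
    >> "$demo_dir/scoped"

# Print the global value each variant resolves to.
for f in appended edited scoped; do
    printf '%-9s %s\n' "$f" \
        "$(effective_sshd_option "$demo_dir/$f" PasswordAuthentication)"
done
```

On the instance itself, sudo sshd -T prints the effective configuration, so sudo sshd -T | grep -i passwordauthentication confirms the resolved value before sshd is restarted.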

Approach 6: Connect via SSH to the compute instance private IP address using a SSH private key with OCI Bastion host
In this approach, we will connect to the Linux instance using the OCI Bastion service and from there connect to the instance using the private IP address through a tunnel connection.

- Before we can use the OCI Bastion service, we need to create the OCI Bastion service first.
  - Open the OCI Console and click the hamburger menu.
  - Click Identity & Security.
  - Click Bastion.

- Click Create Bastion and enter the following information.

  - Enter the Bastion Name.
  - Select the VCN that we want to access with the Bastion service.
  - Select the subnet that we want to access with the Bastion service.
  - Enter an IP address or CIDR that we want to allow to the Bastion service. For this tutorial, we use the home IP address of the ISP connection.
  - Click Create bastion.

- Click the newly created Bastion service.

- Notice that the status is set to CREATING.

- After a few seconds, we will see the status has been changed to ACTIVE.
- Click Create session to create a session for the Linux instance that we want to manage.

- Select the Session Type as Managed SSH session.
- Enter the Username.
- Enter the Linux compute instance that we want to connect to through the Bastion service.
- Select a public key that we want to configure for this specific session.
- Make sure the public key is selected.
- Click Create Session.

- Notice the following error: To create a Managed SSH session, the Bastion plugin must be enabled on the target instance, but the plugin is disabled. This means that in order to connect to a Linux instance using Bastion, a piece of software or plugin needs to be installed on the Linux instance and the plugin needs to be enabled.
- Let’s enable this plugin on the Linux instance. On the OCI Console, click the hamburger menu.

- Click Instances.

- Select the Linux compute instance.

- Scroll down.

- Notice that the Bastion plugin is set to disabled.

- To enable the Bastion plugin, follow the instruction.
  - Click the toggle to enable the Bastion plugin.
  - Wait till the status shows Running.
  Note: When we change the toggle from Disabled to Enabled, it can take a minute before the status is actually changed, because in the background the plugin needs to be downloaded, installed and started, and this takes time.
- Let’s recreate the session on the Bastion plugin. On the OCI Console, click the hamburger menu.

- Click Identity & Security.
- Click Bastion.

- Click the Bastion.

- Click Create session to create a session for the Linux instance that we want to manage.

- Select the Session Type as Managed SSH session.
- Enter the Username.
- Select the Linux compute instance that we want to connect to through the Bastion.
- Select Choose SSH key file.
- Select a public key that we want to configure for this specific session.
- Make sure the public key is selected.
- Click Create Session.

- Notice the state is Creating.

- When the session is created, see the state is Active.
- Notice that the default time of the session is 3 hours. After 3 hours, the session is stopped automatically; we will not be able to use it anymore and need to create a new session.

- Drag and drop the help menu to another spot so that we can access the session menu.
- Click three dots to access the session menu.
- Select Copy SSH command.

- Paste the SSH command into a text editor and notice the <privateKey> placeholders.
  Replace the <privateKey> placeholders with the name of your private key. Use the private key that corresponds with the public key used when the Bastion session was created.
  Example
  - Original command.
        ssh -i <privateKey> -o ProxyCommand="ssh -i <privateKey> -W %h:%p -p 22 ocid1.bastionsession.oc1.eu-amsterdam-1.amaaaaaaccocy5aapmrn66fdxdlg7lhefofhndmeq2ir6owe5afm2v7oghiq@host.bastion.eu-amsterdam-1.oci.oraclecloud.com" -p 22 opc@10.0.0.176
  - Modified command.
        ssh -i ssh-key-2024-01-31.key -o ProxyCommand="ssh -i ssh-key-2024-01-31.key -W %h:%p -p 22 ocid1.bastionsession.oc1.eu-amsterdam-1.amaaaaaaccocy5aapmrn66fdxdlg7lhefofhndmeq2ir6owe5afm2v7oghiq@host.bastion.eu-amsterdam-1.oci.oraclecloud.com" -p 22 opc@10.0.0.176

- Connect to the Linux instance through the Bastion session.
  - From the computer where the private keys are stored, use the full copied command with the private keys added in the macOS terminal to connect to the Linux instance through the Bastion session.
  - Enter yes to continue.
  - Enter yes to continue.
  - Run the following command to verify the IP address.
  - Verify the IP address.

- Open the Bastion session settings in the OCI Console.
  - Click three dots to access the session menu.
  - Select Delete session.

- Enter the Session name to confirm the session removal.
- Click Delete.

- Review the state which is Deleting.

When the session is deleted, the state is set to Deleted.

When the session is deleted the SSH session we opened through the macOS terminal is now also terminated.

Bastion plugin is not present.
In this approach, we have enabled the Bastion plugin on an already running Linux instance. We can also enable the Bastion plugin when we create an instance from the start.
Select the Advanced options, select the following options and continue with the creation of the instance.
- Click Oracle Cloud Agent.
- Select Bastion.

When we create a new instance from the start and check the status of the Bastion plugin right after the instance has been created, while the status is RUNNING*, we may see an error message with Plugin Bastion not present….

It can take a minute before the status is actually changed, because in the background the plugin needs to be downloaded, installed and started, and this takes time. Wait for 5 minutes till the status is changed to Running.

When the status is not changed and the message stays Plugin Bastion not present…, it may be the case that the Linux instance is not able to reach the internet to download the Bastion plugin. Troubleshoot the internet, NAT and service gateway inside the VCN to make sure your instance is able to access the internet.
Approach 7: Use a Stepstone compute instance inside a Virtual Cloud Network
In this approach, we will create a dedicated Linux instance that we can use as some kind of stepstone or dedicated Bastion and from there we will access the other Linux instance. We are using resources that may cost additional money compared to using the OCI Bastion service that is offered for free by Oracle.
We will not go into details of this approach as this is a combination of the approaches that we have explained earlier.

Next Steps
In this tutorial, we have covered all the possible approaches to access and manage a Linux instance inside OCI. We can either access the Linux instance directly from the internet and console, or we can use an intermediate stepstone like OCI Cloud Shell, Bastion or a dedicated instance.
We have also shown how we can connect to the instance with SSH using the private or public key and with a local username and password.
All the possible connection approaches are shown in the following image.

Acknowledgments
- Author - Iwan Hoogendoorn (OCI Network Specialist)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F93420-02
August 2024