[Yandex Cloud documentation](../../index.md) > [Yandex Compute Cloud](../index.md) > [Concepts](index.md) > Virtual machines > Serial console

# VM serial console

{% note warning %}

When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:

* The VM will remain manageable over the internet even without an external IP address.

    A user who has successfully authenticated in the Yandex Cloud [management console](https://console.yandex.cloud) and has the required [access permissions](../security/index.md) for the VM will be able to access the serial console.
    
    One can also access the VM serial console via [SSH](../operations/vm-connect/ssh.md) client applications, such as PuTTY, or through the [CLI](../../cli/index.md) by authenticating with an SSH key. Therefore, make sure to prevent any unauthorized access to your SSH key and always end the web session to reduce interception risks.

* Your serial console session will simultaneously be shared by all users who have access to the serial console. Users will be able to see each other's actions if concurrently viewing the serial console output.
* A valid serial console session can be accessed by another user.

We recommend enabling serial console access only when absolutely necessary, granting access permissions to a limited group of trusted users, and using strong VM passwords.

When you are done using the management console, do not forget to [ban](../operations/serial-console/index.md#disable) access to it.

{% endnote %}

The _serial console_ allows you to access a [virtual machine](vm.md) no matter what state its [network](../../vpc/concepts/network.md#network) is in. The serial console operates based on the [IPMI](https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface) interface and uses the Baseboard Management Controller (BMC) of the cloud server hosting the VM instance.

This means you can use the serial console for things like troubleshooting the virtual machine or access to it over SSH or [OS Login](../../organization/concepts/os-login.md).

[Managing](../operations/serial-console/index.md) serial console access requires the `compute.admin` or `editor` [role](../security/index.md).

You can connect to the serial console of a Linux VM instance using the management console, standard SSH client, or Yandex Cloud CLI. For more information, see [Connecting to a Linux VM serial console](../operations/serial-console/connect-ssh.md).

You can connect to the serial console of a Windows VM instance using the management console or Yandex Cloud CLI. For more information, see [Connecting to the serial console of a Windows VM instance](../operations/serial-console/windows-sac.md).

Access to the VM serial console is disabled by default.

## Serial ports {#serial-ports}

{% note warning %}

How a serial console works depends on how the operating system is set up. Yandex Compute Cloud provides a channel between the user and the virtual machine's COM port and does not guarantee the stability of the console's operation from the OS side.

{% endnote %}

You can use the serial console for connection to Compute Cloud VM instances via different [serial ports](https://en.wikipedia.org/wiki/Serial_port) (COM ports): `COM1`, `COM2`, `COM3`, or `COM4`.

The default, the serial ports used for the purpose are `COM1` (Linux) and `COM2` (Windows). To use a different port, configure it manually on your VM instance OS side.

## Security when using SSH {#security}

{% note info %}

You can only connect to a VM serial console over SSH using a passwordless key. Attempting to use a password will terminate the connection.

{% endnote %}

For remote access, it is important to ensure protection against [MITM attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). You can achieve this using client/server encryption.

A secure connection can be established using the following methods:

* Before each connection to the VM, you can download the current [SHA256 fingerprint](https://storage.yandexcloud.net/cloud-certs/serialssh-fingerprint.txt) of the SSH key.

    The first time you connect to a VM, the client shows the SSH key fingerprint and awaits confirmation to establish a connection:

    * `YES`: Establish a connection.
    * `NO`: Reject.

    Make sure the fingerprint from the link matches the fingerprint given by the client.
* Before each connection to the serial console, you can download the host's public [SSH key](https://storage.yandexcloud.net/serialssh-certs/serialssh-knownhosts) (file named `serialssh-knownhosts`) and use it to connect.

    Recommended startup options:

    ```bash
    ssh \
      -o ControlPath=none \
      -o IdentitiesOnly=yes \
      -o CheckHostIP=no \
      -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile=./serialssh-knownhosts \
      -p 9600 \
      -i ~/.ssh/<private_SSH_key_name> \
      <VM_ID>.<username>@serialssh.cloud.yandex.net
    ```

    
    
    The host's public SSH key can be changed later on.

Check the specified files often. Download them only via HTTPS but first make sure that the `https://storage.yandexcloud.net` website has a valid certificate. If the website cannot guarantee secure encryption of your data due to certificate issues, your browser will display a warning.

#### See also {#see-also}

* [Managing serial console access](../operations/serial-console/index.md)
* [Connecting to a Linux VM serial console](../operations/serial-console/connect-ssh.md)
* [Connecting to the serial console of a Windows VM instance](../operations/serial-console/windows-sac.md)