[Yandex Cloud documentation](../../../index.md) > [Yandex Compute Cloud](../../index.md) > [Step-by-step guides](../index.md) > Images with pre-installed software > Running a VM from a public image

# Working with a VM created from a public image

## Connecting to a VM {#ways-to-connect}

You can connect to a [virtual machine](../../concepts/vm.md) via SSH using an SSH key pair, [via OS Login](../vm-connect/os-login.md), or via the [serial console](../../concepts/serial-console.md).

### Connecting over SSH {#connect}

This method for connecting to a VM uses an SSH key pair: the public key resides on the VM, while the private one is kept by the user. Connecting with a key pair is more secure than with a username and password.

{% note info %}

SSH connections using a login and password are disabled by default on public Linux images that are provided by Yandex Cloud.

{% endnote %}

#### Creating an SSH key pair {#creating-ssh-keys}

{% list tabs group=operating_system %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to [create](../vm-create/create-linux-vm.md) your VM.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/server.svg) **Virtual machines**.
  1. Click **Create virtual machine**.
  1. Under **Access**, click **Add key**.
  1. In the window that opens, select `Generate key` and click **Add**.
  
      When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>/.ssh` directory. You do not need additionally enter the public key in the management console.
  
      The system will add the SSH key to your organization user profile. If the organization has [disabled](../../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.
  
  {% cut "UNPROTECTED PRIVATE KEY FILE warning" %}
      
  On Unix-like systems, after you unpack a private key to the `.ssh` directory, the key gets permissions that are too high. This causes the `UNPROTECTED PRIVATE KEY FILE` warning when connecting to the VM. To reduce the permissions, run this command:
  
  ```bash
  chmod 600 <path_to_private_key_file>
  ```
      
  {% endcut %}

- Linux/macOS {#linux-macos}

  1. Open the terminal.
  1. Use the `ssh-keygen` command to create a new key:
  
      ```bash
      ssh-keygen -t ed25519 -C "<optional_comment>"
      ```
  
      You can specify an empty string in the `-C` parameter to avoid adding a comment, or you may not specify the `-C` parameter at all: in this case, a default comment will be added.
  
      After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the `.pub` extension, while the private key, in a file without extension.
  
      By default, the command prompts you to save the key under the `id_ed25519` name in the following directory: `/home/<username>/.ssh`. If there is already an SSH key named `id_ed25519` in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.

- Windows 10/11 {#windows}

  If you do not have [OpenSSH](https://en.wikipedia.org/wiki/OpenSSH) installed yet, follow this [guide](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui) to install it.
  
  1. Run `cmd.exe` or `powershell.exe` (make sure to update PowerShell before doing so).
  1. Use the `ssh-keygen` command to create a new key:
  
      ```shell
      ssh-keygen -t ed25519 -C "<optional_comment>"
      ```
  
      You can specify an empty string in the `-C` parameter to avoid adding a comment, or you may not specify the `-C` parameter at all: in this case, a default comment will be added.
  
      After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the `.pub` extension, while the private key, in a file without extension.
  
      By default, the command prompts you to save the key under the `id_ed25519` name in the following folder: `C:\Users\<username>/.ssh`. If there is already an SSH key named `id_ed25519` in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.

- Windows 7/8 {#windows7-8}

  Create keys using the PuTTY app:
  
  1. [Download](https://www.putty.org) and install PuTTY.
  1. Add the folder with PuTTY to the `PATH` variable:
  
      1. Click **Start** and type **Change system environment variables** in the Windows search bar.
      1. Click **Environment Variables...** at the bottom right.
      1. In the window that opens, find the `PATH` parameter and click **Edit**.
      1. Add your folder path to the list.
      1. Click **OK**.
  
  1. Launch the PuTTYgen app.
  1. Select **EdDSA** as the pair type to generate. Click **Generate** and move the cursor in the field above it until key creation is complete.
  
      ![ssh_generate_key](../../../_assets/compute/ssh-putty/ssh_generate_key.png)
  
  1. In **Key passphrase**, enter a strong password. Enter it again in the field below.
  1. Click **Save private key** and save the private key. Do not share its key phrase with anyone.
  1. Click **Save public key** and save the public key to a file named `<key_name>.pub`.

{% endlist %}

#### Connecting using an SSH key pair {#vm-connect}

After the VM starts (its status is `RUNNING`), you can connect to it over SSH. To do this, use `ssh` in Linux, macOS, and Windows 10/11, or [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/) in Windows 7/8.

To connect, specify the VM address. This can be either its [IP address](../../../vpc/concepts/address.md) or [FQDN](../../../vpc/concepts/address.md#fqdn). You can also connect from another Yandex Cloud VM using FQDN if this VM is connected to the same [virtual network](../../../vpc/concepts/network.md#network). You can find out the IP address in the [management console](https://console.yandex.cloud) by going to the **Network** section on the VM's page.

### Connecting via OS Login {#os-login-connect}

[OS Login](../../../organization/concepts/os-login.md) is used to provide users with SSH access to VMs using IAM. To access a VM via OS Login, [enable](../../../organization/operations/os-login-access.md) organization-level OS Login access.

To connect to a VM via OS Login, the user needs the `compute.osLogin` or `compute.osAdminLogin` role plus the `resource-manager.auditor` [role](../../../resource-manager/security/index.md#resource-manager-auditor) or higher for the folder the VM is in. The VM must support OS Login at the OS level. You can [create](../vm-connect/os-login-create-vm.md) a new VM with OS Login support or [set up](../vm-connect/enable-os-login.md) access via OS Login for an existing VM.

To connect to a VM via OS Login, specify the VM name or ID.

If a VM has OS Login access enabled, you cannot use a standard [SSH](../vm-connect/ssh.md#vm-connect) client to connect to that VM with an SSH key.

## Passwords for pre-installed software {#logins-passwords}

In addition to OS distributions, Cloud Marketplace offers public images with pre-installed software. To get passwords to configure the pre-installed software in such images:

1. Connect to the VM.

1. You can find passwords for pre-installed software in the `/root/default_passwords.txt` file. Only a superuser has read and write permissions for the file. Get a list of passwords using this command:

   ```bash
   sudo cat /root/default_passwords.txt
   ```

If a public VM image has no pre-installed software, there will be no password file provided.

## Using SSL {#ssl}

To use SSL, generate an SSL certificate and configure the web server to use it.

To [create](../../../certificate-manager/operations/managed/cert-create.md) an SSL certificate, use [Yandex Certificate Manager](../../../certificate-manager/index.md). You can [export](../../../certificate-manager/operations/managed/cert-get-content.md) the certificate and use it on the web server.

## Filtering network traffic {#network-filter}

On VMs created from public images, only the ports required for configuring and running pre-installed software are open.

You can view a list of open ports for a particular VM when [connecting to it using an SSH key pair](../vm-connect/ssh.md). To open additional ports, use `iptables`.

At the [cloud network](../../../vpc/concepts/network.md#network) level, [security groups](../../../vpc/concepts/security-groups.md) are used to filter the network traffic. To allow specific traffic for a VM at the network level, [configure](../../../vpc/operations/security-group-add-rule.md) a security group and [link](../vm-control/vm-change-security-groups-set.md) it to the VM.

## Installing updates {#updates}

VMs created from public images do not feature automatic updates for their operating system or software. You can update them manually.