
# Managing serial console access

The [serial console](../../concepts/serial-console.md) allows you to access a [VM instance](../../concepts/vm.md) no matter what the [network](../../../vpc/concepts/network.md#network) or OS state currently is.

[Managing](index.md) serial console access requires the `compute.admin` or `editor` [role](../../security/index.md).

By default, access to the Compute Cloud VM serial console is disabled.

{% note warning %}

When assessing the risks associated with enabling VM access via the serial console, keep in mind the following:

* The VM will remain manageable over the internet even without an external IP address.

    A user who has successfully authenticated in the Yandex Cloud [management console](https://console.yandex.cloud) and has the required [access permissions](../../security/index.md) for the VM will be able to access the serial console.
    
    One can also access the VM serial console via [SSH](../vm-connect/ssh.md) client applications, such as PuTTY, or through the [CLI](../../../cli/index.md) by authenticating with an SSH key. Therefore, make sure to prevent any unauthorized access to your SSH key and always end the web session to reduce interception risks.

* Your serial console session will simultaneously be shared by all users who have access to the serial console. Users will be able to see each other's actions if concurrently viewing the serial console output.
* A valid serial console session can be accessed by another user.

We recommend enabling serial console access only when absolutely necessary, granting access permissions to a limited group of trusted users, and using strong VM passwords.

When you are done using the serial console, do not forget to [disable](index.md#disable) access to it.

{% endnote %}

## Enabling access to the serial console {#enable}

You can enable access to the serial console either when creating a new VM instance or by updating the existing one.

### Creating a new VM with serial console access enabled {#turn-on-for-new-instance}

To enable access to the serial console when creating a new VM instance based on a public [image](../images-with-pre-installed-software/get-list.md) from [Yandex Cloud Marketplace](../../../marketplace/index.md):

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) where you want to create your VM.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, select ![server](../../../_assets/console-icons/server.svg) **Virtual machines**.
  1. Click **Create virtual machine**.
  1. Under **Boot disk image**, select one of the Yandex Cloud Marketplace [images](../../concepts/image.md).
  1. Under **Location**, select an [availability zone](../../../overview/concepts/geo-scope.md) where your VM will reside.
  1. Under **Computing resources**, select one of the preset configurations or create a custom one.
  1. Under **Network settings**:

      * In the **Subnet** field, enter the ID of a subnet in the new VM’s availability zone. Alternatively, select a [cloud network](../../../vpc/concepts/network.md#network) from the list.

          * Each network must have at least one [subnet](../../../vpc/concepts/network.md#subnet). If your network has no subnets, create one by selecting **Create subnet**.
          * If there is no network, click **Create network** to create one.
      * In the **Public IP address** field, select the `Auto` address assignment method to assign a random IP address from the Yandex Cloud address pool.
      * Select the [relevant security groups](../../../vpc/concepts/security-groups.md). If you leave this field empty, the default security group will be assigned to the VM.
  1. Under **Access**:
     
     * Select **Access by OS Login** to [connect](../vm-connect/os-login.md) and manage access to the new VM using [OS Login](../../../organization/concepts/os-login.md) in Yandex Identity Hub.
     
         With OS Login, you can connect to VMs using SSH keys and SSH certificates via a standard SSH client or the [Yandex Cloud CLI](../../../cli/quickstart.md). OS Login enables rotating the SSH keys used to access VMs, providing the most [secure](../../../security/domains/iaas-checklist.md#vm-security) access option.
     
     * If you prefer not to use OS Login, select **SSH key** and specify the following VM access data:
     
         * In the **Login** field, enter the username.
     
             {% note alert %}
     
             Do not use `root` or other [OS-reserved usernames](https://github.com/canonical/subiquity/blob/main/reserved-usernames). To perform operations requiring root privileges, use the `sudo` command.
     
             {% endnote %}
     
         * In the **SSH key** field, select the SSH key saved in your [organization user](../../../organization/concepts/membership.md) profile.
           
           If there are no SSH keys in your profile or you want to add a new key:
           
           1. Click **Add key**.
           1. Enter a name for the SSH key.
           1. Select one of the following:
           
               * `Enter manually`: Paste the contents of the public SSH key. You need to [create](../vm-connect/ssh.md#creating-ssh-keys) an SSH key pair on your own.
               * `Load from file`: Upload the public part of the SSH key. You need to create an SSH key pair on your own.
               * `Generate key`: Automatically create an SSH key pair.
               
                 When adding a new SSH key, an archive containing the key pair will be created and downloaded. In Linux or macOS-based operating systems, unpack the archive to the `/home/<user_name>/.ssh` directory. In Windows, unpack the archive to the `C:\Users\<user_name>/.ssh` directory. You do not need to additionally enter the public key in the management console.
           
           1. Click **Add**.
           
           The system will add the SSH key to your organization user profile. If the organization has [disabled](../../../organization/operations/os-login-access.md) the ability for users to add SSH keys to their profiles, the added public SSH key will only be saved in the user profile inside the newly created resource.
     
     If you want to add multiple users with SSH keys to the VM at the same time, [specify](../../concepts/metadata/sending-metadata.md) these users' data under **Metadata**. You can also use metadata to [install additional software](../vm-create/create-with-cloud-init-scripts.md) on a VM when creating it.
     
     In public Linux images provided by Yandex Cloud, the functionality of connecting over SSH using login and password is disabled by default.
  1. Under **General information**, enter a name for your VM:

      * Length: between 3 and 63 characters.
      * It can only contain lowercase Latin letters, numbers, and hyphens.
      * It must start with a letter and cannot end with a hyphen.

      {% note info %}
      
      The VM name is used to generate an [internal FQDN](../../concepts/network.md#hostname), which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
      
      {% endnote %}

  1. Expand the **Additional** section and select **Enable** in the **Serial console access** field.
  1. Click **Create VM**.

  The VM will appear in the list. The new VM will get an [IP address](../../../vpc/concepts/address.md) and a [host name](../../../vpc/concepts/address.md#fqdn) (FQDN).

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. [Create](../vm-connect/ssh.md#creating-ssh-keys) a key pair (public and private keys) for SSH access to the VM.
  1. Create a VM in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder). The example below creates a VM based on a public [image](../images-with-pre-installed-software/get-list.md) from [Yandex Cloud Marketplace](../../../marketplace/index.md) running [Ubuntu 24.04 LTS](https://yandex.cloud/en/marketplace/products/yc/ubuntu-2404-lts-oslogin):

      ```bash
      yc compute instance create \
        --name sample-instance \
        --zone ru-central1-a \
        --network-interface subnet-id=<subnet_ID>,nat-ip-version=ipv4 \
        --create-boot-disk image-folder-id=standard-images,image-family=ubuntu-2404-lts-oslogin,auto-delete=true \
        --metadata enable-oslogin=false,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
      ```

      Where:

      * `--name`: VM name. The naming requirements are as follows:

          * Length: between 3 and 63 characters.
          * It can only contain lowercase Latin letters, numbers, and hyphens.
          * It must start with a letter and cannot end with a hyphen.

          {% note info %}
          
          The VM name is used to generate an [internal FQDN](../../concepts/network.md#hostname), which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
          
          {% endnote %}

      * `--zone`: [Availability zone](../../../overview/concepts/geo-scope.md) to create the VM in.
      * `--network-interface`: Network settings of the new VM:

          * `subnet-id`: [ID of the subnet](../../../vpc/operations/subnet-get-info.md) in the availability zone the VM is created in.
      * `--metadata`: VM [metadata](../../concepts/vm-metadata.md):

          * `enable-oslogin`: Parameter responsible for access to the VM instance via [OS Login](../../../organization/concepts/os-login.md). The possible values are:

              * `true`: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
              * `false`: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
          * `serial-port-enable=1`: Parameter enabling access to the VM via the serial console.
          * `ssh-keys`: Name of the local VM user and the contents of the [public SSH key](../vm-connect/ssh.md#creating-ssh-keys) that will allow this user to connect to the VM over SSH.

      For more information about the `yc compute instance create` command, see the [CLI reference](../../../cli/cli-ref/compute/cli-ref/instance/create.md).

{% endlist %}

### Enabling access to the serial console for an existing VM {#turn-on-for-current-instance}

To enable access to the serial console for an existing VM: 

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) the VM instance resides in.

  1. Navigate to **Compute Cloud**.

  1. In the left-hand panel, select ![server](../../../_assets/console-icons/server.svg) **Virtual machines**.

  1. Find the VM row in the VM list, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg), and select ![pencil](../../../_assets/console-icons/pencil.svg) **Edit**. In the window that opens:

     1. Expand the **Additional** section and select **Enable** in the **Serial console access** field.
     1. Click **Save changes**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Update the VM by specifying its [name or ID](../vm-info/get-info.md#outside-instance) in the command below:

      ```bash
      yc compute instance update <VM_name_or_ID> \
        --metadata enable-oslogin=<true|false>,serial-port-enable=1,ssh-keys='<username>:<public_SSH_key>'
      ```

      Where `--metadata` is the VM [metadata](../../concepts/vm-metadata.md):

      * `enable-oslogin`: Parameter responsible for access to the VM instance via [OS Login](../../../organization/concepts/os-login.md). The possible values are:

          * `true`: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
          * `false`: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
      * `serial-port-enable=1`: Parameter enabling access to the VM via the serial console.
      * `ssh-keys`: Name of the local VM user and the contents of the [public SSH key](../vm-connect/ssh.md#creating-ssh-keys) that will allow this user to connect to the VM over SSH.

      For more information about the `yc compute instance update` command, see the [CLI reference](../../../cli/cli-ref/compute/cli-ref/instance/update.md).

{% endlist %}

## Disabling access to the serial console {#disable}

Access to the serial console for all newly created Compute Cloud VMs is disabled by default.

To disable serial console access for an existing VM: 

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) the VM instance resides in.

  1. Navigate to **Compute Cloud**.

  1. In the left-hand panel, select ![server](../../../_assets/console-icons/server.svg) **Virtual machines**.

  1. Find the VM row in the VM list, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg), and select ![pencil](../../../_assets/console-icons/pencil.svg) **Edit**. In the window that opens:

     1. Expand the **Additional** section and turn off **Enable** in the **Serial console access** field.
     1. Click **Save changes**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Update the VM by specifying its [name or ID](../vm-info/get-info.md#outside-instance) in the command below:

      ```bash
      yc compute instance update <VM_name_or_ID> \
        --metadata enable-oslogin=<true|false>,serial-port-enable=0,ssh-keys='<username>:<public_SSH_key>'
      ```

      Where `--metadata` is the VM [metadata](../../concepts/vm-metadata.md):

      * `enable-oslogin`: Parameter responsible for access to the VM instance via [OS Login](../../../organization/concepts/os-login.md). The possible values are:

          * `true`: To enable access to the VM via OS Login. This will block access to the VM with the SSH key set via the metadata.
          * `false`: To disable access to the VM via OS Login. Access to the VM will only be possible with the SSH key set via the metadata.
      * `serial-port-enable=0`: Parameter disabling access to the VM via the serial console.
      * `ssh-keys`: Name of the local VM user and the contents of the [public SSH key](../vm-connect/ssh.md#creating-ssh-keys) that will allow this user to connect to the VM over SSH.

      For more information about the `yc compute instance update` command, see the [CLI reference](../../../cli/cli-ref/compute/cli-ref/instance/update.md).

{% endlist %}
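
To confirm that serial console access was actually turned off, you can audit VM metadata for `serial-port-enable=1`. The script below is an added example, not part of the Yandex Cloud documentation or tooling: it assumes instance records saved as a JSON array from `yc compute instance get --full --format json <VM_name_or_ID>`, and the field names `metadata`, `network_interfaces`, `primary_v4_address`, and `one_to_one_nat`, the newline-separated `ssh-keys` format, and all function names are assumptions; the sample data is constructed.

```python
import json
import sys

# Constructed sample records; the JSON shape is an assumption about `yc` output.
SAMPLE = json.loads("""
[
  {"name": "bastion",
   "metadata": {"serial-port-enable": "1", "enable-oslogin": "false",
                "ssh-keys": "alice:ssh-ed25519 AAAA...constructed"},
   "network_interfaces": [{"primary_v4_address": {"address": "10.0.0.5"}}]},
  {"name": "web-1",
   "metadata": {"serial-port-enable": "0", "enable-oslogin": "true"},
   "network_interfaces": [{"primary_v4_address": {"address": "10.0.0.6",
                           "one_to_one_nat": {"address": "203.0.113.10"}}}]},
  {"name": "db-1", "metadata": {},
   "network_interfaces": [{"primary_v4_address": {"address": "10.0.0.7"}}]}
]
""")

def has_public_ip(instance):
    """True if any interface carries a NAT (public) address."""
    for nic in instance.get("network_interfaces") or []:
        nat = (nic.get("primary_v4_address") or {}).get("one_to_one_nat") or {}
        if nat.get("address"):
            return True
    return False

def metadata_users(metadata):
    """Local users named in `ssh-keys` entries of the form <username>:<public_SSH_key>."""
    users = []
    for line in str(metadata.get("ssh-keys", "")).splitlines():
        user, sep, _key = line.partition(":")
        if sep and user.strip():
            users.append(user.strip())
    return users

def audit_serial_console(instances):
    """Return one finding per VM whose metadata has serial-port-enable=1."""
    findings = []
    for inst in instances:
        md = inst.get("metadata") or {}
        if str(md.get("serial-port-enable", "0")).strip() != "1":
            continue  # absent or 0: serial console access is disabled (the default)
        findings.append({
            "name": inst.get("name", "<unnamed>"),
            "public_ip": has_public_ip(inst),  # False: still manageable over the internet
            "os_login": str(md.get("enable-oslogin", "")).lower() == "true",
            "users": metadata_users(md),       # users whose keys are set via metadata
        })
    return findings

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_serial_console(data):
        print(f)
```

A finding with `public_ip` set to `False` marks a VM that has no external address but remains reachable through the serial console, which is the first risk listed in the warning at the top of this page.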

#### See also {#see-also}

* [VM serial console](../../concepts/serial-console.md)
* [Connecting to a Linux VM serial console](connect-ssh.md)
* [Connecting to the serial console of a Windows VM instance](windows-sac.md)