# Configuring OS Login access on an existing VM

To configure OS Login access for an already deployed VM, you can manually install the OS Login agent.


## Enabling access via OS Login {#enable-os-login}

{% note tip %}

To create VMs with OS Login access and [connect](os-login.md) to such VMs, [enable](../../../organization/operations/os-login-access.md) OS Login at the Yandex Cloud [organization](../../../organization/quickstart.md) level first.

{% endnote %}

To configure OS Login access for an existing VM:

1. Enable [access via OS Login](../../../organization/operations/os-login-access.md) at the organization level.

1. [Connect](ssh.md#vm-connect) to the VM over SSH.

1. Install the OS Login agent on the VM. Run the command below based on the VM OS:

    {% note info %}

    The [Ubuntu 24.04](https://yandex.cloud/en/marketplace/products/yc/ubuntu-2404-lts-oslogin) public image comes with the OS Login agent pre-installed, so you do not need to install it manually.

    {% endnote %}

    {% list tabs %}

    - Ubuntu

      * Ubuntu 24.04

        ```bash
        curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-24.04/config_oslogin.sh | bash
        ```

      * Ubuntu 22.04

        ```bash
        curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-22.04/config_oslogin.sh | bash
        ```

      * Ubuntu 20.04

        ```bash
        curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-20.04/config_oslogin.sh | bash
        ```

      * Ubuntu 18.04

        ```bash
        curl https://storage.yandexcloud.net/oslogin-configs/ubuntu-18.04/config_oslogin.sh | bash
        ```

    - CentOS 7

      ```bash
      curl https://storage.yandexcloud.net/oslogin-configs/centos-7/config_oslogin.sh | bash
      ```

    - Debian 11

      ```bash
      curl https://storage.yandexcloud.net/oslogin-configs/debian-11/config_oslogin.sh | bash
      ```

    - AlmaLinux 9

      ```bash
      curl https://storage.yandexcloud.net/oslogin-configs/almalinux-9/config_oslogin.sh | bash
      ```

    {% endlist %}

1. [Enable](../vm-control/vm-update.md#enable-oslogin-access) access via OS Login on the VM.
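
A more cautious way to run the install step, shown as an added example rather than Yandex Cloud's own tooling: it selects the installer URL listed above from `/etc/os-release`, downloads it to a file over HTTPS only, and prints its SHA-256 so the script can be reviewed before it runs. The function names and the output path are assumptions made for this example.

```bash
# Added example (not Yandex Cloud tooling): pick the installer for this OS and
# download it for review instead of piping it straight into bash.
BASE_URL="https://storage.yandexcloud.net/oslogin-configs"

# Read one KEY=value field from an os-release file, dropping optional quotes.
os_release_field() {
  sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d "\"'"
}

# Print the installer URL for the OS described by an os-release file.
# Returns 1 when the OS is not one of the variants listed on this page.
oslogin_script_url() {
  local os_release="${1:-/etc/os-release}" id version slug
  [ -r "$os_release" ] || return 1
  id=$(os_release_field ID "$os_release")
  version=$(os_release_field VERSION_ID "$os_release")
  case "$id:$version" in
    ubuntu:24.04|ubuntu:22.04|ubuntu:20.04|ubuntu:18.04) slug="ubuntu-$version" ;;
    centos:7|centos:7.*)        slug="centos-7" ;;
    debian:11|debian:11.*)      slug="debian-11" ;;
    almalinux:9|almalinux:9.*)  slug="almalinux-9" ;;
    *) return 1 ;;
  esac
  printf '%s/%s/config_oslogin.sh\n' "$BASE_URL" "$slug"
}

# Download the installer to a file (default ./config_oslogin.sh, an assumed
# path) and print its SHA-256. Nothing is executed here.
fetch_oslogin_script() {
  local url out="${2:-./config_oslogin.sh}"
  url=$(oslogin_script_url "${1:-/etc/os-release}") || {
    echo "no OS Login installer is listed for this OS" >&2
    return 1
  }
  # -f: fail on HTTP errors rather than saving an error page;
  # --proto '=https': allow HTTPS only.
  curl -fsS --proto '=https' --tlsv1.2 -o "$out" "$url" || return 1
  sha256sum "$out"
  echo "Review $out, then run: bash $out" >&2
}
```

Call `fetch_oslogin_script` on the VM, read the saved file, and only then run it with `bash`.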

You can now connect to the VM via OS Login using either the [YC CLI](os-login.md#connect-with-yc-cli) or a [standard SSH client](os-login.md#connect-with-ssh-client). To connect, you can use an SSH certificate or SSH key, which you first need to [add](../../../organization/operations/add-ssh.md) to the profile of a Yandex Identity Hub user or service account.


## Disabling access via OS Login {#disable-os-login}

To access a VM without OS Login, the VM must store the public part of the SSH key. If the VM was [created](../vm-create/create-linux-vm.md) without an SSH key or the key was lost, [add](recovery-access.md#ssh-recovery) an SSH key and a local user to the VM manually before disabling OS Login access.

To get back the ability to [connect](ssh.md) to the VM over SSH without using OS Login:

1. Disable access via OS Login.

    {% list tabs group=instructions %}

    - Management console {#console}

        1. In the [management console](https://console.yandex.cloud), select the folder this VM belongs to.
        1. Navigate to **Compute Cloud**.
        1. In the left-hand panel, select ![image](../../../_assets/console-icons/server.svg) **Virtual machines** and click the name of the VM.
        1. In the top-right corner, click ![image](../../../_assets/console-icons/pencil.svg) **Edit VM**.
        1. Under **Access**, select **SSH key**.
        1. Click **Save changes**.

    - CLI {#cli}

      If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

      The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

      Run this command:

      ```bash
      yc compute instance update \
        --name <VM_name> \
        --folder-id <folder_ID> \
        --metadata enable-oslogin=false
      ```

      Make sure OS Login access is now disabled:

      ```bash
      yc compute ssh \
        --name <VM_name> \
        --folder-id <folder_ID>
      ```

      Result:

      ```text
      ...
      username@12.345.***.***: Permission denied (publickey).
      ...
      ```

    {% endlist %}

1. [Connect](ssh.md#vm-connect) to the VM over SSH.

1. Run the following command to delete the OS Login packages:

    {% list tabs %}

    - Linux {#linux}

      ```bash
      curl https://storage.yandexcloud.net/oslogin-configs/common/remove_oslogin.sh | bash
      ```

      During removal, you will be prompted to confirm the deletion of the `cron` and `unscd` packages. To confirm, type `y` and press **Enter**.

    {% endlist %}

{% note alert %}

A user with [superuser](https://en.wikipedia.org/wiki/Superuser) permissions for a VM can retain access to it even if the [roles are revoked](../../../organization/security/index.md#revoke). To prevent user access to a VM with old permissions, [create](../images-with-pre-installed-software/create.md) a new VM from a clean image.

{% endnote %}