4 ‐ Recover Access to an OCI Instance When SSH Keys Are Lost (Password Authentication Not Set) - SanjeevOCI/Ocidocs GitHub Wiki
Applies to: OCI Linux instances (opc user)
Goal: Regain access to a locked OCI instance if both the SSH key pair is lost and password authentication was never enabled.
🧭 Overview
There are two ways to regain access:
- Using Cloud Shell (recommended) — Create a Console Connection to the instance, reach its serial console over SSH from Cloud Shell, and boot into maintenance mode to add a key or set a password.
- Using a healthy instance — If another instance exists in the same compartment and availability domain, move the locked instance's boot volume to it temporarily and edit the filesystem offline. (Being in the same subnet does not help by itself: a helper instance cannot SSH to the locked one without credentials either.)
✅ Preferred Method: Cloud Shell (Console Connection)
This avoids detaching the boot volume and keeps the instance, its IP addresses and its attachments untouched. It does require one reboot of the locked instance into maintenance mode.
1️⃣ Using Cloud Shell (Recommended)
Step 1: Navigate to the Instance
- ☰ → Compute → Instances
- Select the problematic instance.
Step 2: Open Cloud Shell Session
Click the Cloud Shell icon in the Console header. An interactive shell opens in a panel at the bottom of the browser window, authenticated with your OCI identity. If you have no usable key pair left, generate a fresh one here with ssh-keygen; its public key is what you will paste into the console connection, and its private key stays in your Cloud Shell home directory.
Step 3: Create a Console Connection
- On the Instance Details page → Resources (left panel) → click Console Connection.
- Click Create Console Connection.
- Paste the public key of the key pair you just generated (in Cloud Shell or on your local machine).
- Click Create. OCI generates an SSH command that connects to the serial console through the regional console proxy, authenticated with the private key that matches the public key you pasted.
Step 4: SSH to Serial Console
OCI displays an SSH command. Run it exactly as shown, in Cloud Shell or locally, from the machine that holds the matching private key.
Once connected you see the instance's serial console, which presents an ordinary login prompt, not a shell. Since the instance has no password and no working key, that prompt cannot be used directly. Instead, reboot the instance (from the Console or with an OCI CLI command) while the serial session is open, interrupt the boot in the GRUB menu, and add init=/bin/bash to the kernel command line as described in OCI's console-connection troubleshooting documentation for your image. The instance then boots into a root shell with the root filesystem mounted read-only; remount it read-write before making changes, and load the SELinux policy first (load_policy -i) so that files you create are labelled. The exact key sequence and kernel parameters differ by image, so follow the OCI docs for your OS version.
Step 5: Restore Access
From the maintenance-mode root shell you can now do either of the following (prefix the commands with sudo if you instead reach a normal shell as opc):
Option A — Add a new public key
```sh
mkdir -p /home/opc/.ssh && chmod 700 /home/opc/.ssh
echo "<your-new-public-key>" >> /home/opc/.ssh/authorized_keys
chmod 600 /home/opc/.ssh/authorized_keys
chown -R opc:opc /home/opc/.ssh   # sshd ignores the file if root owns it
```
Option B — Temporarily enable password auth
```sh
passwd opc
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd   # in maintenance mode, reboot -f instead
```
Then reboot the instance normally (reboot -f from the maintenance shell). Option B opens the instance to password guessing from anywhere its security list or NSG allows port 22, so use it only to get back in, then install a key and set PasswordAuthentication back to no.
✅ After you restore access, you can SSH normally to the instance again.
2️⃣ Using a Healthy Instance (Boot Volume Transplant)
If Instance 2 (healthy) exists in the same availability domain as Instance 1 (problematic), use Instance 2 to edit Instance 1's boot volume offline:
- Stop Instance 1 and detach its boot volume (Resources → Boot volume → Detach).
- Attach that boot volume to Instance 2 as a block volume (paravirtualized attachment avoids iSCSI setup), then SSH into Instance 2 with your existing key.
- Identify the new disk with lsblk and mount its root partition, for example under /mnt/recover. Because both instances were built from the same image, the XFS root filesystems share a UUID, so the mount needs -o nouuid.
- Add your new public key to /mnt/recover/home/opc/.ssh/authorized_keys with mode 600 and owner opc, then unmount the volume and detach it from Instance 2.
- Reattach the volume to Instance 1 as its boot volume and start the instance.
This method requires both instances to be in the same availability domain (volumes cannot be attached across ADs) and IAM permission to detach and attach boot volumes. Note that anyone with those permissions can read or rewrite the whole disk, so treat them as equivalent to root on the instance.
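The edits in Option A / Option B above and in the boot-volume method are the same two changes applied to a root filesystem at different mount points. The script below is an added example, not code from the wiki page or from Oracle: it performs both changes against a root filesystem at ROOT (/mnt/recover on a helper instance, or / from the maintenance-mode shell), reads the uid/gid and home directory from the target's own /etc/passwd rather than the helper's, refuses anything that is not an OpenSSH public-key line, avoids duplicating a key that is already present, and flags the filesystem for an SELinux relabel on the next boot so files written from the helper or with no policy loaded get correct labels. The mount point /mnt/recover, the file name recover.sh, the drop-in name 00-recovery.conf and the sample key are assumptions.

```shell
#!/bin/sh
# Added example: offline repair of a locked instance's root filesystem.
# ROOT is where that filesystem is mounted: /mnt/recover when the boot volume is
# attached to a helper instance, or / from the serial-console maintenance shell.
# /mnt/recover, recover.sh and 00-recovery.conf are assumed names, not OCI conventions.
set -eu

# Accept only a single OpenSSH public-key line: key type, base64 blob, optional comment.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) [A-Za-z0-9+/]+=*( .*)?$'
}

# uid:gid and home of USER taken from the TARGET's /etc/passwd, never the helper's:
# a uid that exists on the helper may belong to a different account on the target.
target_ids() {
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4; found = 1 } END { exit !found }' "$1/etc/passwd"
}
target_home() {
    awk -F: -v u="$2" '$1 == u { print $6 }' "$1/etc/passwd"
}

# install_key ROOT USER PUBKEY: append PUBKEY to USER's authorized_keys under ROOT.
# Prints the uid:gid the .ssh directory is owned by on the target.
install_key() {
    root=${1%/}; user=$2; key=$3
    valid_pubkey "$key" || { echo "refusing: not an OpenSSH public key line" >&2; return 1; }
    ids=$(target_ids "$root" "$user") || { echo "refusing: $user not in $root/etc/passwd" >&2; return 1; }
    sshdir="$root$(target_home "$root" "$user")/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    # Idempotent: do not add a key that is already there.
    grep -qxF "$key" "$sshdir/authorized_keys" 2>/dev/null || printf '%s\n' "$key" >> "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    # sshd ignores authorized_keys unless the user owns it; chown requires root.
    if [ "$(id -u)" -eq 0 ]; then chown -R "$ids" "$sshdir"; fi
    # Files written from a helper (or with no SELinux policy loaded) carry the wrong
    # or no label; make the target relabel itself on its next boot.
    if [ -f "$root/etc/selinux/config" ]; then touch "$root/.autorelabel"; fi
    echo "$ids"
}

# enable_password_auth ROOT: turn on PasswordAuthentication in the target's sshd config.
# Prints the file that now carries the setting. Revert it once a key is back in place.
enable_password_auth() {
    root=${1%/}; cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || { echo "refusing: $cfg not found" >&2; return 1; }
    if grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$cfg"; then
        # sshd keeps the first value it reads and the Include sits at the top of the
        # file, so a drop-in that sorts first overrides both the main file and any
        # cloud-init drop-in that set PasswordAuthentication no.
        mkdir -p "$root/etc/ssh/sshd_config.d"
        printf 'PasswordAuthentication yes\n' > "$root/etc/ssh/sshd_config.d/00-recovery.conf"
        echo "$root/etc/ssh/sshd_config.d/00-recovery.conf"
    else
        # Older OpenSSH without Include: rewrite (or uncomment) the directive in place.
        if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
            sed -i -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$cfg"
        else
            printf 'PasswordAuthentication yes\n' >> "$cfg"
        fi
        echo "$cfg"
    fi
}

# Usage on the helper (boot volume mounted at /mnt/recover):
#   sh recover.sh /mnt/recover opc "$(cat ~/.ssh/recovery.pub)" [--password-auth]
if [ $# -ge 3 ]; then
    install_key "$1" "$2" "$3"
    if [ "${4:-}" = "--password-auth" ]; then enable_password_auth "$1"; fi
fi
```

Run it as root so the chown takes effect; as an unprivileged user it still writes the key but leaves ownership to you, which sshd on the target will reject. After the volume is back on the locked instance, the first boot takes longer because of the relabel, and `sshd -t` on the instance will confirm the edited configuration parses before you rely on password login.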
📝 Key Notes
- The Console Connection method is the least invasive: it doesn't require stopping or detaching volumes, only a reboot into maintenance mode.
- Whoever can create a console connection and reboot the instance can do exactly this, so the IAM permissions for console connections are effectively root on the instance. Delete the console connection when you are done.
- If you enabled password authentication, switch it back off (PasswordAuthentication no, then reload sshd) as soon as key-based login works again.
- If using the helper instance method, unmount and detach the volume cleanly before reattaching it as the boot volume, and detach it from the helper as soon as the edit is done.
- Always test SSH with the new key after modification, from a second session, before closing the one you recovered with.
✅ Summary
We have regained access to a locked OCI instance after both the SSH key pair was lost and password authentication had never been enabled, either by booting into maintenance mode over the serial console or by editing the boot volume offline from a helper instance.