Get Rewarded! We will reward you with up to €50 credit on your account for every tutorial that you write and we publish!

How to login to your Hetzner instance with an SSH Key

profile picture
Author
Helmer Barcos
Published
2021-08-10
Time to read
7 minutes reading time

About the author- Full Stack Software Developer

Introduction

In order to access your Hetzner instance from your local computer in a safe way, it is recommended to make use of an SSH Key. In this tutorial I will guide you how to setup the secure login with your SSH Key on a new Hetzner instance.

Passwords are often very weak. If you increase the password strength, it gets very difficult to remember the password and the use of a password manager is unavoidable. SSH keys also benefit from their length. They can be as long as 4096 bits. You also can use different algorithms like ECC (Elliptic Curve Cryptography) using the standard ed25519. In this tutorial we will use rsa which is good enough and has higher compatibility with a lot of applications.

Prerequisites

  • A Hetzner Cloud Account
  • Permissions for creating a Hetzner Project and a Hetzner instance
  • ssh-keygen, cat and nano installed on your local computer

Step 1 - Create your local SSH Key

  • You need to create an SSH Key on your local machine. It is recommended to add a comment at the end in order to identify the SSH Key in the future. Some information about the computer itself should be useful. For example SSH-Key - MacbookPro 13 Inch - example@example.com
ssh-keygen -t rsa -b 4096 -C "some comment here"
  • Then you will be asked for the filename/location of the RSA Key. You could just hit enter in order to leave the default name ('id_rsa') and location (/home/user/.ssh/). If you want to name the file to be able to distinguish between multiple keys for multiple different servers, you can enter /home/user/.ssh/server01 where you replace user with your username

  • Then you should set your own passphrase for adding more security to the server. There are many tutorials on Youtube and the whole internet, where adding a passphrase is just omitted or not recommended. We strongly recommend to set a passphrase in order to set up a secure instance. This passphrase will protect the private key, so no one can access the server even if he has access to your computer. You can configure your ssh client to communicate to keypass, to avoid entering the password every time, but understand, that typically keypass is active all the time, so direct access to your logged in session would not prevent unpermitted access to the server in that case. Yet it protects anyone from copying the file and using it on another computer. By default this command will create a public and a private Key named id_rsa.pub and id_rsa respectively and they will be saved on the path ~/.ssh/. The file id_rsa.pub is the public key the server needs to authenticate the user and the file id_rsa is your private key that no one should have access to except for you, especially if you skip the step of setting up a passphrase

Step 2 - Add the SSH Key to your Hetzner Cloud Console

In this step it is important to clarify that the SSH keys are not shared between Hetzner projects. That means that you need to repeat this step with the same key or different keys for each new project.

  • Select one project or create a new one
  • On left side menu of your project select the Security menu
  • Click on the Add SSH Key button
  • On your local machine execute the command cat /home/user/.ssh/id_rsa.pub to see the content of your file or open it in the editor
  • Copy the content of your id_rsa.pubfile from your local machine to the clipboard by selecting the output and using <ctrl>+<shift>+c
  • Paste the SSH Key in the marked area on your hetzner account
  • Add a name for the SSH Key in order to identify it on the Hetzner Cloud Console or leave the automatically generated name based on the key comment
  • That's it. This specific SSH Key is ready to be used every time you create a new instance for this specific project

Step 3 - Create a Hetzner instance with the added SSH Key on the Cloud Console

  • On left side menu of the project where you added the SSH Key in previous step select the Servers menu
  • Click on the Add Server button
  • Select a Location, an Ubuntu:20.04 Image, a Standard Local (NVMe SSD) Storage Type, an Instance Type and other desired configurations
  • On the SSH Key field make sure you click the suggested SSH Key that you added on the previous step. The key field should get highlighted
  • Create the Instance by clicking CREATE & BUY NOW

Step 4 - Test the login with the SSH Key from your local computer

  • Copy the IP address of the Hetzner instance
  • On your local computer start the login. Replace the xxx.xxx.xxx.xxx with the IP address of the created Hetzner Instance
ssh root@xxx.xxx.xxx.xxx
  • Type yes in order to add the fingerprint to the known_host
  • Enter the passphrase you set for the SSH Key
  • And that's it. The process was successful if you see the welcome message of the Ubuntu Hetzner instance

Step 5 - Add an SSH key to an already created server

If you created your server prior to adding the SSH key, you cannot assign it to your server. If there are no valuable data on it, it is best to just delete the server and create a new instance.

If you are already running a production environment this will not work obviously.

It is best to try this on a new server first, to not cut the SSH connection to a production environment. Since this will only take a few minutes, you can quickly setup a server with debian and have at worst a few cents of cost. So create a new server with no SSH key and follow these steps.

  • Copy the content of your public key file using cat /home/user/.ssh/id_rsa.pub, selecting the output and using <ctrl>+<shift>+c
  • Log into your server using ssh root@server_ip
  • Write the key to the server:
    • For root user enter the command: echo "keyfile_content" >> /root/.ssh/authorized_keys
    • For any other user enter the command: echo "keyfile_content" >> /home/user/.ssh/authorized_keys
    • Replace keyfile_content with <ctrl>+<shift>+v to insert it between the 2 quotes
    • Replace user with the username
  • Open the ssh config using nano /etc/ssh/sshd_config. You can replace nano with the editor of your choice, if installed.
  • Find a line with PermitRootLogin and replace it exactly with PermitRootLogin prohibit-password, if you want to disable password login. This will disable the ability to use insecure passwords and only accepts your ssh keys
  • execute systemctl restart sshd to reload your SSH deamon to activate the new configs
  • exit the SSH session and try to access it without a password. If you specified a passphrase to protect your local private key, you need to still insert the passphrase

If you followed these steps carefully and everything is working as intended, you can now proceed with your production server and delete the test server again.

Conclusion

You can now login to your Hetzner instance with a secure method.

License: MIT
Want to contribute?

Get Rewarded: Get up to €50 in credit! Be a part of the community and contribute. Do it for the money. Do it for the bragging rights. And do it to teach others!

Report Issue
Try Hetzner Cloud

Get 20€ free credit!

Valid until: 31 December 2024 Valid for: 3 months and only for new customers
Get started
Want to contribute?

Get Rewarded: Get up to €50 credit on your account for every tutorial you write and we publish!

Find out more