Introduction
In order to access your Hetzner instance from your local computer in a safe way, it is recommended to make use of an SSH Key. In this tutorial I will guide you how to setup the secure login with your SSH Key on a new Hetzner instance.
Passwords are often very weak. If you increase the password strength, it gets very difficult to remember the password and the use of a password manager is unavoidable. SSH keys also benefit from their length. They can be as long as 4096 bits. You also can use different algorithms like ECC (Elliptic Curve Cryptography) using the standard ed25519
. In this tutorial we will use rsa
which is good enough and has higher compatibility with a lot of applications.
Prerequisites
- A Hetzner Cloud Account
- Permissions for creating a Hetzner Project and a Hetzner instance
- ssh-keygen, cat and nano installed on your local computer
Step 1 - Create your local SSH Key
- You need to create an SSH Key on your local machine. It is recommended to add a comment at the end in order to identify the SSH Key in the future. Some information about the computer itself should be useful. For example
SSH-Key - MacbookPro 13 Inch - example@example.com
ssh-keygen -t rsa -b 4096 -C "some comment here"
-
Then you will be asked for the filename/location of the RSA Key. You could just hit enter in order to leave the default name ('id_rsa') and location (
/home/user/.ssh/
). If you want to name the file to be able to distinguish between multiple keys for multiple different servers, you can enter/home/user/.ssh/server01
where you replaceuser
with yourusername
-
Then you should set your own passphrase for adding more security to the server. There are many tutorials on Youtube and the whole internet, where adding a passphrase is just omitted or not recommended. We strongly recommend to set a passphrase in order to set up a secure instance. This passphrase will protect the private key, so no one can access the server even if he has access to your computer. You can configure your ssh client to communicate to keypass, to avoid entering the password every time, but understand, that typically keypass is active all the time, so direct access to your logged in session would not prevent unpermitted access to the server in that case. Yet it protects anyone from copying the file and using it on another computer. By default this command will create a public and a private Key named
id_rsa.pub
andid_rsa
respectively and they will be saved on the path~/.ssh/
. The fileid_rsa.pub
is the public key the server needs to authenticate the user and the fileid_rsa
is your private key that no one should have access to except for you, especially if you skip the step of setting up a passphrase
Step 2 - Add the SSH Key to your Hetzner Cloud Console
In this step it is important to clarify that the SSH keys are not shared between Hetzner projects. That means that you need to repeat this step with the same key or different keys for each new project.
- Select one project or create a new one
- On left side menu of your project select the
Security
menu - Click on the
Add SSH Key
button - On your local machine execute the command
cat /home/user/.ssh/id_rsa.pub
to see the content of your file or open it in the editor - Copy the content of your
id_rsa.pub
file from your local machine to the clipboard by selecting the output and using<ctrl>+<shift>+c
- Paste the SSH Key in the marked area on your hetzner account
- Add a name for the SSH Key in order to identify it on the Hetzner Cloud Console or leave the automatically generated name based on the key comment
- That's it. This specific SSH Key is ready to be used every time you create a new instance for this specific project
Step 3 - Create a Hetzner instance with the added SSH Key on the Cloud Console
- On left side menu of the project where you added the SSH Key in previous step select the
Servers
menu - Click on the
Add Server
button - Select a
Location
, anUbuntu:20.04 Image
, aStandard Local (NVMe SSD) Storage Type
, anInstance Type
and other desired configurations - On the
SSH Key
field make sure you click the suggested SSH Key that you added on the previous step. The key field should get highlighted - Create the Instance by clicking
CREATE & BUY NOW
Step 4 - Test the login with the SSH Key from your local computer
- Copy the IP address of the Hetzner instance
- On your local computer start the login. Replace the xxx.xxx.xxx.xxx with the IP address of the created Hetzner Instance
ssh root@xxx.xxx.xxx.xxx
- Type
yes
in order to add the fingerprint to the known_host - Enter the passphrase you set for the SSH Key
- And that's it. The process was successful if you see the welcome message of the Ubuntu Hetzner instance
Step 5 - Add an SSH key to an already created server
If you created your server prior to adding the SSH key, you cannot assign it to your server. If there are no valuable data on it, it is best to just delete the server and create a new instance.
If you are already running a production environment this will not work obviously.
It is best to try this on a new server first, to not cut the SSH connection to a production environment. Since this will only take a few minutes, you can quickly setup a server with debian and have at worst a few cents of cost. So create a new server with no SSH key and follow these steps.
- Copy the content of your public key file using
cat /home/user/.ssh/id_rsa.pub
, selecting the output and using<ctrl>+<shift>+c
- Log into your server using
ssh root@server_ip
- Write the key to the server:
- For root user enter the command:
echo "keyfile_content" >> /root/.ssh/authorized_keys
- For any other user enter the command:
echo "keyfile_content" >> /home/user/.ssh/authorized_keys
- Replace
keyfile_content
with<ctrl>+<shift>+v
to insert it between the 2 quotes - Replace
user
with the username
- For root user enter the command:
- Open the ssh config using
nano /etc/ssh/sshd_config
. You can replacenano
with the editor of your choice, if installed. - Find a line with
PermitRootLogin
and replace it exactly withPermitRootLogin prohibit-password
, if you want to disable password login. This will disable the ability to use insecure passwords and only accepts your ssh keys - execute
systemctl restart sshd
to reload your SSH deamon to activate the new configs - exit the SSH session and try to access it without a password. If you specified a passphrase to protect your local private key, you need to still insert the passphrase
If you followed these steps carefully and everything is working as intended, you can now proceed with your production server and delete the test server again.
Conclusion
You can now login to your Hetzner instance with a secure method.