
Commit

Update tutorial
svenja11 committed Aug 21, 2024
1 parent d1ae0ca commit 7e5ea89
Showing 1 changed file with 59 additions and 39 deletions.
98 changes: 59 additions & 39 deletions tutorials/add-ssh-key-to-your-hetzner-cloud/01.en.md
Expand Up @@ -2,13 +2,13 @@
SPDX-License-Identifier: MIT
path: "/tutorials/add-ssh-key-to-your-hetzner-cloud"
slug: "add-ssh-key-to-your-hetzner-cloud"
date: "2021-08-10"
date: "2024-08-21"
title: "How to login to your Hetzner instance with an SSH Key"
short_description: "In this tutorial I will show you how to login to your Hetzner instance with an SSH Key"
tags: ["SSH", "ssh-keygen"]
author: "Helmer Barcos"
author_link: "https://github.com/hlbp"
author_img: "https://avatars.githubusercontent.com/u/33654444?v=4"
author_img: "https://avatars.githubusercontent.com/u/33654444"
author_description: "Full Stack Software Developer"
language: "en"
available_languages: ["en"]
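Review bot: bumping `date` to 2024-08-21 is consistent with the body changes, but the `title` and `short_description` lines left unchanged in this hunk still use "login" as a verb ("How to login to your Hetzner instance"); "log in to" is the correct form, and the body of this same commit already uses "Log into your server". Dropping the `?v=4` query string from `author_img` is harmless.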
Expand All @@ -18,81 +18,101 @@ cta: "cloud"

## Introduction

In order to access your Hetzner instance from your local computer in a safe way, it is recommended to make use of an SSH Key. In this tutorial I will guide you how to setup the secure login with your SSH Key on a new Hetzner instance.
In order to access your Hetzner instance from your local computer in a safe way, it is recommended to make use of an SSH Key. In this tutorial, I will guide you how to setup the secure login with your SSH Key on a new Hetzner instance.

Passwords are often very weak. If you increase the password strength, it gets very difficult to remember the password and the use of a password manager is unavoidable. SSH keys also benefit from their length. They can be as long as 4096 bits. You also can use different algorithms like ECC (Elliptic Curve Cryptography) using the standard `ed25519`. In this tutorial we will use `rsa` which is good enough and has higher compatibility with a lot of applications.
Passwords are often very weak. If you increase the password strength, it gets very difficult to remember the password and the use of a password manager is unavoidable. SSH keys also benefit from their length. They can be as long as 4096 bits. You can also use different algorithms like ECC (Elliptic Curve Cryptography) using the standard `ed25519`, which we will also use in this tutorial.

**Prerequisites**

- A Hetzner Cloud Account
- Permissions for creating a Hetzner Project and a Hetzner instance
- ssh-keygen, cat and nano installed on your local computer
- `ssh-keygen`, `cat` and `nano` installed on your local computer

## Step 1 - Create your local SSH Key

- You need to create an SSH Key on your local machine. It is recommended to add a comment at the end in order to identify the SSH Key in the future. Some information about the computer itself should be useful. For example `SSH-Key - MacbookPro 13 Inch - [email protected]`
- You need to create an SSH Key on your local machine. It is recommended to add a comment at the end in order to identify the SSH Key in the future. Some information about the computer itself could be useful. For example: `SSH-Key - MacbookPro 13 Inch - [email protected]`

```bash
ssh-keygen -t ed25519 -C "some comment here"
```

```bash
ssh-keygen -t rsa -b 4096 -C "some comment here"
```
- Then you will be asked for the filename/location of the SSH key. You could just hit enter in order to leave the default name (`ed25519`) and location (`/home/user/.ssh/`). If you want to name the file to be able to distinguish between multiple keys for multiple different servers, you can enter `/home/user/.ssh/server01` where you replace `user` with your `username`

- Then you will be asked for the filename/location of the RSA Key. You could just hit enter in order to leave the default name ('id_rsa') and location (`/home/user/.ssh/`). If you want to name the file to be able to distinguish between multiple keys for multiple different servers, you can enter `/home/user/.ssh/server01` where you replace `user` with your `username`

- Then you should set your own [passphrase](https://www.ssh.com/academy/ssh/passphrase) for adding more security to the server. There are many tutorials on Youtube and the whole internet, where adding a passphrase is just omitted or not recommended. **We strongly recommend to set a passphrase in order to set up a secure instance**. This passphrase will protect the private key, so no one can access the server even if he has access to your computer. You can configure your ssh client to communicate to keypass, to avoid entering the password every time, but understand, that typically keypass is active all the time, so direct access to your logged in session would not prevent unpermitted access to the server in that case. Yet it protects anyone from copying the file and using it on another computer. By default this command will create a public and a private Key named `id_rsa.pub` and `id_rsa` respectively and they will be saved on the path `~/.ssh/`. The file `id_rsa.pub` is the public key the server needs to authenticate the user and the file `id_rsa` is your private key that no one should have access to except for you, especially if you skip the step of setting up a passphrase
- Then you should set your own [passphrase](https://www.ssh.com/academy/ssh/passphrase) for adding more security to the server. There are many tutorials on YouTube and the whole internet, where adding a passphrase is just omitted or not recommended. **We strongly recommend to set a passphrase in order to set up a secure instance**. This passphrase will protect the private key, so no one can access the server even if they have access to your computer. You can configure your SSH client to communicate to keypass, to avoid entering the password every time, but understand, that typically keypass is active all the time, so direct access to your logged-in session would not prevent unpermitted access to the server in that case. Yet it protects anyone from copying the file and using it on another computer. By default, this command will create a public and a private key named `id_ed25519.pub` and `id_ed25519` respectively and they will be saved on the path `~/.ssh/`. The file `id_ed25519.pub` is the public key the server needs to authenticate the user and the file `id_ed25519` is your private key that no one should have access to except for you, especially if you skip the step of setting up a passphrase.

## Step 2 - Add the SSH Key to your Hetzner Cloud Console

In this step it is important to clarify that the SSH keys are not shared between Hetzner projects. That means that you need to repeat this step with the same key or different keys for each new project.

- Select one project or create a new one
- On left side menu of your project select the `Security` menu
- On left side menu of your project, select the `Security` menu item
- Click on the `Add SSH Key` button
- On your local machine execute the command `cat /home/user/.ssh/id_rsa.pub` to see the content of your file or open it in the editor
- Copy the content of your `id_rsa.pub`file from your local machine to the clipboard by selecting the output and using `<ctrl>+<shift>+c`
- Paste the SSH Key in the marked area on your hetzner account
- On your local machine execute the command `cat /home/user/.ssh/id_ed25519.pub` to see the content of your file or open it in the editor
- Copy the content of your `id_ed25519.pub`file from your local machine to the clipboard by selecting the output and using `ctrl`+`shift`+`c`
- Paste the SSH Key in the marked area on your Hetzner account
- Add a name for the SSH Key in order to identify it on the Hetzner Cloud Console or leave the automatically generated name based on the key comment
- That's it. This specific SSH Key is ready to be used every time you create a new instance for this specific project

## Step 3 - Create a Hetzner instance with the added SSH Key on the Cloud Console

- On left side menu of the project where you added the SSH Key in previous step select the `Servers` menu
- On left side menu of the project where you added the SSH Key in the previous step, select the `Servers` menu item
- Click on the `Add Server` button
- Select a `Location`, an `Ubuntu:20.04 Image`, a `Standard Local (NVMe SSD) Storage Type`, an `Instance Type` and other desired configurations
- Select a location, an operating system, a type, and other desired configurations
- On the `SSH Key` field make sure you click the suggested SSH Key that you added on the previous step. The key field should get highlighted
- Create the Instance by clicking `CREATE & BUY NOW`

## Step 4 - Test the login with the SSH Key from your local computer

- Copy the IP address of the Hetzner instance
- On your local computer start the login. Replace the xxx.xxx.xxx.xxx with the IP address of the created Hetzner Instance

```bash
ssh [email protected]
```

- Type `yes` in order to add the fingerprint to the known_host
- On your local computer start the login. Replace `xxx.xxx.xxx.xxx` with the IP address of the created Hetzner Instance
```bash
ssh [email protected]
```
- Type `yes` in order to add the fingerprint to the `known_host` file
- Enter the passphrase you set for the SSH Key
- And that's it. The process was successful if you see the welcome message of the Ubuntu Hetzner instance

## Step 5 - Add an SSH key to an already created server

If you created your server prior to adding the SSH key, you cannot assign it to your server. If there are no valuable data on it, it is best to just delete the server and create a new instance.

If you are already running a production environment this will not work obviously.
If you created your server prior to adding the SSH key, you cannot assign it to your server via Cloud Console.

It is best to try this on a new server first, to not cut the SSH connection to a production environment. Since this will only take a few minutes, you can quickly setup a server with debian and have at worst a few cents of cost. So create a new server with no SSH key and follow these steps.
It is best to try this on a new server first, to not cut the SSH connection to a production environment. Since this will only take a few minutes, you can quickly setup a server and have at worst a few cents of cost. So create a new server with no SSH key and follow these steps.

- Copy the content of your public key file using `cat /home/user/.ssh/id_rsa.pub`, selecting the output and using `<ctrl>+<shift>+c`
- Log into your server using `ssh root@server_ip`
- View the content of your public key file using:
```bash
cat /home/user/.ssh/id_ed25519.pub
```
Select the output using `ctrl`+`shift`+`c`
- Log into your server using:
```bash
ssh root@server_ip
```
- Write the key to the server:
- For root user enter the command: `echo "keyfile_content" >> /root/.ssh/authorized_keys`
- For any other user enter the command: `echo "keyfile_content" >> /home/user/.ssh/authorized_keys`
- Replace `keyfile_content` with `<ctrl>+<shift>+v` to insert it between the 2 quotes
- Replace `user` with the username
- Open the ssh config using `nano /etc/ssh/sshd_config`. You can replace `nano` with the editor of your choice, if installed.
- Find a line with `PermitRootLogin` and replace it **exactly** with `PermitRootLogin prohibit-password`, if you want to disable password login. This will disable the ability to use insecure passwords and only accepts your ssh keys
- execute `systemctl restart sshd` to reload your SSH deamon to activate the new configs
- exit the SSH session and try to access it without a password. If you specified a passphrase to protect your local private key, you need to still insert the passphrase
- As root user:
```bash
echo "keyfile_content" >> /root/.ssh/authorized_keys
```
- As any other user:
```bash
echo "keyfile_content" >> /home/user/.ssh/authorized_keys
```
Replace `keyfile_content` with the content of `id_ed25519.pub` you just copied
Replace `user` with the username
- Open the ssh config using:
```bash
nano /etc/ssh/sshd_config
```
You can replace `nano` with the editor of your choice, if installed.
- If you want to disable password login, find a line with `PermitRootLogin` and replace it **exactly** with:
```config
PermitRootLogin prohibit-password
```
This will disable the ability to use insecure passwords and only accepts your SSH keys
- To reload your SSH deamon to activate the new configs, execute:
```bash
systemctl restart sshd
```
- Exit the SSH session and try to access it without a password. If you specified a passphrase to protect your local private key, you need to still insert the passphrase

If you followed these steps carefully and everything is working as intended, you can now proceed with your production server and delete the test server again.
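Review bot: the `PermitRootLogin prohibit-password` line near the end of Step 5 only disables password login for root, so the sentence "This will disable the ability to use insecure passwords and only accepts your SSH keys" overstates it: the non-root user the same step adds a key for (`/home/user/.ssh/authorized_keys`) can still log in with a password until `PasswordAuthentication no` is also set in `/etc/ssh/sshd_config`. Suggest adding that directive next to `PermitRootLogin prohibit-password`, or rewording the sentence to say it covers root only. Smaller points in the same hunk: Step 1 now says the default file name is `ed25519`, while the passphrase paragraph correctly uses `id_ed25519` / `id_ed25519.pub`; the sentence "They can be as long as 4096 bits" in the introduction describes RSA keys and no longer matches the `ed25519` key the tutorial now generates; the `echo ... >> /home/user/.ssh/authorized_keys` command assumes `~/.ssh` already exists for that user, so a `mkdir -p` with mode 700 plus `chmod 600` on `authorized_keys` would avoid both a silent failure and sshd's `StrictModes` rejection of a world-readable key file; `known_host` should read `known_hosts`; "deamon" should read "daemon"; and running `sshd -t` before `systemctl restart sshd` catches a typo in the config before the restart locks you out of the test server.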


0 comments on commit 7e5ea89
