How to log in to your Hetzner instance with an SSH key


Introduction

To access your Hetzner instance securely from your local computer, use an SSH key instead of a password. This tutorial shows how to set up key-based login on a new Hetzner instance, and how to add a key to an instance that was created without one.

Passwords are often weak, and a password strong enough to resist guessing is hard to remember without a password manager. An SSH key has no such trade-off: the secret is a random key that is never typed and never sent to the server. RSA keys are commonly 3072 or 4096 bits; elliptic-curve keys such as Ed25519 (the algorithm used in this tutorial) are only 256 bits but give comparable security with smaller keys and faster operations.

Prerequisites
  • A Hetzner cloud account
  • Permissions to create a Hetzner project and a Hetzner instance
  • An OpenSSH client (ssh and ssh-keygen) and cat on your local computer, and nano or another editor on the server

Step 1 – Create your local SSH key

You need to create an SSH key on your local machine. It is recommended to add a comment at the end to identify the SSH key in the future. Some information about the computer itself can be useful. For example:

SSH-Key - MacbookPro 13 Inch - [email protected]

ssh-keygen -t ed25519 -C "some comment here"

You will then be asked for the key file name and location. To keep the default name (id_ed25519) and location (/home/user/.ssh/), just press Enter. If you want to name the file so that you can distinguish between multiple keys for multiple servers, enter a path such as /home/user/.ssh/server01, replacing user with your username; you will later pass that path to ssh with -i.

Next you are asked for a passphrase. Many tutorials on YouTube and elsewhere skip this step or advise against it; we strongly recommend setting one. The passphrase encrypts the private key on disk, so a copy of the file alone (from a stolen laptop, a backup, or another account on your computer) is not enough to log in to the server.

You can let an SSH agent (ssh-agent, or a password manager such as KeePassXC that feeds keys to it) hold the decrypted key so that you only type the passphrase once per session. Be aware that the agent keeps the decrypted key in memory for as long as it runs, so anyone with access to your logged-in session can use the key during that time. The passphrase still protects against someone copying the file and using it on another computer.

By default ssh-keygen writes two files to the ~/.ssh/ directory: id_ed25519.pub is the public key, which is what the server needs to authenticate you, and id_ed25519 is your private key, which no one but you should be able to read, especially if you skipped the passphrase. The directory should have mode 0700 and the private key 0600; ssh refuses to use a private key that is readable by others.

Step 2 – Add the SSH key to your Hetzner Cloud Console

At this point it is important to clarify that SSH keys are not shared between Hetzner projects. This means you will need to repeat this step with the same key or different keys for each new project.

  • Select a project or create a new one.
  • In the left menu of your project, select the Security menu item.
  • Click the Add SSH Key button.
  • On your local machine, run the command cat /home/user/.ssh/id_ed25519.pub to see the contents of your file or open it in an editor.
  • Copy the contents of your id_ed25519.pub file from your local device to the clipboard by selecting the output and pressing ctrl+shift+c.
  • Place the SSH key in the designated field in your Hetzner account
  • Add a name for the SSH key to identify it in the Hetzner Cloud Console or leave the automatically generated name based on the key's name.
  • That's it. This specific SSH key is ready to use every time you create a new instance for this specific project.

Step 3 – Create a Hetzner instance with the SSH key added in the Cloud Console

  • In the left menu of the project where you added the SSH key in the previous step, select the Servers menu item.
  • Click on the Add Server button.
  • Choose a location, an operating system, a type, and other desired settings.
  • In the SSH Key section, make sure to click on the suggested SSH key you added in the previous step. The Key field should be highlighted.
  • Create the server by clicking Create and Buy.

Step 4 – Test login with SSH key from your local computer

  • Copy the IP address of the Hetzner instance from the Cloud Console.
  • From your local computer, connect with ssh root@xxx.xxx.xxx.xxx, replacing xxx.xxx.xxx.xxx with the IP address of the instance you created. If you saved the key under a different name, add -i /home/user/.ssh/server01.
  • On the first connection ssh shows the server's host key fingerprint and asks whether to continue. Type yes to store it in ~/.ssh/known_hosts. Ideally compare it first with the fingerprints that cloud-init prints to the server console at first boot, which you can read through the server's web console in the Cloud Console; a mismatch means you are not talking to your server.
  • Enter the passphrase you set for the SSH key.
  • If you see the Ubuntu welcome message, the login worked.

Step 5 – Add an SSH key to a previously created server

If you created your server before adding the SSH key, you cannot assign the key to that server through the Cloud Console afterwards; the key has to be added on the server itself.

Try this on a new server first so that you don't lose SSH connectivity to a production environment. It only takes a few minutes, and a short-lived server costs a few cents at most. So create a new server without an SSH key and follow these steps.

Print the contents of your public key file using:

cat /home/user/.ssh/id_ed25519.pub

Select the output and copy it with ctrl+shift+c.

Log in to your server using:

ssh root@server_ip

Append the public key to the authorized_keys file on the server:

  • As root user:
echo "keyfile_content" >> /root/.ssh/authorized_keys
  • Like any other user:
echo "keyfile_content" >> /home/user/.ssh/authorized_keys

Replace keyfile_content with the content of id_ed25519.pub that you just copied, and user with the username. For a non-root user the ~/.ssh directory must already exist, be owned by that user and have mode 0700, with authorized_keys at mode 0600; with the default StrictModes setting sshd silently ignores the file if these modes are more permissive, and the server keeps asking for a password.

Then open the SSH daemon configuration on the server:

nano /etc/ssh/sshd_config

If installed, you can replace nano with your preferred editor.

To disable password login for root, find the line with PermitRootLogin and change it to exactly:

PermitRootLogin prohibit-password

This makes sshd refuse password authentication for root and accept only your SSH keys. Note that it only affects root; to disable password login for every user, also set PasswordAuthentication no (and KbdInteractiveAuthentication no on newer OpenSSH releases). On Ubuntu, check /etc/ssh/sshd_config.d/ for drop-in files that set the same options: sshd uses the first value it reads for an option, and the Include line at the top of sshd_config pulls those files in before your edit.

Check the configuration for syntax errors first (no output means no errors), then restart the SSH daemon to activate the new settings:

sshd -t

systemctl restart sshd

Keep this session open and, from a second terminal, try logging in again without a password. If you set a passphrase on your local private key, you will still be asked for the passphrase. If the key login fails, you can still repair the configuration from the session that is still open.
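As an added example (not code from the original tutorial), the work of Step 5 as a few POSIX shell functions you can dry-run in a temporary directory before touching a real server: install a public key idempotently with the file modes sshd requires, refuse anything that does not look like a public key, and read back the effective value of an sshd_config option across several files in the order sshd reads them. The key line and the file names in the usage comments are constructed placeholders; the cloud-init drop-in path is the Ubuntu convention and an assumption about your image.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. All paths are passed in,
# so the functions can be exercised against a temporary directory.

# Accept only lines that look like an OpenSSH public key: key type, base64
# blob, optional comment. Rejects accidental pastes of a private key file.
looks_like_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) if missing and
# appends the key exactly once. With the default StrictModes, sshd ignores
# the file when these modes are too open, which is the usual reason a server
# "still asks for a password" after a manual echo >>.
# Prints "added" or "present".
install_authorized_key() {
    _home="$1"; _key="$2"
    looks_like_pubkey "$_key" || { echo "refusing: not a public key line" >&2; return 1; }
    _dir="$_home/.ssh"; _ak="$_dir/authorized_keys"
    mkdir -p "$_dir" && chmod 700 "$_dir"
    [ -f "$_ak" ] || : > "$_ak"
    chmod 600 "$_ak"
    if grep -qxF -- "$_key" "$_ak"; then
        echo present
    else
        printf '%s\n' "$_key" >> "$_ak"
        echo added
    fi
}

# effective_sshd_option OPTION FILE...
# sshd uses the first value it reads for an option, so pass the files in the
# order sshd reads them (on Ubuntu: /etc/ssh/sshd_config.d/*.conf first,
# because of the Include at the top of sshd_config, then sshd_config itself).
# Prints the value, or "default" if no file sets it. Comment and blank lines
# are skipped; scanning stops at the first Match block, whose settings are
# conditional. Keyword=value syntax is not handled.
effective_sshd_option() {
    _opt="$1"; shift
    awk -v opt="$_opt" '
        /^[ \t]*#/ || NF == 0   { next }
        tolower($1) == "match"  { exit }
        tolower($1) == tolower(opt) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$@"
}

# password_login_disabled FILE...  -> exit 0 if password logins are off for
# all users, i.e. the effective PasswordAuthentication value is "no".
password_login_disabled() {
    [ "$(effective_sshd_option PasswordAuthentication "$@")" = no ]
}

# Usage on a real host (as root, with the copied key line in $KEY; the
# drop-in path is an assumption about the image):
#   install_authorized_key /home/user "$KEY"
#   effective_sshd_option PermitRootLogin /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config
#   password_login_disabled /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config && echo ok
#   sshd -t && systemctl restart sshd
```

The config reader deliberately takes the drop-in files before sshd_config: if a cloud-init drop-in sets PasswordAuthentication, that value wins over the line you edited in sshd_config, and the function shows you the value sshd will actually use.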

If you followed these steps carefully and everything is working as planned, you can now continue with your production server and delete the test server again.

Result

You can now log in to your Hetzner instance in a secure way.
