Introduction
This article will help you to set up, configure, and use the remote access protocol "SSH" in combination with your Hetzner product(s).
What is SSH?
SSH is a fully encrypted protocol that allows remote access to the shell of UNIX-based systems (such as Linux, BSD and MacOS). In addition, the protocol's applications include key-based authentication, file transfers and traffic tunneling.
How do I get an SSH server?
Hetzner products with SSH access:
- limited access
  - webhosting (for managing and editing web files and scripts)
    - Level 9
    - Level 19
  - Storage Boxes (non-interactive, only for SCP and Rsync)
  - managed servers (custom software installation/configuration and file management)
- full root access
  - dedicated root servers
  - cloud servers
An SSH server is already included in our standard images, which are available as automatic installations via Robot. Alternatively, you can install a customized system using the Installimage script in the Rescue System. Once the installation has finished, you can connect to the installed system via SSH.
If you installed the operating system yourself, you'll probably need to install an SSH service afterwards:
Operating System | Installation |
---|---|
Debian/Ubuntu | apt install openssh-server |
CentOS/RHEL | yum install openssh-server |
SuSE | zypper in openssh |
Arch Linux | pacman -S openssh |
Gentoo | emerge -av openssh |
Windows | Microsoft documentation |
MacOS | systemsetup -setremotelogin on |
In certain cases, you need to start the service manually after installation. If you use a firewall, you need to open port 22 for SSH.
How do I get an SSH client?
- With Linux, BSD, and MacOS, SSH is generally already pre-installed or can be easily installed by using your distribution's package manager.
- Since Windows does not come with an SSH client, we recommend downloading the tool PuTTY.
Operating System | Installation |
---|---|
Debian/Ubuntu | apt install openssh-client |
CentOS/RHEL | yum install openssh-clients |
SuSE | zypper in openssh |
Arch Linux | pacman -S openssh |
Gentoo | emerge -av openssh |
Windows | PuTTY from greenend.org.uk |
MacOS | available via command line |
How do I use my SSH client to connect to a server?
- If you use a UNIX system (Linux/BSD/MacOS), the following command will establish the SSH connection for you:
ssh <user>@<IP_or_domain>
Enter the corresponding user name (usually "root") for <user> and the IP address or domain of your product for <IP_or_domain>.
- If you are using PuTTY, enter your server's DNS name or its IP address. If necessary, select SSH and port 22 and click on "Open". You will then be asked to enter your user name (usually root) and password. Once you enter these correctly, you will be logged in to the system.
How do I ensure that I am connecting to the right server?
The first time you connect to a server, a message prompts you to examine the "fingerprint" of the server and to confirm it. The fingerprint is a condensed version of the server's public key.
The authenticity of host 'example.com (10.0.0.1)' can't be established.
RSA key fingerprint is SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w.
Are you sure you want to continue connecting (yes/no)?
Depending on which host key type the server presents, the output will look different. In addition to RSA, the key types DSA, ECDSA and ED25519 are all common. However, you should no longer use DSA: it has been disabled by default since OpenSSH 7.0.
With the automatic installation via Robot, the fingerprints are displayed and additionally sent by email. When activating the Rescue System, these fingerprints are also displayed in Robot.
If the following warning appears while you're reconnecting, you should take it seriously:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle
attacks.
Permission denied (publickey,password).
This warning is displayed when the host key of the target system has changed, for example because you booted the Rescue System or installed a new operating system. In this case, simply remove the outdated host key from your local known_hosts file using this command:
ssh-keygen -R <IP_or_domain>
If you have not booted a different operating system (such as the Rescue System) or reinstalled the system on the same IP or domain, you should take the warning about a man-in-the-middle attack seriously. If you suspect a man-in-the-middle attack, interrupt the connection and order a KVM Console so you can check the situation inside the running system.
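The decision described above (compare the fingerprint shown by the client with the one Robot or the installation email gave you, then either accept, run ssh-keygen -R, or stop and investigate) can be automated for the keys already stored in known_hosts. The following script is an added example and not part of the Hetzner article or of OpenSSH; it uses only the Python standard library, and the known_hosts entries and key blobs in it are constructed stand-ins, not real keys. OpenSSH's fingerprint notation (SHA256 as unpadded base64, MD5 as colon-separated hex) is reproduced exactly, so the values it prints can be compared with what Robot displays.

```python
# Added example, not part of the Hetzner article: compute host key
# fingerprints in OpenSSH's notation and compare the key stored in the local
# known_hosts with the fingerprint shown in Robot or sent in the installation
# email, to tell an expected key change (reinstall, Rescue System) from one
# that needs investigation. Only the standard library is used.
import base64
import hashlib


def fingerprints(blob: bytes) -> dict:
    """Fingerprints of a raw key blob exactly as OpenSSH prints them:
    SHA256 as unpadded base64, MD5 as colon-separated hex."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return {
        "SHA256": "SHA256:" + sha,
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts into (hosts, key_type, blob) tuples. The hosts
    field may hold several comma-separated names, "[host]:port" entries or
    hashed "|1|..." entries; those are returned unchanged. Comment lines and
    lines carrying an @cert-authority or @revoked marker are skipped here."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, key_type, b64 = fields[0], fields[1], fields[2]
        entries.append((hosts.split(","), key_type, base64.b64decode(b64)))
    return entries


def check_host(known_hosts: str, host: str, expected: str) -> str:
    """Compare every key stored for `host` with the fingerprint you expect.

    Returns "match" if one stored key has that fingerprint, "mismatch" if
    keys are stored but none matches (stop and investigate, e.g. via the
    KVM Console, unless you know the host was reinstalled), and "unknown"
    if the host is not in known_hosts yet (first connection: compare the
    prompt with Robot before answering yes)."""
    if not expected.startswith(("SHA256:", "MD5:")):
        expected = "MD5:" + expected   # bare hex as printed by older ssh-keygen
    seen = False
    for hosts, _key_type, blob in parse_known_hosts(known_hosts):
        if host in hosts:
            seen = True
            if expected in fingerprints(blob).values():
                return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample data: the blobs are not real keys, only stand-ins with
# valid base64 so that parsing and comparison can be exercised offline.
ED25519_BLOB = b"constructed ed25519 host key blob"
RSA_BLOB = b"constructed rsa host key blob"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# comment lines and blank lines are ignored",
    "",
    "example.com,10.0.0.1 ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode(),
    "example.com,10.0.0.1 ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
    "@revoked other.example ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
])
# In practice this value is copied from Robot or the installation email.
EXPECTED_FROM_ROBOT = fingerprints(ED25519_BLOB)["SHA256"]

if __name__ == "__main__":
    print(check_host(SAMPLE_KNOWN_HOSTS, "example.com", EXPECTED_FROM_ROBOT))
    print(check_host(SAMPLE_KNOWN_HOSTS, "10.0.0.1",
                     "SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w"))
    print(check_host(SAMPLE_KNOWN_HOSTS, "other.example", EXPECTED_FROM_ROBOT))
```

A "mismatch" result corresponds to the REMOTE HOST IDENTIFICATION HAS CHANGED warning: only run ssh-keygen -R when you yourself caused the change (Rescue System, reinstall). If you regenerate host keys on the server (next section), restart sshd afterwards so it loads the new keys; from then on the fingerprints printed by ssh-keygen are the values clients must expect, and clients that still hold the old key will see the warning until they remove it.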
How do I create a new SSH host key?
All host keys are automatically regenerated with an automatic installation via Robot or via the Installimage script in the Rescue System. To replace a key in an installed system, use ssh-keygen. You can find a list of all available keys (ssh_host*) under /etc/ssh/:
ls -l /etc/ssh
total 280
-rw-r--r-- 1 root root 242091 Oct 3 2014 moduli
-rw-r--r-- 1 root root 1689 Oct 17 2014 ssh_config
-rw-r--r-- 1 root root 2530 Dec 30 10:51 sshd_config
-rw------- 1 root root 668 Dec 30 10:44 ssh_host_dsa_key
-rw-r--r-- 1 root root 622 Dec 30 10:44 ssh_host_dsa_key.pub
-rw------- 1 root root 227 Dec 30 10:44 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 194 Dec 30 10:44 ssh_host_ecdsa_key.pub
-rw------- 1 root root 432 Dec 30 10:44 ssh_host_ed25519_key
-rw-r--r-- 1 root root 114 Dec 30 10:44 ssh_host_ed25519_key.pub
-rw------- 1 root root 1675 Dec 30 10:44 ssh_host_rsa_key
-rw-r--r-- 1 root root 414 Dec 30 10:44 ssh_host_rsa_key.pub
For example, to renew the ED25519 key, type the following command:
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Generating public/private ed25519 key pair.
/etc/ssh/ssh_host_ed25519_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
d5:1d:28:01:f7:c5:0f:fb:7b:42:07:08:1f:93:1c:c6 root@your_host
The key's randomart image is:
+--[ED25519 256]--+
| ..o+o=o |
| .o+Eoo. |
| .+o+.+ |
| . o o .|
| S o |
| .o|
| . o|
| o.|
| o|
+-----------------+
How can I transfer files via SSH?
SCP
The protocol for handling the file transfer is called SCP. It uses an underlying SSH connection for fully encrypted authentication and data transfer, so the remote system also needs to run an SSH server.
You can use SCP in connection with many remote file managers, and also on the Linux, BSD or MacOS shell. Simply use the following command syntax to start a file transfer from your system to another one, or to do the reverse:
scp <source> <destination>
To copy a file from System-A to System-B while logged into System-A:
scp /path/to/file holu@System-B:/path/to/destination-file
To copy a file from System-A to System-B while logged into System-B:
scp holu@System-A:/path/to/file /path/to/destination-file
To copy a whole directory recursively (with all files and subdirectories in it), you need to append -rp:
scp -rp holu@System-B:/path/to/folder/ /path/to/destination-folder/
SFTP
The SFTP protocol (Secure File Transfer Protocol) was developed as an alternative to FTPS (TLS-encrypted FTP) and, in comparison, uses only one connection, which is carried inside an encrypted SSH connection. Therefore, an SSH server is required, as with SCP.
You can use SFTP with many remote file managers, and also on the Linux, BSD or MacOS shell. In comparison to SCP, you have to establish the connection first:
sftp <user>@<IP_or_domain>
Once connected, you will see the sftp prompt, from which you can interact with the remote machine:
sftp holu@your_host.example.com
Connected to holu@your_host.example.com.
sftp>
Most SFTP commands are similar to the commands you would use in the Linux shell. The command help or ? shows a list of the available commands:
sftp> help
Available commands:
bye Quit sftp
cd path Change remote directory to 'path'
chgrp grp path Change group of file 'path' to 'grp'
chmod mode path Change permissions of file 'path' to 'mode'
chown own path Change owner of file 'path' to 'own'
df [-hi] [path] Display statistics for current directory or
filesystem containing 'path'
exit Quit sftp
get [-afPpRr] remote [local] Download file
reget [-fPpRr] remote [local] Resume download file
reput [-fPpRr] [local] remote Resume upload file
help Display this help text
lcd path Change local directory to 'path'
lls [ls-options [path]] Display local directory listing
lmkdir path Create local directory
ln [-s] oldpath newpath Link remote file (-s for symlink)
lpwd Print local working directory
ls [-1afhlnrSt] [path] Display remote directory listing
lumask umask Set local umask to 'umask'
mkdir path Create remote directory
progress Toggle display of progress meter
put [-afPpRr] local [remote] Upload file
pwd Display remote working directory
quit Quit sftp
rename oldpath newpath Rename remote file
rm path Delete remote file
rmdir path Remove remote directory
symlink oldpath newpath Symlink remote file
version Show SFTP version
!command Execute 'command' in local shell
! Escape to local shell
? Synonym for help
For more information and examples, please see the SFTP documentation.
How do I use SSH to create a tunnel?
The tunneling feature of the SSH protocol, which many people use to encrypt a data stream (as with SCP and SFTP), is also useful for creating a secure VPN-like connection between two systems. For more information, please see the SSH tunneling documentation.