SSH

Introduction

This article will help you to set up, configure, and use the remote access protocol "SSH" in combination with your Hetzner product(s).

What is SSH?

SSH is a fully encrypted protocol that allows remote access to the shell of UNIX based systems (like Linux, BSD and MacOS). In addition, the protocol's applications include key-based authentication, file transfers and traffic tunneling.

How do I get an SSH server?

Hetzner products with SSH access:

limited access
- webhosting (for managing and editing web files and scripts)
  - Level 9
  - Level 19
- Storage Boxes (non-interactive, only for SCP and Rsync)
- managed servers (custom software installation/configuration and file management)
full root access
- dedicated root servers
- cloud servers

An SSH server is already included in our standard images, which are available as automatic installations via Robot. Or you can get install a customizable one using the Installimage Script in the Rescue System. After the installation has been finished, you can just connect to the installed system via SSH.

If you installed the operating system yourself, you'll probably need to install an SSH service afterwards:

Operating System	Installation
Debian/Ubuntu	`apt install openssh-server`
CentOS/RHEL	`yum install openssh-server`
SuSE	`zypper in openssh`
Arch Linux	`pacman -S openssh`
Gentoo	`emerge -av openssh`
Windows	Microsoft documentation
MacOS	`systemsetup -setremotelogin on`

In certain cases, you need to manually start the service after installation. If you use a firewall, you need to open port 22 for SSH.

How do I get an SSH client?

With Linux, BSD, and MacOS, SSH is generally already pre-installed or can be easily installed by using your distribution's package manager.
Since Windows does not come with an SSH client, we recommend downloading the tool PuTTY.

Operating System	Installation
Debian/Ubuntu	`apt install openssh-client`
CentOS/RHEL	`yum install openssh-clients`
SuSE	`zypper in openssh`
Arch Linux	`pacman -S openssh`
Gentoo	`emerge -av openssh`
Windows	PuTTY from greenend.org.uk
MacOS	available via command line

How do I use my SSH client to connect to a server?

If you use an UNIX system (Linux/BSD/MacOS), the following command will establish the SSH connection for you:
```
ssh <user>@<IP_or_domain>
```
Enter the corresponding user name (usually "root") for <user> and the IP address or domain of your product for <IP_or_domain>.
If you are using PuTTY, enter your DNS server name or its IP address. If necessary, select SSH and Port 22 and click on "Open". Then you will be asked to enter your user name (usually root) and password. Once you enter these correctly, you will be logged in to the system.

How do I ensure that I am connecting to the right server?

The first time you connect to a server, a message prompts you to examine the "fingerprint" of the server and to confirm it. The fingerprint is a condensed version of the server's public key.

The authenticity of host 'example.com (10.0.0.1)' can't be established.
RSA key fingerprint is SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w..
Are you sure you want to continue connecting (yes/no)?

Depending on which key you use for the connection, the output will look different. In addition to RSA, the key types DSA, ECDSA and ED25519 are all common ones. But you should no longer use DSA; by default, it is no longer the default option as of OpenSSH 7.

With the automatic installation via Robot, the fingerprints are displayed and transmitted additionally by email. When activating the Rescue system, these fingerprints are also displayed on Robot.

If the following warning appears while you're reconnecting, you should take it seriously:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle
attacks.
Permission denied (publickey,password).

This warning message is displayed when the fingerprint of the target system changes, for example, when you're booting the Rescue system or installing a new operating system. In this case, just remove the wrong fingerprint locally using this command:

ssh-keygen -R <IP_or_domain>

If you haven't connected to a different operating system on the same IP or domain yet, you should take the warning about a man-in-the-middle attack seriously. If you think there might be a man-in-the-middle attack, you should interrupt the connection and you should order a KVM Console so you can check the situation inside the running system.

How do I create a new SSH host key?

A ll host keys are automatically regenerated with an automatic installation via Robot or via the Installimage Script in the Rescue System. To replace a key in an installed system, use ssh-keygen. You can find a list of all available Keys (ssh_host*) under /etc/ssh/

ls -l /etc/ssh
total 280
-rw-r--r-- 1 root root 242091 Oct  3  2014 moduli
-rw-r--r-- 1 root root   1689 Oct 17  2014 ssh_config
-rw-r--r-- 1 root root   2530 Dec 30 10:51 sshd_config
-rw------- 1 root root    668 Dec 30 10:44 ssh_host_dsa_key
-rw-r--r-- 1 root root    622 Dec 30 10:44 ssh_host_dsa_key.pub
-rw------- 1 root root    227 Dec 30 10:44 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    194 Dec 30 10:44 ssh_host_ecdsa_key.pub
-rw------- 1 root root    432 Dec 30 10:44 ssh_host_ed25519_key
-rw-r--r-- 1 root root    114 Dec 30 10:44 ssh_host_ed25519_key.pub
-rw------- 1 root root   1675 Dec 30 10:44 ssh_host_rsa_key
-rw-r--r-- 1 root root    414 Dec 30 10:44 ssh_host_rsa_key.pub

For example, to renew the ED25519 key, type the following command:

ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N
Generating public/private ed25519 key pair.
/etc/ssh/ssh_host_ed25519_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
d5:1d:28:01:f7:c5:0f:fb:7b:42:07:08:1f:93:1c:c6 root@your_host
The key's randomart image is:
+--[ED25519 256]--+
|        ..o+o=o  |
|         .o+Eoo. |
|          .+o+.+ |
|         .  o o .|
|        S      o |
|               .o|
|              . o|
|               o.|
|                o|
+-----------------+

How can I transfer files via SSH?

SCP

The protocol for handling the file transfer is called SCP. It uses an underlying SSH connection for the fully encrypted authentification and data stream. Hence there also needs to be an SSH server on the opposite system.

You can use SCP in connection with many remote file managers, and also on the Linux, BSD or MacOS shell. Simply use the following command syntax to start a file transfer from your system to another one, or to do the reverse:

scp <source> <destination>

To copy a file from System-A to System-B while logged into System-A:

scp /path/to/file holu@System-B:/path/to/destination-file

To copy a file from System-A to System-B while logged into System-B:

scp holu@System-B:/path/to/file /path/to/destination-file

To copy a whole directory recursively (with all files and subdirectories in it), you need to append -rp:

scp -rp holu@System-B:/path/to/folder/ /path/to/destination-folder/

SFTP

The SFTP protocol (Secure File Transfer Protocol) has been developed as an alternative to FTPS (TLS encrypted FTP), and in comparison, uses only one connection, which is handled by an encrypted SSH connection. Therefore, a SSH server is required, like with SCP.

You can use SFTP with many remote file managers, and also on the Linux, BSD or MacOS shell. In comparison to SCP, you have to establish the connection first:

sftp <user>@<IP_or_domain>

Once connected, you will see the sftp prompt, and using this, you can interact with the remote machine:

sftp holu@your_host.example.com
Connected to holu@your_host.example.com.
sftp>

Most of the SFTP commands are similar to the commands you would use in the Linux shell. By using the command help or ?, you should get a list of available commands:

sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help

For more information and examples, please see the SFTP documentation.

How do I use SSH to create a tunnel?

The tunneling feature of the SSH protocol, which many people use to encrypt a data stream (as with SCP and SFTP), is also useful for creating a secure VPN-like connection between two systems. For more information, please see the SSH tunneling documentation.