This article will help you to set up, configure, and use the remote access protocol "SSH" in combination with your Hetzner product(s).
SSH is a fully encrypted protocol that allows remote access to the shell of UNIX-based systems (like Linux, BSD and MacOS). In addition, the protocol's applications include key-based authentication, file transfers and traffic tunneling.

Hetzner products with SSH access:

- Webhosting (for managing and editing web files and scripts)
  - Level 9
  - Level 19
- Storage Boxes (non-interactive, only for SCP and Rsync)
- Managed servers (custom software installation/configuration and file management)
- Full root access
  - Dedicated root servers
  - Cloud servers
An SSH server is already included in our standard images, which are available as automatic installations via Robot, or you can install a customized one using the Installimage Script in the Rescue System. After the installation has finished, you can connect directly to the installed system via SSH.

If you installed the operating system yourself, you will probably need to install an SSH service afterwards. In certain cases, you need to start the service manually after installation. If you use a firewall, you need to open port 22 for SSH.

- With Linux, BSD, and MacOS, SSH is generally pre-installed or can easily be installed using your distribution's package manager.
- Since Windows does not come with an SSH client, we recommend downloading the tool PuTTY.

| Operating system | SSH client |
|---|---|
| Windows | PuTTY from greenend.org.uk |
| MacOS | available via command line |
If you use a UNIX system (Linux/BSD/MacOS), the following command will establish the SSH connection for you:

Enter the corresponding user name (usually "root") for `<user>` and the IP address or domain of your product for the host part.

- If you are using PuTTY, enter the server's DNS name or its IP address. If necessary, select SSH and port 22 and click "Open". You will then be asked to enter your user name (usually `root`) and password. Once you have entered these correctly, you will be logged in to the system.
The first time you connect to a server, a message prompts you to examine the "fingerprint" of the server and to confirm it. The fingerprint is a condensed version of the server's public key.
```
The authenticity of host 'example.com (10.0.0.1)' can't be established.
RSA key fingerprint is SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w.
Are you sure you want to continue connecting (yes/no)?
```

Depending on which key type the server uses for the connection, the output will look different. In addition to RSA, the key types DSA, ECDSA and ED25519 are all common. DSA should no longer be used, however; it is no longer the default option as of OpenSSH 7.
If the following warning appears while you're reconnecting, you should take it seriously:
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:DlxqI4BctJqAgyCfyExywbm9a7qdL7nqfMKgoQuGp5w.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /home/user/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,password).
```

This warning message is displayed when the fingerprint of the target system changes, for example, when you're booting the Rescue System or installing a new operating system. In this case, just remove the outdated fingerprint locally using this command:

```
ssh-keygen -R <IP_or_domain>
```
If you have not yet connected to a different operating system on the same IP or domain, you should take the warning about a man-in-the-middle attack seriously. If you think there might be a man-in-the-middle attack, interrupt the connection and order a KVM Console so you can check the situation inside the running system.

All host keys are automatically regenerated with an automatic installation via Robot or via the Installimage Script in the Rescue System. To replace a key in an installed system, use `ssh-keygen`. You can find a list of all available keys (ssh_host*) under /etc/ssh/:
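As an added illustration of what the client is doing behind this warning (example code, not part of the Hetzner article): it computes both fingerprint formats that appear in this article from a public key and applies the known_hosts decision, using constructed sample keys and assuming unhashed host names in known_hosts and an expected fingerprint obtained out-of-band (for example via the KVM Console).

```python
# Added example, not from the Hetzner article: OpenSSH-style host key
# fingerprints plus the known_hosts decision behind the warning above.
# Assumes unhashed host names in known_hosts; the expected fingerprint is
# obtained out-of-band (e.g. KVM console). Keys below are constructed samples.
import base64
import hashlib
import struct

def build_pubkey_line(key_type: str, raw_key: bytes) -> str:
    """Encode raw key bytes as an OpenSSH public-key line (constructed data)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return f"{key_type} {base64.b64encode(blob).decode()}"

def key_type_from_blob(b64_blob: str) -> str:
    """Key type embedded in the blob; it must match the leading type word."""
    blob = base64.b64decode(b64_blob)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def fingerprint_sha256(pubkey_line: str) -> str:
    """Fingerprint as ssh prints it: SHA256:<base64 without '=' padding>."""
    key_type, b64_blob = pubkey_line.split()[:2]
    if key_type_from_blob(b64_blob) != key_type:
        raise ValueError("key type word does not match the key blob")
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy colon-separated MD5 form shown by older ssh-keygen output."""
    digest = hashlib.md5(base64.b64decode(pubkey_line.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def check_host_key(host: str, presented: str, known_hosts: str,
                   expected_fp: str) -> str:
    """Classify a presented key: trusted, changed (the warning case),
    new-host-ok or new-host-mismatch (first contact, compared out-of-band)."""
    stored = [ln.split(None, 1)[1] for ln in known_hosts.splitlines()
              if ln.strip() and host in ln.split()[0].split(",")]
    fp = fingerprint_sha256(presented)
    if not stored:
        return "new-host-ok" if fp == expected_fp else "new-host-mismatch"
    return "trusted" if any(fingerprint_sha256(s) == fp for s in stored) else "changed"

# Constructed sample keys: any 32 bytes encode as an ed25519 public key blob.
SERVER_KEY = build_pubkey_line("ssh-ed25519", bytes(range(32)))
REINSTALLED_KEY = build_pubkey_line("ssh-ed25519", bytes(range(32, 64)))
KNOWN_HOSTS = "example.com,10.0.0.1 " + SERVER_KEY + "\n"  # constructed
```

Running `check_host_key("10.0.0.1", REINSTALLED_KEY, KNOWN_HOSTS, "")` reproduces the "changed" situation from the warning above, which is exactly what a reinstall produces until the stale entry is removed with `ssh-keygen -R`.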
```
ls -l /etc/ssh
total 280
-rw-r--r-- 1 root root 242091 Oct  3  2014 moduli
-rw-r--r-- 1 root root   1689 Oct 17  2014 ssh_config
-rw-r--r-- 1 root root   2530 Dec 30 10:51 sshd_config
-rw------- 1 root root    668 Dec 30 10:44 ssh_host_dsa_key
-rw-r--r-- 1 root root    622 Dec 30 10:44 ssh_host_dsa_key.pub
-rw------- 1 root root    227 Dec 30 10:44 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    194 Dec 30 10:44 ssh_host_ecdsa_key.pub
-rw------- 1 root root    432 Dec 30 10:44 ssh_host_ed25519_key
-rw-r--r-- 1 root root    114 Dec 30 10:44 ssh_host_ed25519_key.pub
-rw------- 1 root root   1675 Dec 30 10:44 ssh_host_rsa_key
-rw-r--r-- 1 root root    414 Dec 30 10:44 ssh_host_rsa_key.pub
```
For example, to renew the ED25519 key (with an empty passphrase, as host keys must have), type the following command:

```
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Generating public/private ed25519 key pair.
/etc/ssh/ssh_host_ed25519_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
d5:1d:28:01:f7:c5:0f:fb:7b:42:07:08:1f:93:1c:c6 root@your_host
The key's randomart image is:
+--[ED25519 256]--+
|     ..o+o=o     |
|     .o+Eoo.     |
|      .+o+.+     |
|       . o o    .|
|        S o      |
|               .o|
|              . o|
|               o.|
|                o|
+-----------------+
```

The protocol for handling the file transfer is called SCP. It uses an underlying SSH connection for the fully encrypted authentication and data stream. Hence there also needs to be an SSH server on the opposite system.
You can use SCP in connection with many remote file managers, and also on the Linux, BSD or MacOS shell. Simply use the following command syntax to start a file transfer from your system to another one, or to do the reverse:

```
scp <source> <destination>
```

To copy a local file to System-B while logged in to your own system:

```
scp /path/to/file holu@System-B:/path/to/destination-file
```

To copy a file from System-B to your own system while logged in to your own system:

```
scp holu@System-B:/path/to/file /path/to/destination-file
```

To copy a whole directory recursively (with all files and subdirectories in it), you need to append the `-r` option; the `-p` option used below additionally preserves modification times and permissions:

```
scp -rp holu@System-B:/path/to/folder/ /path/to/destination-folder/
```
The SFTP protocol (Secure File Transfer Protocol) has been developed as an alternative to FTPS (TLS-encrypted FTP) and, in comparison, uses only one connection, which is handled by an encrypted SSH connection. Therefore, an SSH server is required, as with SCP.

You can use SFTP with many remote file managers, and also on the Linux, BSD or MacOS shell. In comparison to SCP, you have to establish the connection first. Once connected, you will see the `sftp` prompt, from which you can interact with the remote machine:

```
sftp holu@your_host.example.com
Connected to holu@your_host.example.com.
sftp>
```
Most of the SFTP commands are similar to the commands you would use in the Linux shell. By using the command `?` (or `help`), you get a list of available commands:

```
sftp> help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help
```
For more information and examples, please see the SFTP documentation.
The tunneling feature of the SSH protocol, which many people use to encrypt a data stream (as with SCP and SFTP), is also useful for creating a secure VPN-like connection between two systems. For more information, please see the SSH tunneling documentation.