- Manual server management
- ➟ Documentation guidelines
-
Technical background
-
Related links
-
Standards
-
Reference documents
-
-
Installation / configuration procedures
-
Problems, critical steps
...
├── env.template
├── 030HelloSshPublicKey
│ ├── main.tf
│ ├── providers.tf
│ ├── Readme.md
│ └── variables.tf
└── Modules
├── HostMetaData
...
└── SshKnownHosts
...export TF_VAR_login_user=devops
export TF_VAR_ssh_login_public_key=add_your_provider_token
export TF_VAR_hcloud_token=add_your_provider_token
export TF_VAR_dns_secret=add_your_ds_server_secretTo be copied, edited and used by Terraform.
- Manual server management
- ➟ Hetzner cloud administration GUI
-
Sign up at https://accounts.hetzner.com/signUp.
Note
ID card may be required, but no payment.
-
Activate 2-factor authentication!
-
Confirm your newly created account at your Moodle course.
-
Upon confirmation by your lecturer a Hetzner project space e.g. »g01« corresponding to your Moodle group number should be visible after login.
Protect your server by creating a firewall.
|
|
|
|
Upon hitting »Create and buy« you'll receive an E-Mail containing
your server's IP and root password. You may otherwise reset root's
password in the GUI's rescue tab.
$ ssh root@95.216.187.60 The authenticity of host '95.216.187.60 (95.216.187.60)' can't be established. ED25519 key fingerprint is SHA256:vpV7B+l9RLQ+SwTMqtkk7YbICBhyhi2OP780+WVEFMY. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '95.216.187.60' (ED25519) to the list of known hosts. root@95.216.187.60's password: You are required to change your password immediately (administrator enforced). ... The list of available updates is more than a week old. To check for new updates run: sudo apt update Changing password for root. Current password: New password: Retype new password:
-
Select your server within your Hetzner project
-
Hit the >_ symbol in the upper right left of the actions button.
-
Login using your emailed credentials.
Tip
You may copy text into the console by disabling GUI-mode and re-enabling it subsequently.
- Manual server management
- ➟ Using ssh
- ➟ Public / private key pair
- ➟ Using ssh
-
Password based logins being notoriously prone to attacks.
Solution: Use public/private key based ssh login.
-
No updates: Software state of a most likely outdated installation image.
Solution: Create a public/private key pair.
|
A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character. No part of it should be derivable from personal information about the user or his/her family. |
$ ssh-keygen -a 256 -t ed25519 ❶ -C "goik@hdm-stuttgart.de" Generating public/private ed25519 key pair. Enter file in which to save the key (/home/foo/.ssh/id_ed25519): Created directory '/home/foo/.ssh'. Enter passphrase (empty for no passphrase): ❷ Enter same passphrase again: Your identification has been saved in /home/foo/.ssh/id_ed25519 ❸ Your public key has been saved in /home/foo/.ssh/id_ed25519.pub ❹ ...
id_ed25519 |
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACDZrjJrxfC/gCHcAhu6CROIxAps/tP8hNsNgM1RgyTL0wAAAKiPQ5vcj0Ob 3AAAAAtzc2gtZWQyNTUxOQAAACDZrjJrxfC/gCHcAhu6CROIxAps/tP8hNsNgM1RgyTL0w AAAECjW290zPFjh2srRIloZdaO49cs7hgQ7A7lmG8Z+SVDjdmuMmvF8L+AIdwCG7oJE4jE Cmz+0/yE2w2AzVGDJMvTAAAAImdvaWtAbWFydGluLXBjLWRhY2hib2Rlbi5mcml0ei5ib3 gBAgM= -----END OPENSSH PRIVATE KEY----- |
| (private key) | |
id_ed25519.pub |
ssh-ed25519 AAAAC3NzaC1 ... Cmz+0/yE2w2AzVGDJMvT goik@hdm-stuttgart.de |
| (public key) |
~/.ssh$ cd ~/.ssh /home/foo/.ssh cat id_ed25519.pub >> authorized_keys ❶ mistudent@w10m:~/.ssh$ ls -al drwxr-xr-x 2 student mi 0 Okt 17 17:45 . drwxr-xr-x 32 student mi 0 Okt 17 17:44 .. -rw-r--r-- 1 student mi 396 Okt 17 17:45 authorized_keys ❷ -rw------- 1 student mi 1675 Okt 17 17:38 id_ed25519 ❸ -rw-r--r-- 1 student mi 396 Okt 17 17:38 id_ed25519.pub ❹
goik@martin-hdm-desktop:~$ scp .ssh/id_ed25519.pub root@37.27.32.138:/tmp ❶ root@37.27.32.138's password: id_ed25519.pub 100% 103 3.7KB/s 00:00 goik@martin-hdm-desktop:~$ ssh root@37.27.32.138 ❷ root@37.27.32.138's password: ... root@debian-4gb-hel1-2:~# cat /tmp/id_ed25519.pub >> ~/.ssh/authorized_keys ❸ root@debian-4gb-hel1-2:~# exit ❹ goik@martin-hdm-desktop:~$ ssh root@37.27.32.138 ❺ ... Last login: Tue Apr 8 13:38:42 2025 from 141.62.31.244
Caution
This is about MONEY
-
Delete your server including the IPv4 address and possibly volumes: All three are being billed on a per hour basis.
-
You may optionally delete your firewall.
>ssh root@learn.mi.hdm-stuttgart.de Enter passphrase for key '/home/goik/.ssh/id_ed25519': root@learn:~# exit logout Connection to learn.mi.hdm-stuttgart.de closed. >ssh root@klausur.mi.hdm-stuttgart.de Enter passphrase for key '/home/goik/.ssh/id_ed25519': root@klausur:~# exit logout Connection to klausur.mi.hdm-stuttgart.de closed.
-
Install ssh-agent or related on your system: Your passphrase will be cached per session.
-
Optional: Connect your password manager to the agent.
Example: KeepassXC SSH Agent integration.
>printenv |grep SSH_AUTH_SOCK SSH_AUTH_SOCK=/run/user/21100/keyring/ssh >ps aux|grep ssh-agent goik 6671 ... /usr/bin/ssh-agent -D -a /run/user/21100/keyring/.ssh >ls -al /run/user/21100/keyring/ssh srwxr-xr-x. 1 goik goik 0 Apr 12 09:58 /run/user/21100/keyring/ssh
Note: The “s” in
srwxr-xr-x indicates a
domain socket.
- Manual server management
- ➟ Using ssh
- ➟ Agent forwarding
- ➟ Using ssh
goik@local> ssh root@learn.mi.hdm-stuttgart.de Linux learn 6.5.13-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.5.13-1 (2024-02-05T13:50Z) x86_64 ... root@learn:~# ssh klausur.mi.hdm-stuttgart.de root@klausur.mi.hdm-stuttgart.de: Permission denied (publickey).
-
Copy private key
~/.ssh/id_ed25519to intermediate host (and re-enter passphrase there). -
Enable agent forwarding.
Note
Agent authentication socket on originating client host required.
# File ~/.ssh/config goik@local ... Host learn.mi.hdm-stuttgart.de ForwardAgent yes # Forward ssh agent # to remote host. ... |
goik@local> ssh root@learn.mi.hdm-stuttgart.de Linux learn 6.5.13-1-pve #1 SMP ... ... root@learn:~# root@learn:~# ssh klausur.mi.hdm-stuttgart.de Linux klausur 6.8.8-4-pve #1 SMP ... ... root@klausur:~# |
- Manual server management
- ➟ Using ssh
- ➟ Port forwarding
- ➟ Using ssh
# Implicit for ssh-L localhost:2000:localhost:3306 ... # ssh -L 2000:localhost:3306 HostB # Mysql DB Server
# Originating host # $ telnet localhost:2000 Trying ::1... Connected to localhost. Escape character is '^]'. DHost '127.0.0.1' is not allowed to connect to this MariaDB server
- Manual server management
- ➟ Using ssh
- ➟ X11 forwarding
- ➟ Using ssh
- Manual server management
- ➟ Using ssh
- ➟ Network data transfer using scp, rsync and ssh
- ➟ Using ssh
$ md5sum README.md 64e1d4b7f8fbf99219020b5e931db986 README.md $ scp README.md root@www.medieninformatik.cloud:/tmp README.md $ ssh root@www.medieninformatik.cloud Last login: Mon Oct 13 13:58:12 2025 from 141.62.20.174 root@applix:~# md5sum /tmp/README.md 64e1d4b7f8fbf99219020b5e931db986 /tmp/README.md
$ tree hello hello/ ├── pom.xml └── src └── main └── java └── start └── App.java $ rsync -av --delete -e ssh hello root@www.medieninformatik.cloud:/tmp sending incremental file list hello/ hello/pom.xml hello/src/ hello/src/main/ hello/src/main/java/ hello/src/main/java/start/ hello/src/main/java/start/App.java sent 3,115 bytes received 82 bytes 2,131.33 bytes/sec total size is 2,769 speedup is 0.87
- Manual server management
- ➟ Prerequisites
Bash Guide for Beginners
-
Vim Introduction and Tutorial
The definitive guide, also available at SafariOnline
-
Public/private keys, pass phrases
-
Trusted hosts
-
Port forwarding
-
X11 forwarding
-
ssh agent
- Manual server management
- ➟ Ubuntu /
Debian Package management
- ➟ Prerequisites
- ➟ Ubuntu /
Debian Package management
-
Debian package management introduction and reference.
-
15 Practical Examples of “dpkg commands” for Debian Based Distros
-
Sample:
firefox_75.0-2_amd64.deb -
Archive containing:
-
Files
-
Pre- and post installation scripts
-
trigger
-
-
Query installed, install / update from file system and purge packages, i.e.:
> dpkg -i skypeforlinux-64.deb
> dpkg -l apt* Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/... +++-======================-=====================... ii apt 2.0.2 amd64... ii apt-config-icons 0.12.10-2 all un apt-config-icons-hidpi <none> <none> un apt-doc <none> <none> un apt-listbugs <none> <none> ...
-
Low level package management
-
Dependency unaware
|
#> apt update ❶ Hit:1 http://security.debian.org buster/updates InRelease ... 4 packages can be upgraded #> apt upgrade ❷ ... The following packages will be upgraded: libldap-2.4-2 libldap-common libssl1.1 openssl ... Get:1 http://security.debian.org buster/updates/main ... Get:2 http://security.debian.org buster/updates/main ... |
Problems:
-
“Not available here”
-
Version outdated
-
Needing “bleeding edge” version