Recover SSH access to a Hetzner server

Use this when a server is still there, but your SSH keys are gone from authorized_keys.

This is written for the Hetzner web console flow. If the server is a dedicated machine in Robot instead of Hetzner Cloud, use the equivalent Robot actions for password reset, rescue mode, and console access.

We intentionally do not use one fully copy-pastable command here. The Hetzner web terminal may mangle pasted characters such as |, >, $, -, and _, and it may even get upper and lower case wrong. The split steps below are more reliable than a single clever one-liner.

Fast path: reset root access and fix authorized_keys

Use this when the server still boots normally.

  1. Open the server in Hetzner.
  2. Reset the root password.
  3. Open the web console for the server.
  4. Log in as root with the new password.

Once you are in, re-add your own public key.

Encode the .pub file on your own machine first. Pasting the raw key into the web console is often unreliable.

Linux and macOS:

base64 < ~/.ssh/id_ed25519.pub

This produces wrapped output over multiple short lines, which is easier to copy and paste into the browser terminal.

In the Hetzner web console, browser paste tends to work best with right click, then Paste.

Start by saving the pasted base64 text to a temporary file:

tee /tmp/key.b64

Then:

  • Right click -> Paste.
  • Paste the full base64 block.
  • Press Enter.
  • Press Ctrl-D.

Now run these one by one:

openssl base64 -d -in /tmp/key.b64 -out /tmp/key.pub
dd if=/tmp/key.pub of=/root/.ssh/auth oflag=append conv=notrunc

For the dd command, do not press Enter right after auth: press Tab to expand auth to authorized_keys, verify that the path looks right, and then press Enter.

Finally:

rm /tmp/key.b64 /tmp/key.pub

If you normally log in as a non-root user, append the key to that user’s ~/.ssh/authorized_keys instead.

After that you should be able to log in over SSH again.

  • If upper and lower case seem reversed in the Hetzner web console, click the Ctrl+Alt+Del button in the lower right. After that, typing should usually be normal again.
  • openssl base64 -d avoids shell constructs like |, >>, <<<, and $(), which the Hetzner web console may paste incorrectly.
  • dd appends to authorized_keys without using shell redirection syntax.
  • Using auth plus Tab avoids having to type or paste the _ in authorized_keys, which may also get mangled.
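
A local pre-flight for the base64 transfer above, as an added example that is not part of the original page: it produces the block to paste plus a SHA-256 digest of the .pub file, and shows that a case-swapped paste still decodes without error but to different bytes. The function names and the sample key are constructed; it assumes sha256sum, base64 and mktemp on your own machine.

```shell
#!/bin/sh
# Added example: local pre-flight for the base64 key transfer.
# Function names and the sample key are constructed for illustration.

# SHA-256 hex digest of a file (assumes sha256sum is installed).
key_digest() { sha256sum "$1" | cut -d ' ' -f 1; }

# Base64 block for a public key file, as pasted into the web console.
encode_key() { base64 < "$1"; }

# Decode as the server-side step does; fall back to base64 -d
# when openssl is not installed on the local machine.
decode_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -d -in "$1" -out "$2"
    else
        base64 -d < "$1" > "$2"
    fi
}

# Succeed only if decoding base64 file $2 reproduces key file $1 exactly.
roundtrip_ok() {
    tmp=$(mktemp) || return 2
    decode_key "$2" "$tmp" 2>/dev/null
    got=$(key_digest "$tmp")
    rm -f "$tmp"
    [ "$got" = "$(key_digest "$1")" ]
}

# Simulate the console swapping upper and lower case in a pasted block.
swap_case() { tr 'A-Za-z' 'a-zA-Z' < "$1"; }

# Clean block must round-trip; case-swapped block must be rejected.
selftest() {
    d=$(mktemp -d) || return 2
    # Constructed placeholder, not a real key.
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyBody0000000000000000 user@example' > "$d/id.pub"
    encode_key "$d/id.pub" > "$d/ok.b64"
    swap_case "$d/ok.b64" > "$d/bad.b64"
    roundtrip_ok "$d/id.pub" "$d/ok.b64"; clean=$?
    roundtrip_ok "$d/id.pub" "$d/bad.b64"; mangled=$?
    rm -rf "$d"
    [ "$clean" -eq 0 ] && [ "$mangled" -ne 0 ]
}

# With a key path as argument, print the block and the digest to compare.
if [ -f "${1:-}" ]; then
    encode_key "$1"
    echo "sha256: $(key_digest "$1")"
fi
```

Running sha256sum /tmp/key.pub on the server before the dd step and comparing it with the local digest confirms the paste arrived intact.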