The documentation for this is pretty terrible and we had to figure this out by trial and error.
The storage box has a password, which is secret and random if not provided. It can be reset to an arbitrary one in the console ("Reset password" in the dropdown menu). It cannot be disabled. It is the only way to use WebDAV and SMB, and it is always accepted by SSH (and thus SFTP) on either port. It is also the only way to recover a storage container you have locked yourself out of after losing your SSH keys.
The SSH server on port 22 rejects shell requests but allows spawning the SFTP subsystem. Requests for any other command or subsystem appear to fail, so it seems to be built specifically for SFTP use.
The SSH server on port 23 offers a limited shell (rsh) with rsync, restic and a few other whitelisted commands. No redirections, pipes or other common shell features you'd expect. (dd is whitelisted, so you can use it as a substitute for cat > file or cat >> file.)
SFTP and the rclone restic backend (rclone serve restic) are also available on this port, so for SFTP use it is practically equivalent to port 22 (apart from the key-format difference explained below).
The main user (on both ports) is the Hetzner owner username. It is possible to create limited users within a container box with RW or RO access scoped to subdirectories, which you can use to lock things down. It is also possible to enable or disable services per limited user.
Both SSH ports read the same .ssh/authorized_keys file when doing SSH key authentication, but port 22 only uses keys in RFC4716 format (---- BEGIN SSH2 PUBLIC KEY ----) while port 23 only uses keys in the old OpenSSH format (a single line beginning with ssh-*).
Keys of both formats can be freely mixed in the file.
A key in RFC4716 format looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "clientuser@clienthost"
AAAAC3NzaC1lZDI1NTE5AAAAIGEwd8YakaLoMVWJ18Xm9JB4KAlUAg7XcgoCtRzQZ2ee
---- END SSH2 PUBLIC KEY ----
While a key in the old format looks like:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEwd8YakaLoMVWJ18Xm9JB4KAlUAg7XcgoCtRzQZ2ee clientuser@clienthost
Port 23 obeys the command="..." option in an .ssh/authorized_keys entry if present (it will always use it as the command to spawn, ignoring whatever the user supplied in the exec/subsystem request). So, for example, to grant a key access only to the restic append-only backend:
command="rclone serve restic --stdio --append-only MyResticRepo" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeTjZY1DdK4e5inDkFUkcjU3zqKZQMgGjv3ij1kf0y3 BackupUploader
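Since the two ports read different key formats from the same file, it is easy to end up with a key that works on one port and not the other, or with a restricted key that is also listed in RFC4716 form and therefore gets plain SFTP access on port 22. The following is an added example (not from these notes or from Hetzner) that converts a one-line OpenSSH key into the RFC4716 form shown above, checks that the key type in the text matches the type embedded in the base64 blob, and emits the authorized_keys entries for one or both ports with an optional command= restriction for port 23. The sample key and the function names are constructed for the example.

```python
import base64
import struct
import textwrap

# Constructed sample: the same key the notes above show in OpenSSH one-line form.
SAMPLE_OPENSSH_KEY = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGEwd8YakaLoMVWJ18Xm9JB4KAlUAg7XcgoCtRzQZ2ee "
    "clientuser@clienthost"
)


def parse_openssh_key(line):
    """Split a one-line OpenSSH public key into (type, base64 blob, comment).

    The blob begins with a length-prefixed key type string; if it does not match
    the leading type field, the line has been mangled or tampered with.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    raw = base64.b64decode(blob, validate=True)
    (name_len,) = struct.unpack(">I", raw[:4])
    embedded_type = raw[4:4 + name_len].decode("ascii")
    if embedded_type != key_type:
        raise ValueError(f"type {key_type!r} does not match blob ({embedded_type!r})")
    return key_type, blob, comment


def to_rfc4716(line):
    """Render the key in RFC4716 form for port 22 (base64 wrapped at 70 columns)."""
    _, blob, comment = parse_openssh_key(line)
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(textwrap.wrap(blob, 70))
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)


def authorized_keys_entries(line, command=None, allow_port22=True):
    """Build the authorized_keys text for one key.

    The OpenSSH line (port 23) may carry a forced command. The RFC4716 block
    (port 22) is only emitted when allow_port22 is set: port 22 reads that format
    and only ever spawns SFTP, so listing it there grants SFTP access to the key.
    """
    key_type, blob, comment = parse_openssh_key(line)
    openssh = f"{key_type} {blob} {comment}".rstrip()
    if command is not None:
        if '"' in command:
            raise ValueError("double quotes are not allowed inside command=")
        openssh = f'command="{command}" {openssh}'
    entries = [openssh]
    if allow_port22:
        entries.append(to_rfc4716(line))
    return "\n".join(entries) + "\n"
```

Run to_rfc4716 on your own key.pub to get the port 22 form, or authorized_keys_entries with allow_port22=False when a key should only ever reach the forced command on port 23.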