Bob Swinkels

Hetzner Cloud: Disable Root and Add User


About Hetzner

Hetzner is a professional web hosting provider and experienced data center operator with extremely competitive pricing and generous traffic limits compared to services like Amazon Web Services and Digital Ocean.

Their Cloud offering makes it possible to spin up a server quickly and cheaply. For example, a server with one Intel vCPU, 2 GB RAM, 20 GB disk space, and 20 TB monthly traffic only costs €4,15 per month (at the time of writing).

You can use this referral link to try out Hetzner and receive €20,- in cloud credits when you sign up for an account.

Cloud-init configuration

When you spin up a Cloud instance, there is an option to add user data. Here you can paste a cloud-init configuration for the newly created server.

Using this method, you can disable root login and create a new user with SSH access and passwordless sudo at server creation time.

In the code below, replace <<USER NAME>> with the username and <<PUBLIC SSH KEY FOR USER>> with the public SSH key for the user to be created.

#cloud-config
users:
  - name: root
    lock_passwd: true
  - name: <<USER NAME>> # Replace with username
    groups: users, admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - <<PUBLIC SSH KEY FOR USER>> # Replace with public ssh key for the user

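chpasswd:
  expire: false

runcmd:
  # These two edits only rewrite lines that already start with the keyword; commented-out defaults are left as they are
  - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Append an allow-list so only this user may log in over SSH
  - sed -i '$a AllowUsers <<USER NAME>>' /etc/ssh/sshd_config # Replace with username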

power_state:
  mode: reboot
  condition: True

(Update 2022-12-10) Adding a Fresh Docker Installation

If you want to set up Docker immediately, you can extend the cloud-config file as follows.

In the code below, replace <<USER NAME>> with the username and <<PUBLIC SSH KEY FOR USER>> with the public SSH key for the user to be created.

#cloud-config
groups:
  - docker

users:
  - name: root
    lock_passwd: true
  - name: <<USER NAME>> # Replace with username
    groups: users, admin, docker
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - <<PUBLIC SSH KEY FOR USER>> # Replace with public ssh key for the user

chpasswd:
  expire: false

packages:
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg-agent
  - software-properties-common

runcmd:
  # These two edits only rewrite lines that already start with the keyword; commented-out defaults are left as they are
  - sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  - sed -i -e '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Append an allow-list so only this user may log in over SSH
  - sed -i '$a AllowUsers <<USER NAME>>' /etc/ssh/sshd_config # Replace with username
  # Add Docker's signing key and apt repository (apt-key is deprecated in current apt releases; the repository line assumes an amd64 server)
  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
  - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  - apt-get update -y
  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
  # Start Docker now and on every boot
  - systemctl start docker
  - systemctl enable docker

power_state:
  mode: reboot
  condition: True
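
The sed edits in both configurations above only rewrite a line that already starts with the keyword, and sshd uses the first value it reads for each keyword, so a commented-out default or an earlier Include can leave the setting unchanged. The helper below is an added example, not part of the original post: set_sshd_option and demo_sshd_config are hypothetical names, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# set_sshd_option FILE KEYWORD VALUE
# Writes "KEYWORD VALUE" as the first line of FILE and drops every other
# global line that sets KEYWORD, commented out or not. sshd keeps the first
# value it reads per keyword, so line 1 wins over later lines and Includes.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            BEGIN { want = tolower(key) }
            tolower($1) == "match" { in_match = 1 }  # leave Match blocks untouched
            !in_match {
                line = $0
                sub(/^[ \t]*#?[ \t]*/, "", line)      # ignore indent and one leading "#"
                n = split(line, f, /[ \t=]+/)
                if (n > 0 && tolower(f[1]) == want) next
            }
            { print }
        ' "$file"
    } > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed sample: the page's sed would not touch the commented default here.
demo_sshd_config() {
    cat <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}
```

After running it against /etc/ssh/sshd_config, `sshd -t` checks the file for errors and `sshd -T` prints the effective settings, which is worth confirming before the reboot.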