(Bug) Create droplet with SSH then disable SSH for root

December 28, 2015 2.6k views
Ubuntu Security

I found a bug when I followed the first steps to creating a securing the server.

The problem :

You don’t know the password for root when creating a droplet with an ssh key

Reproduce the problem :

  1. Create a droplet with an ssh key
  2. Connect to server with ssh key
  3. Create a new user and add ssh connection
  4. Disable ssh for root (security measure)
  5. Try to do sudo with the new user

You’re asked to enter a password for root but DigitalOcean didn’t send the password by email because I created the droplet with an ssh key.

  • Weird since it should ask password of the new user.. Is that username on sudoer list?

  • Yes I added the new user to sudo group, but without a password.

    I created a .ssh folder on the home directory with a authorized_keys file containing my public key

  • I just noticed the option to reset root password from Access menu of the droplet.

  • You have to exit your login session and re-login in in order to pick up the new sudo group membership permissions. (or use Userify, but that will only do the user creation part… disabling root is still recommended.)

1 Answer

Hey there,

That’s not really a bug: it works this way across pretty much every Linux distribution. “sudo” asks for the current user’s password (if a password at all), not the root password. “su” is what asks for the root password.

Generally, what we recommend is setting a password for the new user when you create the root user, but keeping passwords disabled over SSH. This way, you have a password you can use when sudo-ing and logging in through our VNC Console, but SSH remains secure. That’s how I set up most of my droplets, and it works quite nicely.

I hope that helps! :)

Platform Support Specialist

Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!