Question
Can I "circumvent" DO's built in password setup system when initializing droplets?
I would like to manually set my ssh keys from a bash script provided in user data and disable the first time login password change request when logging with my ssh keys. Is this possible?
Here’s what I’m doing so far:
#!/bin/bash
root_ssh_key="ssh-rss ..."
ssh_port=22
sshd_config="/etc/ssh/sshd_config"
sudo_user="dev"
sudo_user_home="/home/${sudo_user}"
sudo_user_ssh_key="ssh-rss ..."
# ########################
# updates
setup_updates() {
echo "Running updates..."
# get updates and install
sudo apt-get update
sudo apt-get dist-upgrade -y
}
# ########################
# user account
setup_account() {
echo "Configuring user account..."
# add the specified '$sudo_user'
sudo adduser $sudo_user --disabled-password --gecos ""
# add '$sudo_user' to the sudo group
sudo gpasswd -a $sudo_user sudo
# add sudo permissions
echo "$sudo_user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
#
# ssh access
#
ssh_folder=${sudo_user_home}/.ssh
# create .ssh folder restrict permissions
sudo mkdir -p -v $ssh_folder
sudo chmod 700 $ssh_folder
authorized_keys_file=${ssh_folder}/authorized_keys
# create an authorized_keys's file
sudo touch $authorized_keys_file
# write the ssh keys to the user's authorized_keys file and restrict permissions
echo $sudo_user_ssh_key > $authorized_keys_file
sudo chmod 600 $authorized_keys_file
# set $sudo_user as the owner of the folder
sudo chown -R ${sudo_user}:sudo $ssh_folder
# set port and disable authentication with passwords
sudo sed -i -e "/^Port/s/^.*$/Port ${ssh_port}/" $sshd_config
sudo sed -i -e '/^PasswordAuthentication/s/^.*$/PasswordAuthentication no/' $sshd_config
sudo sed -i -e '/^PermitRootLogin/s/^.*$/PermitRootLogin without-password/' $sshd_config
# allow root and $sudo_user to connect
sudo echo -e "\nAllowUsers root $sudo_user" >> $sshd_config
# restart
sudo service ssh restart
# set root ssh keys
echo $root_ssh_key > "/root/.ssh/authorized_keys"
}
# ########################
# setup firewall
#
setup_firewall() {
echo "Setting up ufw..."
# defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing
# exceptions
sudo ufw allow ${ssh_port}/tcp
sudo ufw allow http
sudo ufw allow https
# start on boot
sed -i -e '/^ENABLED/s/^.*$/ENABLED=yes/' /etc/ufw/ufw.conf
# enable
sudo ufw enable
}
# ########################
# main
#
main() {
echo "Initializing droplet as $USER..."
# check if user is root
if [ "$UID" -ne 0 ] ; then
echo "Must be root to run this script."
exit 1
fi
# setup_updates
setup_account
setup_firewall
echo "Droplet initialized."
echo "Rebooting..."
sudo shutdown -r now
}
main
I’m able to immediately login with my dev account. But I would like to prevent that first time password change request for the root. How can I do this without providing my root ssh key outside of this script?
Add a comment
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.