DigitalOcean

Report this

What is the reason for this report?
Question

ed25519 ssh keys being ignored, new droplet defaults to user password without emailing passwords

Posted on October 15, 2016
Security
Getting Started
Miscellaneous
Debian
Ubuntu
rutiloxide

By rutiloxide

  1. I want to create a new droplet using this public key using the ed25519 implementation of EdDSA: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwTWZxxf3EPVd5SSlDTDMfU2Ub2L0zdDZI/4Tb0qqNZ root@syops-main

I add it by checking the checkbox while creating a new droplet.

  1. I try connecting to the droplet using the key, the ssh login defaults to password login.

a). DigitalOcean is not emailing me the root password. (I double checked, and emails from DigitalOcean never land in my spam folder, which I did check just in case).

b). This key works with multiple servers I use (Arch Linux, Funtoo Linux).

c). I double checked that the public key is correct in the DigitalOcean security page.

d) RSA keys work just fine

After creating a droplet with an RSA key and normally login in: 3. Adding with ssh-copy-id -f -i id_ed25519.pub root@[droplet-ip-address} works with that key. Removing the RSA key from the .ssh/authorized_hosts file then completes the workaround.

I’m asking here for awareness (of the problem and the workaround), does someone else experience the same problem?



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Marko Mudrinić
Marko Mudrinić
October 15, 2016

Accepted Answer

Hi @rutiloxide,

ssh-ed25519 keys are not being ignored. To make sure, I just spin up a test Droplet with one and it is working flawless.

When you try to login to your server using ssh root@ip-address, by default it will try to read for SSH keys in ~/.ssh/ (/home/sammy/.ssh/). If it is not in default place you should use ssh -i /path/to/id_ed25519 root@ip-address. So before continuing make sure this is correct.

When you create Droplet with SSH key - DigitalOcean will NOT e-mail you Root password. With keys you login without any password, so they don’t want to send passwords over mail as they look on it as not so secure way.

Beside DigitalOcean security page, make sure you selected key on Droplet creation! This is how it should look on Droplet creation.

So as I tested, it works without any problem, just like RSA key.

You can learn more about SSH keys in tutorial about it. In case you’re using Windows, this one should help you. Also if you are using Windows, make sure you selected key in Putty

0
rutiloxide
rutiloxide
October 22, 2016

Anyway, I don’t have the time to figure out what’s happening, I’ve noticed some unusual things when I’m using ECC keys, so it’s probably something upstream. It’s working fine now, I don’t have the time to test it on multiple distros and versions though to investigate properly.

0
rutiloxide
rutiloxide
October 15, 2016

@xMudrii Hi!

That’s nice. It’s working now with a Debian 8.6 and Ubuntu 16.04 droplet. Didn’t work an hour ago though. Or a couple of weeks ago. If somebody is hotpatching this now, hi!

In the context of my opening post, since I successfuly used a rsa key with a droplet and then added the key with the ssh-copy-id command, you could have deduced that I knew what I was doing. Do you really think I didn’t read that guide? How do you suppose I’ve been using ssh keys with my other servers? That means a dozen ssh logins a day with the same ssh key and the same default ssh command:

# ssh username@host.mydomain.com

from the same fully-updated Parabola GNU/Linux box. It’s working at the moment with another server, so for the extremely paranoid, it shouldn’t be an error on my side.

I’m just a little bit suspicious that such an error happens only when I’m creating droplets, and only when I use an ed25519 key.

And of course, DigitalOcean doesn’t email me a password if I use ssh keys, from which you could also deduce that DigitalOcean does process the key. This invalidates your whole “add an ssh” checkbox theory.

Well thank you for the answer, but its mostly not needed. If it works on one droplet, that doesn’t really convince me. The correct answer is testing.

I’ll write a script to test with all the available droplet platforms I’m using and a couple of good encryption algorithms just to be sure. If a script fails for one of the encryption algorithms or platforms, I’ll know for sure.

I’m not approving an answer until a week is passed. I want a cause, not a symptom gone. I don’t want a script for autodeploying droplets to fail because of some random error.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.