How can I automate changing the initial root password?

I am writing a script to migrate droplets from an old OS to a new OS.

The script uses the API to create a new droplet from an image (a snapshot of a partially configured system based on Ubuntu 22 that has already had its initial password changed), and the image has an SSH key for root to allow my script to SCP files to the new server and run some commands via SSH.

The problem is that the SCP and SSH commands fail with the message

You are required to change your password immediately (administrator enforced).
WARNING: Your password has expired.
Password change required but no TTY available.

Is there a way that I can automate changing the initial password to prevent this from happening (presumably via the API), or a different way I should be doing this?


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Well it’s a bit of a hacky workaround, but eventually I got it to work with the following steps:

  1. Create a .sh file containing sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow
  2. Include the .sh file in the base image, and allow it to be run as sudo with no password by another user
  3. Once the new droplet has booted, ssh as the other user and sudo run the .sh file

After that, I am able to ssh/scp as root without being asked for the password reset. The first thing I do is to ssh as root and remove the .sh file.

I also tried adding #/bin/sh;sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow; to user_data but that didn’t seem to work. My guess is that the initial root password is set after user_data is run, overwriting the change.

Site Moderator
Site Moderator badge
September 26, 2022

Hi @rclaypool,

I think using the API will get you only the password_reset option which sends a new root password to your e-mail.

As for the SCP and SSH connection, it shouldn’t be using PasswordAuthenitcation if you already have an SSH key added. Maybe the SSH key you are using is not correct?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel