Question

How can I automate changing the initial root password?

I am writing a script to migrate droplets from an old OS to a new OS.

The script uses the API to create a new droplet from an image (a snapshot of a partially configured system based on Ubuntu 22 that has already had its initial password changed), and the image has an SSH key for root to allow my script to SCP files to the new server and run some commands via SSH.

The problem is that the SCP and SSH commands fail with the message

You are required to change your password immediately (administrator enforced).
WARNING: Your password has expired.
Password change required but no TTY available.

Is there a way that I can automate changing the initial password to prevent this from happening (presumably via the API), or a different way I should be doing this?

Thanks!


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Well it’s a bit of a hacky workaround, but eventually I got it to work with the following steps:

  1. Create a .sh file containing sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow
  2. Include the .sh file in the base image, and allow it to be run as sudo with no password by another user
  3. Once the new droplet has booted, ssh as the other user and sudo run the .sh file

After that, I am able to ssh/scp as root without being asked for the password reset. The first thing I do is to ssh as root and remove the .sh file.

I also tried adding #/bin/sh;sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow; to user_data but that didn’t seem to work. My guess is that the initial root password is set after user_data is run, overwriting the change.

Hi @rclaypool,

I think using the API will get you only the password_reset option which sends a new root password to your e-mail.

As for the SCP and SSH connection, it shouldn’t be using PasswordAuthenitcation if you already have an SSH key added. Maybe the SSH key you are using is not correct?