How can I automate changing the initial root password?

I am writing a script to migrate droplets from an old OS to a new OS.

The script uses the API to create a new droplet from an image (a snapshot of a partially configured system based on Ubuntu 22 that has already had its initial password changed), and the image has an SSH key for root to allow my script to SCP files to the new server and run some commands via SSH.

The problem is that the SCP and SSH commands fail with the message

You are required to change your password immediately (administrator enforced).
WARNING: Your password has expired.
Password change required but no TTY available.

Is there a way that I can automate changing the initial password to prevent this from happening (presumably via the API), or a different way I should be doing this?



Accepted Answer

Well, it’s a bit of a hacky workaround, but eventually I got it to work with the following steps:

  1. Create a .sh file containing sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow
  2. Include the .sh file in the base image, and allow it to be run as sudo with no password by another user
  3. Once the new droplet has booted, ssh as the other user and sudo run the .sh file

After that, I am able to ssh/scp as root without being asked for the password reset. The first thing I do is to ssh as root and remove the .sh file.

I also tried adding #/bin/sh;sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow; to user_data but that didn’t seem to work. My guess is that the initial root password is set after user_data is run, overwriting the change.
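What the `sed` substitution in the accepted answer changes, shown as an added example that is not part of the original post. It runs against a constructed copy of a shadow file rather than `/etc/shadow`; the function names, temp paths and sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01.

# Print one field of root's entry from a shadow-format file.
root_field() {   # $1 = file, $2 = field number
    awk -F: -v n="$2" '$1 == "root" { print $n }' "$1"
}

# Succeed (exit 0) if root's entry would force a password change at login.
root_change_required() {   # $1 = file, $2 = today in days since epoch
    lastchg=$(root_field "$1" 3)
    max=$(root_field "$1" 5)
    if [ -z "$lastchg" ]; then return 1; fi        # empty: aging disabled
    if [ "$lastchg" -eq 0 ]; then return 0; fi     # 0: change at next login
    if [ -z "$max" ]; then return 1; fi            # no maximum age set
    [ $(( $lastchg + $max )) -lt "$2" ]            # maximum age exceeded?
}

# The substitution from the answer, written to stdout instead of in place.
rewrite_root() {   # $1 = file
    sed 's/^root:.*$/root:*:16231:0:99999:7:::/' "$1"
}

# Constructed sample: root forced to change (lastchg = 0), one other account.
demo=$(mktemp -d)
cat > "$demo/before" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:0:0:99999:7:::
deploy:!:19200:0:99999:7:::
EOF
rewrite_root "$demo/before" > "$demo/after"
today=$(( $(date +%s) / 86400 ))

for f in before after; do
    if root_change_required "$demo/$f" "$today"; then
        state="change required"
    else
        state="no change required"
    fi
    echo "$f: lastchg=$(root_field "$demo/$f" 3) hash=$(root_field "$demo/$f" 2) -> $state"
done
```

The rewritten entry also replaces root's password hash with `*`, so root has no usable password afterwards and can only log in with the SSH key.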

Site Moderator
September 26, 2022

Hi @rclaypool,

I think using the API will get you only the password_reset option which sends a new root password to your e-mail.

As for the SCP and SSH connection, it shouldn’t be using PasswordAuthentication if you already have an SSH key added. Maybe the SSH key you are using is not correct?
