By: jdschulz

How to regain access to droplet after losing public key and removing root ssh via password?

November 28, 2016
DigitalOcean Ubuntu

So, for security reasons I'm planning on disabling SSH via password, and only accepting SSH login via my public key by adding the following to my /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

So my question is... how do I regain access if I lose my public key? Can I re-enable SSH login via root with password if I log in to my Droplet's Console? Or is there some other way to accomplish this?

2 Answers
xMudrii November 29, 2016
Accepted Answer

Yes, you can regain access to the Droplet even if you lose your public key and don't have SSH root access enabled.

In case that happens, you need to resort to the Web Console.
Why does the Web Console work even with SSH root disabled? The reason is that the Web Console is not SSH; look at the Console as the interface that you would get if you attached a keyboard and monitor directly to the server (Droplet).
Things in sshd_config apply only to SSH sessions, so the Console still works.

In the Console you can use the root user, or a non-root user if you created one in Initial Server Set Up.
If you have only the root account and you used an SSH key on Droplet creation, then you don't have a root password (because it's not emailed when you use an SSH key on creation). In that case, you first need to reset the root password by going to Control Panel, Droplet, Access, Reset Root Password.
In case you have a non-root account or you have the root password, use it as normal.

Then you can enable password root access or use the Console to copy the key. It can be hard to copy a key in the Console, as copy and paste don't work in it, so SSH (or ssh-copy-id if you have it) would be better.

To add a new SSH key, you need to add the public key content to ~/.ssh/authorized_keys.
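
One way to carry out that last step from the Console, as an added example that is not part of the original answer. The function name install_pubkey and the sample path in the comment are hypothetical, and an OpenSSH server with default settings is assumed.

```shell
#!/bin/sh
# Added example: install a replacement public key for key-only SSH login.
# Usage (hypothetical path): install_pubkey "$HOME" "$(cat /tmp/new_key.pub)"
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Reject multi-line input; authorized_keys holds one key per line.
    case $key_line in
        *"
"*) echo "key must be a single line" >&2; return 1 ;;
    esac
    # Accept only lines that start with a common OpenSSH public-key type.
    # This also refuses a private key pasted by mistake.
    case $key_line in
        "ssh-ed25519 "?*|"ssh-rsa "?*|"ecdsa-sha2-nistp"???" "?*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # sshd's default StrictModes check refuses key files that are group- or
    # world-writable, so set the modes explicitly instead of trusting umask.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present (idempotent).
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        # Terminate an existing last line so two keys never share a line.
        if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
            printf '\n' >> "$auth_file"
        fi
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}
```

If you run this as root on behalf of another account, chown the .ssh directory and the file to that account afterwards so that the user can read its own authorized_keys.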


I was curious about this too, so I created a droplet (Ubuntu 16.04) and tested.

Even though I was locked out via ssh:
Permission denied (publickey).

I was still able to access the Droplet Console with the password.

I don't know if this is the same for every OS though.

The 6th post in the comments on this article, from a MOD, would lead you to believe you can always do this, but... I dunno...

https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-digitalocean-droplets
