After successfully setting up SSH Key Authentication and disabling password access to my server, I can still log in as either ‘newuser’ or root using DigitalOcean’s console access. Is this normal? It seems very risky.
The console of your droplet is the virtual server equivalent of being directly attached to the server’s physical keyboard and monitor ports - it is not an SSH interface.
This tutorial describes its use:
I know this is over a year old, but I wanted to leave this here if you or some other future Googler finds it useful.
Someone recently-ish gained access to my saved passwords in Google and was thus able to access my DigitalOcean account, reset my root password, and login via the console.
As a result I decided to implement this: https://github.com/shitchell/response-test
It detects if the login session is coming from a physical TTY (which the online console appears to be), and if so, presents a customizable challenge phrase/response (glorified second password). If they get it wrong, they’re dropped into a pseudo shell that mimics /bin/sh but with broken commands so that it appears not that they’ve been locked out, but that the system is just horribly broken.