Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Does DigitalOcean preserve snapshots of deleted droplets? Question Question
Is there a DigitalOcean Free Trial Available? Question Question

Question

root user best practice.

Posted August 18, 2020 625 views
DigitalOcean

I am thinking of disabling the root user for my digital ocean 1-click app. However, iff a user uses a password for ssh, my user does not get that password and they can only ssh through the user I create in my image and with the password I set for the user during cloud-init, which is the Droplet ID.
I feel removing root login is best practice, however, Digital Ocean orients a lot of actions towards the root user…
Are there best practices from Digital Ocean in this regard?
Or is documenting this discrepency suffient and users will be happy I did not allow root logins?

Add a comment
zaxary
By:
zaxary

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
Does DigitalOcean preserve snapshots of deleted droplets? Question Question
Is there a DigitalOcean Free Trial Available? Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
2 answers
zaxary February 17, 2021

I left the root user.
My application uses it’s own user.
Digital Ocean users can use all the functionality around the root user and not interrupt my user and the application.

Reply Report
KFSys August 18, 2020

Hi @zaxary,

Making the root user only accessible with SSH keys should be enough in this case. Another thing which you might want to try is, if not already, deny all incoming traffic to your SSH port unless allowed for a certain IP address. That way you’ll make sure nobody can SSH to your server unless you’ve allowed their IP address.

Regards,
KFSys

Reply Report
  • zaxary August 18, 2020

    Howdy,
    Thank you for your reply.
    I may have not explained this properly.
    My 1-click app is FOR the Digital Ocean Marketplace, HarperDB is a database, www.harperdb.io

    When creating the 1-click app for Digital Ocean Marketplace, I am concerned for the users to let them or others allow access for a root user. However, much of the Droplet configuration in the digital ocean console revolves around root users, iff the user changes the password, the digital ocean backend updates the root user password.

    During image creation, I create a user, ubuntu.
    IFF during droplet 1-click deployment the user selects the ssh key option, the cloud-config script transfers ssh data to the ubuntu user, that works great!

    IFF the users select the password option during 1-click deployment, that password is for root, and the user cannot ssh with root, currently, because I have set sshd_config PermitRootLogin no.

    The Ubuntu user has a password for sudo and login, which is created from the droplet id during deployment. I am documenting this in the README.

    I am just uncertain of the best practice here, with regard to root users because of the options provided during deployment, password, or ssh key.

    I can document that when deploying HarperDB 1-click application to use ssh key and not select password.
    However, was curious on the community opinion.

    Your time is appreciated.
    Thank you.

    Reply Report

Related

Looking for something else?

Ask a new question Search for more help