root user best practice.

Posted August 18, 2020 838 views

I am thinking of disabling the root user for my digital ocean 1-click app. However, iff a user uses a password for ssh, my user does not get that password and they can only ssh through the user I create in my image and with the password I set for the user during cloud-init, which is the Droplet ID.
I feel removing root login is best practice, however, Digital Ocean orients a lot of actions towards the root user…
Are there best practices from Digital Ocean in this regard?
Or is documenting this discrepency suffient and users will be happy I did not allow root logins?

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers

I left the root user.
My application uses it’s own user.
Digital Ocean users can use all the functionality around the root user and not interrupt my user and the application.

Hi @zaxary,

Making the root user only accessible with SSH keys should be enough in this case. Another thing which you might want to try is, if not already, deny all incoming traffic to your SSH port unless allowed for a certain IP address. That way you’ll make sure nobody can SSH to your server unless you’ve allowed their IP address.


  • Howdy,
    Thank you for your reply.
    I may have not explained this properly.
    My 1-click app is FOR the Digital Ocean Marketplace, HarperDB is a database,

    When creating the 1-click app for Digital Ocean Marketplace, I am concerned for the users to let them or others allow access for a root user. However, much of the Droplet configuration in the digital ocean console revolves around root users, iff the user changes the password, the digital ocean backend updates the root user password.

    During image creation, I create a user, ubuntu.
    IFF during droplet 1-click deployment the user selects the ssh key option, the cloud-config script transfers ssh data to the ubuntu user, that works great!

    IFF the users select the password option during 1-click deployment, that password is for root, and the user cannot ssh with root, currently, because I have set sshd_config PermitRootLogin no.

    The Ubuntu user has a password for sudo and login, which is created from the droplet id during deployment. I am documenting this in the README.

    I am just uncertain of the best practice here, with regard to root users because of the options provided during deployment, password, or ssh key.

    I can document that when deploying HarperDB 1-click application to use ssh key and not select password.
    However, was curious on the community opinion.

    Your time is appreciated.
    Thank you.