I am thinking of disabling the root user for my digital ocean 1-click app. However, iff a user uses a password for ssh, my user does not get that password and they can only ssh through the user I create in my image and with the password I set for the user during cloud-init, which is the Droplet ID. I feel removing root login is best practice, however, Digital Ocean orients a lot of actions towards the root user… Are there best practices from Digital Ocean in this regard? Or is documenting this discrepency suffient and users will be happy I did not allow root logins?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Get our newsletter
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
I left the root user. My application uses it’s own user. Digital Ocean users can use all the functionality around the root user and not interrupt my user and the application.
Hi @zaxary,
Making the root user only accessible with SSH keys should be enough in this case. Another thing which you might want to try is, if not already, deny all incoming traffic to your SSH port unless allowed for a certain IP address. That way you’ll make sure nobody can SSH to your server unless you’ve allowed their IP address.
Regards, KFSys