By: gndo

web console login after ssh-only logins

December 29, 2014

I just set up another droplet, but this time I used the SSH key that I previously uploaded to the DigitalOcean control panel. The good news is now root login works flawlessly when used directly by my local tools (such as FileZilla and PuTTY). The bad news is that I can no longer use the DO web console since I can't tell it to use the SSH key I've uploaded. Did I miss some setup with the DO web console to use the uploaded ssh key?

It looks like the only option to use the DO web console (once you've converted existing login accounts to ssh-only logins) is to set up an account that does not use ssh-only login but instead uses the traditional login+password method, then su to root. Is that correct?

3 Answers

You can still use the web console but you will need to set a password for your root user. With your ssh server configured only for key-based authentication this will not change the way you log in via ssh but it will let you log into the console. Just log into your droplet via ssh and run

passwd

After creating your new password you will be able to log into the web console while continuing to use your key to log in via ssh.

  • Welp, using a password for root is vulnerable to brute force attacks, which is why I purposely changed to ssh-only login for the new droplet. I was posting the original question because I believe this may be a deficiency in the design of the DO web console, but wasn't sure if I missed something in the control panel setup.

    Thanks anyways. Also, you may want to check your log files for brute force attacks if you are using your prescribed solution. It should also show up as many failed root login attempts whenever you log in as root.

  • @gndo The web console in the control panel does not connect via SSH. It is more akin to plugging a monitor and keyboard directly into the server. In order to both protect SSH from brute force attacks and allow logins via the web console, you will need to explicitly disable password authentication for SSH and add a password to your user for use in the console.

    Edit the file /etc/ssh/sshd_config and make sure that PasswordAuthentication is set to no. Then restart SSH for the change to take effect:

        sudo service ssh restart

    Check out the section titled "Disabling Password Authentication on your Server" in this tutorial for all the info.

    SSH, or secure shell, is the most common way of administering remote Linux servers. Although the daemon allows password-based authentication, exposing a password-protected account to the network can open up your server to brute-force attacks. In this guide, we demonstrate how to configure your server with SSH keys, which is the recommended authentication method. These are much more difficult for attackers to work around, giving you a more secure login mechanism.
  • [quick edit logname]

    Spot on. Good to know that the web console is like the old serial port to the server. Also, thanks for reminding me that the default value is 'Yes' for PasswordAuthentication and should be changed explicitly. The Ubuntu /var/log/auth.log file looks better because ssh clients with the wrong credentials get kicked out before getting a password attempt.

    Thanks.
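
A check for the point made in the comments above, that PasswordAuthentication has to be set to no explicitly: this added example (not part of the original thread) reports the global value sshd would use from an sshd_config-style file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rules modelled here:
#   - keywords are case-insensitive and the FIRST occurrence wins
#   - a line starting with '#' is a comment, so the built-in default applies
#   - settings after the first "Match" line are conditional, not global
# Limitation: Include files are not followed; on a live host, compare the
# result with the output of `sshd -T`.

effective_sshd_option() {   # $1 = keyword, $2 = file, $3 = built-in default
    awk -v key="$1" -v def="$3" '
        BEGIN { want = tolower(key); val = def }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next         # keyword with no argument
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == "match") exit                    # global section ends here
            if (k == want) { val = tolower(v); exit } # first occurrence wins
        }
        END { print val }
    ' "$2"
}

# Constructed sample files, written to the directory given as $1.
make_samples() {
    printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin yes' > "$1/commented"
    printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' > "$1/duplicate"
    printf '%s\n' 'Match User deploy' '    PasswordAuthentication no' > "$1/matchonly"
    printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin yes' > "$1/hardened"
}

demo() {
    dir=$(mktemp -d) && make_samples "$dir"
    for f in commented duplicate matchonly hardened; do
        printf '%-10s PasswordAuthentication=%s\n' "$f" \
            "$(effective_sshd_option PasswordAuthentication "$dir/$f" yes)"
    done
    rm -rf "$dir"
}
demo
```

Only the `hardened` sample reports `no`; in the other three the commented-out line, the earlier duplicate and the Match-scoped setting all leave password logins over SSH enabled globally.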
