Question

What Happens to SSH Public and Private Keys When you "Rebuild" a Droplet?

Posted November 27, 2020 212 views
Ubuntu 20.04

Hey all, I was having some issues with the configuration of my Ubuntu 20 LTS server that I was going to use to host my Django website, so I decided to use the “Rebuild” dashboard command to wipe my droplet. However, there are some SSH concepts that are a bit murky that I need clearing up as I cannot log into my server anymore [Getting Permission denied (publickey)].

It is my understanding that, when you initially create your droplet using Digital Ocean, you can use the dashboard tool (the one in Account – Settings – Security) to go through the process of setting a PuTTY SSH key or an OpenSSH key. I had no issues with this during my initial setup of my droplet (I chose to use PuTTY). Now, is this next statement correct? It may point to a gap or lack of understanding in my knowledge of how SSH works.

If you “Rebuild” your droplet, you can never use the dashboard SSH tool, as it can only be used during initial creation of your droplet.

The evidence for this statement is here:
https://www.digitalocean.com/docs/droplets/how-to/add-ssh-keys/to-existing-droplet/
“For security reasons, you can’t add or modify the SSH keys on your Droplet using the control panel after you create it, but you have several options to add and modify them via the command line.”

Does this statement apply even when you Rebuild your droplet?

I have another question that may be connected to the above section. When I Rebuilt my droplet I would expect all SSH keys etc. to be completely destroyed. However, if I use Git Bash on my local computer and type ssh root@[my server's IP address assigned by digitalocean], I get a warning about the identity of the host not being able to be established and am prompted yes or no to continue connecting. When I choose yes, I get
“Permission Denied (publickey).”

That must mean that my previous statement is false. It seems like there is already an SSH public key on my newly Rebuilt Droplet. I would expect, if it were true that all SSH information is deleted upon Rebuild, that it would ask me for a password.

In sum my two questions are:

  1. What is the connection between the Digital Ocean SSH key dashboard? Once you create your droplet, is the dashboard never applicable again, and any changes to your SSH keys for that droplet must be made via the command line?
  2. Are SSH keys deleted upon a Rebuild? It seems like I still have some sort of public key/private key authentication on my droplet even after the Rebuild.

Thanks in advance everyone, looking forward to getting this SSH authentication cleared up so I can continue focusing on the deployment of my website.

1 answer

Hi,
From my experience…

1. If you create your original droplet with an SSH public key marked on the dashboard, then your rebuilt droplet will have the same public key installed in /root/.ssh/authorized_keys. Note that you need to ssh into the rebuilt droplet as root, at least for the first time. According to the official DO doc, you need to remove the fingerprint of your original droplet from the known_hosts file before you ssh into your rebuilt droplet for the first time.

ssh-keygen -f /root/.ssh/known_hosts -R your_droplet_ip

Then you can try to ssh into your rebuilt droplet. I strongly recommend specifying a private key with the -i parameter and the absolute path leading to it. You will avoid possible problems related to forgotten settings made in the past, e.g. in the /root/.ssh/config file.

ssh -i /root/.ssh/your_private_key root@your_droplet_ip

2. The public key which was marked on the dashboard during creation of the original droplet is preserved on the rebuilt droplet in /root/.ssh/authorized_keys. If you create a sudoer and configure it for SSH access (copy the public key from root’s location or create another one) on the original droplet, this sudoer will not exist on the rebuilt droplet, nor will its home directory or the public key you configured for it.

If you create an original droplet with SSH password authentication, you will have just SSH password authentication on the rebuilt droplet. This happens even when you reconfigure SSH authentication from password to public/private key on your original droplet.
Note that you will have to reset the root password on the rebuilt droplet before your first login, since your originally entered SSH password is not stored within your DO account and cannot be restored on the rebuilt droplet.
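
To show which known_hosts lines the ssh-keygen -R step in the answer above acts on, here is an added example (not part of the original answer or of DigitalOcean's documentation) that finds entries recorded for a host, including the hashed `|1|salt|hash` form written when HashKnownHosts is enabled. The IP addresses and key blobs are constructed placeholders, and the function names are hypothetical.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """Build a hashed known_hosts host field: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def field_matches(field, host):
    """True if one known_hosts host field names `host` (plain or hashed)."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64)
            want = base64.b64decode(mac_b64)
        except ValueError:  # malformed hashed field
            return False
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain form: comma-separated names; wildcard patterns are not handled here.
    return host in field.split(",")

def stale_entries(known_hosts_text, host):
    """Return 1-based line numbers of entries recorded for `host`."""
    hits = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and field_matches(fields[0], host):
            hits.append(n)
    return hits

# Constructed sample: 203.0.113.10 stands in for the droplet IP.
DROPLET_IP = "203.0.113.10"
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "198.51.100.7 ssh-ed25519 AAAAPLACEHOLDER1",
    hash_host(DROPLET_IP, b"0123456789abcdefghij") + " ssh-ed25519 AAAAPLACEHOLDER2",
    "example.test," + DROPLET_IP + " ecdsa-sha2-nistp256 AAAAPLACEHOLDER3",
    hash_host("198.51.100.7", b"abcdefghij0123456789") + " ssh-rsa AAAAPLACEHOLDER4",
])

if __name__ == "__main__":
    print(stale_entries(SAMPLE, DROPLET_IP))
```

A plain text search for the IP would find only line 4 of the sample; the hashed entry on line 3 is matched only by recomputing the HMAC with that line's own salt.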
