The primary method for authenticating to FreeBSD servers on the DigitalOcean platform is with SSH keys. While logging in with SSH keys provides a number of security advantages over password-based authentication, situations can occur that effectively lock you out of your own server. In these cases, you can set up a password so that you can log into your server using the DigitalOcean Droplet Console.
When you include an SSH key in your Droplet during the creation process, for security reasons, the user account on your server is not configured with a password.
However, there are some situations where you will have to log in using unconventional means. For instance, if your SSH key is lost or destroyed or if your server’s internal network settings are misconfigured, you will not be able to authenticate using SSH keys.
With most operating systems offered by DigitalOcean, if this happens, users will create a password for the Droplet in the DigitalOcean Control Panel by clicking on Access and then Reset Root Password in the Droplet’s administration page.
For most operating systems, this will generate a new password and email it to you. You can then use this password with SSH or through the Droplet console, which provides out-of-band access if your Droplet’s networking is not working correctly.
However, this feature is not available for FreeBSD and a different procedure is necessary.
To set or reset a password for a user account in FreeBSD, we will be rebooting the Droplet from the DigitalOcean Control Panel. We will then be switching over to the Droplet console in order to boot the server into single-user mode. Here, we can mount the filesystem and set a password for our account.
The rest of the guide will outline the step-by-step process needed to set or reset a password for your FreeBSD server. You can take these steps if you are ever locked out of your server.
The first step in setting or resetting your FreeBSD password is to power off your server. The problem with this requirement is that, most of the time, you will not have command line access to your server if you are attempting this procedure.
If, for some reason, you do have command line access to your server, initiating a shutdown from the command line is the best way to turn off your server:
sudo shutdown -p now
If, like most users in this situation, you do not have command line access to your Droplet, you should shut down your system through the Power Off button on the Droplet-specific menu in the control panel.
This button will attempt to gracefully shut down your Droplet as if you had issued the command we mentioned above. If this does not work, a hard power down will be issued.
Either way, your server should be off, allowing us to move on to the next step.
The Droplet console is a virtual console interface that emulates a physical connection to your server. Because of this, you can log in to your Droplet even if the server’s networking is misconfigured.
Another advantage of the Droplet console is that it presents a boot menu when we turn the server on. By taking advantage of this, we can boot into single-user mode.
Single-user mode is a special administrative mode that can only be accessed with a physical connection to the server. It allows the root user to log in without a password. External networking, non-essential services, and additional logins are all disabled. Since the Droplet console emulates a physical connection, we can boot into single-user mode.
The procedure we will be using requires you to quickly perform a few sequential actions. You must:
Press the 2 key on your keyboard to select the second boot option (single-user mode) before the boot menu times out
You will have to complete the above procedure in a few seconds, so be sure you know what to do before you begin.
Choose Access from the Droplet-specific menu, then click the Power On button. Once the Droplet is powered on, click the Launch Console button.
You will then be taken to the Droplet console, where your Droplet should be reaching the boot menu. When the boot menu loads, quickly press 2 to select single-user mode. Your server will begin to boot into the restricted, single-user administration mode.
You will see messages scroll past as FreeBSD boots into single-user mode. At the end, you will see a message like this:
Press ENTER at the prompt to start up a shell session.
At this point, you have access to a limited shell environment. However, the filesystem that contains the password information is mounted read-only, meaning that we cannot adjust the passwords.
We can remount the root filesystem in read/write mode by typing:
mount -u /
This will give us access to the system’s password database, allowing us to set a new password.
Note: If this command fails with a message stating “Filesystem is not clean”, your server was not able to shut down correctly. If this is the case, skip down to the section titled “Troubleshooting: Cleaning Up the Filesystem after an Improper Shutdown”.
If the above command succeeded, we can then tell FreeBSD to remount all filesystems, which will give us synchronous access:
With this procedure complete, we can now reset the passwords for our server.
Once our filesystem is mounted, we can set or reset any of the account passwords on the system using the passwd command.
To set or reset a password for the default freebsd user account, you can type:
You will be asked to select and confirm a new password for the account. This account is set up with sudo privileges by default, so typically, this is the only password you need to set.
If, instead, you need to set a password for the root user account, you can do so by typing:
Again, you will need to select and confirm the password in order for this operation to succeed.
Once you have set the passwords you need, you can exit the single-user environment by typing:
FreeBSD will leave single-user mode and take your server through the rest of the normal boot process. At this point, you can continue to log in using the password you configured with the console, or you can log in using SSH (assuming you have not restricted password logins for SSH sessions).
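Once an account has a password, whether SSH will also accept it depends on the server's sshd_config. The script below is an added example, not part of the original guide: it reads the global section of a config file and reports whether password-style logins are possible. The function names are hypothetical, and the fallback values (PasswordAuthentication no, KbdInteractiveAuthentication yes, UsePAM yes, PermitRootLogin no) are assumed FreeBSD defaults.

```sh
#!/bin/sh
# Added example (not from the original guide). Include files and Match
# blocks are not followed; defaults are ASSUMED FreeBSD sshd defaults.

# effective <keyword-regex> <assumed-default> <sshd_config path>
# sshd keeps the first value it reads for each keyword.
effective() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }     # comments, blank lines
        tolower($1) == "match"     { exit }     # global section ends here
        tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$3"
}

# Prints a verdict plus the settings it was derived from.
ssh_password_exposure() {
    pw=$(effective 'passwordauthentication' no "$1")
    kbd=$(effective 'kbdinteractiveauthentication|challengeresponseauthentication' yes "$1")
    pam=$(effective 'usepam' yes "$1")
    root=$(effective 'permitrootlogin' no "$1")
    if [ "$pw" = yes ] || { [ "$kbd" = yes ] && [ "$pam" = yes ]; }; then
        verdict=password-logins-possible
    else
        verdict=keys-only
    fi
    echo "$verdict password=$pw kbdinteractive=$kbd pam=$pam rootlogin=$root"
}

# Constructed sample configuration, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
ssh_password_exposure "$sample"
rm -f "$sample"
```

Run the function against /etc/ssh/sshd_config after the server finishes booting. If the config uses Include files, compare the result with the effective settings printed by `sshd -T`.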
If this procedure worked for you, then you can finish this guide here. If you were unable to mount the filesystem in read/write mode earlier, continue on to the next section.
Sometimes, when you power your Droplet off from the DigitalOcean Control Panel, the graceful shutdown procedure fails. This can occur for a variety of reasons, most often due to conditions within the server itself.
If this happens, a hard power off is run instead. This can lead to an inconsistent disk state that prevents normal mounting. When you attempt to mount the filesystem in read/write mode, you will see an error like this:
In order to fix the filesystem, you must run the fsck command.
Note: Running the fsck command can occasionally result in data corruption when used on active disks. For this reason, we are initiating an fsck on an unmounted filesystem to minimize this risk. Problems can still occur in scenarios where there was significant data being written to disk at the time of the power off event. Most users will not experience any issues, but it is always a possibility when a hard power off occurs.
In order to fix the inconsistency, we can attempt to automatically correct the errors by typing:
The system will check the filesystem, at times requiring you to type y to accept a suggested action. It is typically best to accept these solutions, as there is not much in the way of an alternative for fixing these disk issues.
Once the filesystem check completes, it will be marked as clean:
At this point, you can continue with the procedure outlined above as normal. The condensed steps that you need to take are below.
Mount the filesystem:
mount -u /
mount -a
Set the password for the accounts you need:
# To set the freebsd user account password, type:
passwd freebsd
# To set the root user password, type:
passwd
After setting passwords for the required accounts, exit single-user mode to resume the normal boot sequence:
If you run into any issues while completing the process, open a support ticket through the DigitalOcean Control Panel to request assistance.