SSH keys are our recommended method of authentication for Droplets on DigitalOcean. Password authentication is disabled by default on Droplets created with an SSH key because it increases the Droplet’s overall security. However, it also means that if you lose your SSH key, you will need to use the Droplet console to restore SSH access.
On any version of Ubuntu, Debian, CentOS, or Fedora 27, the overall process to restore access will be:
After that, you’ll be able to log into the Droplet via SSH again by using the new
root password. You can also then re-add new SSH keys.
On FreeBSD, Fedora 28, Fedora Atomic, CoreOS, and RancherOS, which are operating systems with internally-managed passwords, it’s currently not possible to externally reset the root password. If you lose access in this case, we instead recommend creating a snapshot of that Droplet and redeploying to a new Droplet to which you have access.
First, you’ll need to force the Droplet to generate a new root password.
Navigate to the control panel. From the project the Droplet is in, or from the main navigation’s Droplets page, locate the Droplet. Click the Droplet’s name to open its detail page, then select Access in the left navigation.
Some operating systems use internally-managed passwords, which means you cannot reset the root password from the control panel. In these cases, you’ll see the following message in the Reset root password section:
This Droplet’s root password is managed internally and cannot be changed from the control panel. Please SSH into the Droplet to manage it.
See How to Recover from Lost SSH Keys for additional steps you’ll need to take.
Click Reset Root Password to send an email to the address associated with your DigitalOcean account. You can use the password provided to log in to your Droplet through the console.
Even though you have a root password for the Droplet, if you try to log in via SSH using that password right now, you’ll get a
Permission denied (publickey) error. This is because password authentication is still disabled on the Droplet. To fix that, you need to log in via the Droplet console and update its SSH configuration.
There are detailed instructions on how to connect to Droplets with the Droplet console for a more explicit walkthrough, but here’s a brief summary:
On the Droplet’s detail page, in the same Access tab, click the Launch Console button.
At the login prompt, enter
root as the username.
At the subsequent password prompt, enter the root password you were sent via email. Most distributions will prompt you to enter the password twice, but some (like Fedora 27) will not.
The web console supports pasting text with
Ctrl+v on Windows or
Command+v on Mac, so you don’t have to retype the password from the email.
Enter a new root password to replace the one that was emailed to you, then enter that same new password again.
Once you confirm the new password, you will be logged in as
root in the Droplet console, which gives you access to the Droplet’s SSH configuration.
To enable password authentication on your Droplet, you need to modify a line in its SSH config file, which is
/etc/ssh/sshd_config using your preferred text editor, like
vim. Find the line that reads
PasswordAuthentication no line and change it to
PasswordAuthentication yes, then save and exit the file.
Because the SSH daemon only reads its configuration files when it’s first starting, you need to restart it for these changes to take effect. The command to do this depends on your operating system:
|Operating System||SSH Restart Command|
|Ubuntu 15.4 and up||
After you restart the SSH daemon, you can connect to the Droplet via SSH as
root with the newly-created root password. You can also then create a new SSH keypair and add it to the Droplet.