How to disable root login on a DigitalOcean droplet | Dafacto

The personal website of Matt Henderson.

How to disable root login on a DigitalOcean droplet

27 January 2016

When you create a droplet (virtual private server) at DigitalOcean, the service sends you an email containing the login password of the root user. The problem with this setup is the risk that your server gets compromised through a brute-force password-guessing login attack.

DigitalOcean provides a more secure alternative, if you first add your SSH public key to your DigitalOcean account settings. In this case, when DigitalOcean creates your droplets, it will disable root login with password, and configure the server so that you can login as root using only your ssh key.

I only learned about this safer option after having created my droplet, and so I spent a little time trying to figure out how to rectify things i.e. I wanted to add my SSH key to the server, and disable root login with password.

Surprisingly, I had to piece together instructions from a couple of articles, as well as getting some support from our company’s system administrator, and so I thought I’d post a summary here for the benefit of others:

Step 1: Copy your SSH key to the DigitalOcean server. (You do this from your local computer, and this assumes you already have an ssh key locally.)

cat ~/.ssh/ | ssh root@[your_server] "cat >> ~/.ssh/authorized_keys"

Step 2: Edit the file /etc/ssh/sshd_config, setting the PermitRootLogin setting to “without-password”. I used Transmit’s “Edit in Transmit” feature to do this. Also, don’t, as I did, confuse this file with the similarly-named “ssh_config”.

PermitRootLogin without-password

Step 3: Login to the server as root, and restart sshd:

service ssh restart

After sshd restarts, you should be able to login as root without entering a password, and your server should now be a bit more secure.

Enjoy this article? — You can find similar content via the category and tag links below.

Questions or comments? — Feel free to email me using the contact form below, or reach out on Twitter.