DO Ideas 2

Display root password in control panel, not email

It would be *much* better to have a checkbox option at instance creation time to only generate/display root password on-screen, but not send via (plaintext) email. Much more secure.

Also, a key-only (e.g., no passwords allowed) checkbox option for VM access would be awesome.

Thanks!

  • K White
  • Sep 11 2018
  • Adam W. Dace commented
    September 11, 2018 19:29

    I'm honestly not sure this is the best idea, in terms of security.
    True, emailing the password around may be a bit of "security by obscurity"
    but so far it's served me very well.

    I don't mean to be a nay-sayer, but I think root access should be taken very seriously.

    Check your e-mail and change that password, boys and girls! :)

  • Harder commented
    September 11, 2018 19:29

    When opting not to use SSH keys when creating a new droplet, it would be good if you would display the new IP and the temporary password on your site as soon as the droplet has been created rather than sending them out via email. This way both options would be secure.

    The temporary password would be marked as such and the user could then delete it on your server after changing it on the droplet (which I believe you enforce when first logging in).

  • Jesse Jones commented
    September 11, 2018 19:29

    Gathering feedback for two years? Looks like there's plenty of feedback already to be had...

  • Ian commented
    September 11, 2018 19:29

    Any news about it?

  • Anonymous commented
    September 11, 2018 19:29

    When will it be implemented?

  • Anonymous commented
    September 11, 2018 19:29

    Sending the password for the VM via email is insecure and not very comfortable.
    It would be great if the password either can be set when the VM is created, or can be seen in the interface (one?).

  • Tyler commented
    September 11, 2018 19:29

    I believe new images (at least one I deployed recently, even from a snapshot), force you to change the root password upon logging into SSH for the first time... so probably a moot point now, since you are forced to change it to your own unique password upon first use of the droplet.

    However, displaying it in the web browser (like another DigitalOcean competitor) upon creation of the droplet, either by default or as an option (checkbox) during creation, could still be handy, especially if we don't want it in our email at all. Instead, if sending an email, maybe just provide a link to a knowledgebase article with instructions on resetting the password if you lose it/forget it/otherwise can't log in.

  • Dmitry Pashkevich commented
    September 11, 2018 19:29

    Since one can always get shell access via web panel in case they lock themselves out of the box, there's really no reason to use passwords at all by default.

  • Dmitry Pashkevich commented
    September 11, 2018 19:29

    This really made me freak out when I created my first droplet! Sending out a root password via email, seriously?

    The saddest part is that the people that *DO* understand the security risk would immediately change/disable root password, but regular people would just keep the root access hanging in their gmail inbox!

    Please address this issue responsibly.

  • Pablo commented
    September 11, 2018 19:29

    This is already an option; simply by setting up SSH keys & saving them to your DigitalOcean Control Panel:

    1.) https://www.digitalocean.com/community/articles/how-to-use-ssh-keys-with-digitalocean-droplets

    2.) https://www.digitalocean.com/community/articles/how-to-create-ssh-keys-with-putty-to-connect-to-a-vps (see the "Automate the Creation of New Droplets" section)

  • Anonymous commented
    September 11, 2018 19:29

    Has there been any progress on this? While I agree it should be routine to change the root password on a new install, in the scenario where you are being actively targeted someone could be monitoring your email/network and have malware deployed to the server before you've even read the email.

  • Anonymous commented
    September 11, 2018 19:29

    I use SSH keys wherever possible for my server administration. I was very happy to find that adding an SSH key in the panel prior to deployment causes the random root password not to be e-mailed. Upon deploying my droplet, the first thing I did was to log in as root using my SSH key, create a non-privileged user and allow that user sudo when needed. It is then possible to entirely disable password login as root using the standard sshd configuration from within the VM. If desired, I can even copy my authorized SSH key to my non-privileged user account and use it to log in without a password as the normal user as well, thereby only requiring a password to execute commands with sudo.
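
An added example, not part of the original thread or of DigitalOcean's tooling: a shell check that a file in sshd_config syntax explicitly blocks root password login, honouring sshd's rule that the first value read for a keyword wins. The function names and sample files are constructed for illustration; Include files are not followed, and on a live host `sshd -T` reports the effective settings.

```shell
#!/bin/sh
# Added example: offline check of an sshd_config-style file.
# sshd keeps the FIRST value it reads for each keyword, and keywords are
# case-insensitive, so a later "PermitRootLogin no" does not override an
# earlier "PermitRootLogin yes".

# Print the first global (pre-Match) value of keyword $2 in file $1, lowercased.
sshd_first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }    # Match blocks are conditional: stop here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Exit 0 only if the file explicitly stops root from logging in with a password.
# An unset PermitRootLogin is reported as "not confirmed" rather than trusted.
root_password_login_blocked() {
    case "$(sshd_first_value "$1" PermitRootLogin)" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (hypothetical, not taken from the thread).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
    'permitrootlogin no' > "$demo/shadowed.conf"
printf '%s\n' 'PasswordAuthentication no' '  PermitRootLogin prohibit-password' \
    'Match User deploy' '  PasswordAuthentication yes' > "$demo/keyonly.conf"

for f in "$demo"/*.conf; do
    if root_password_login_blocked "$f"; then
        echo "$f: root password login blocked"
    else
        echo "$f: root password login NOT confirmed blocked"
    fi
done
```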

  • Cameron Eagans commented
    September 11, 2018 19:29

    In fact, key-only should be the default. This is a much more secure setup. If you want password auth, you should have to go out of your way to enable it.

  • Sasha Shepherd commented
    September 11, 2018 19:29

    I disagree. The first thing the user should do is IMMEDIATELY change the root password to something high security (in fact, you shouldn't be logging in with root anyway).

    Emailing it in plaintext encourages changing it right away.

  • Moisey Uretsky commented
    September 11, 2018 19:29

    We're going to move ahead with this one and move it to the planning stage.

    Thanks for the feedback!

  • Jonathan Tittle commented
    September 11, 2018 19:29

    SSH Keys are great, though disabling root log-in altogether is also a best-practice. Simply create an unprivileged user, give the user the ability to switch to root via su / sudo, and test that it works.

    If you're extremely concerned about security, there's always two-factor authentication, which can be done through various methods, though one I've been testing is Duo Security.

    https://www.duosecurity.com/

    You'll need a little time to do the setup, though two-factor is much more secure. Of course, if you're on an already compromised system, none of the three options really matter as a simple backdoor will circumvent them all.

  • Moisey Uretsky commented
    September 11, 2018 19:29

    This one is a tough call; our policy is what Jonathan outlined - basically, if you aren't using SSH keys we recommend updating the root password after you receive it.

    For any kind of automated provisioning SSH keys are the preferred method.

    And overall SSH keys are many times more secure than any form of a root password which should only be used for console access.

  • Jonathan Tittle commented
    September 11, 2018 19:29

    Since there's quite a few comments on this one, I'll ask. Why does it matter if the default root password is sent via e-mail when your Droplet is set up?

    Changing the root password for any VPS, whether the password is sent via e-mail or not, should be one of the first steps you take before doing anything else. The passwords that are sent out are short, and while semi-random, are not, in my opinion, meant to be used except to gain first-time access.

    This is simply standard protocol. Changing any password you're provided with is always a best-practice, regardless of whether it's a root password, or password for another service :-).

  • Junior Grossi commented
    September 11, 2018 19:29

    I think the better way would be to work with SSH keys too. It will improve security and will be easier.

  • Moisey Uretsky commented
    September 11, 2018 19:29

    Using SSH keys with the control panel, currently you will not be emailed a root password, as the SSH keys are used instead.

  • Sean commented
    September 11, 2018 19:29

    You could have as a creation requirement the pasting of an SSH public key, and have that inserted into the /root/.ssh/authorized_keys file. Also reset the defaults of sshd_config to "UsePam no".

  • Moisey Uretsky commented
    September 11, 2018 19:29

    Also please note that if you use SSH keys we do not email any root passwords.

  • Anonymous commented
    September 11, 2018 19:29

    This is really important, and adding a checkbox really isn't enough. Best bet is to disable sending root passwords by email entirely.

  • Moisey Uretsky commented
    September 11, 2018 19:29

    Great suggestion; we had another request for this, and we will implement it for customers that are no longer trial accounts.