The Linux Page

Setting up a Digital Ocean Droplet

Introduction

When I create a new DigitalOcean droplet, I have to run a few commands that I don't otherwise use very much at all, so I was thinking that adding them here would make it easier to remember.

Creating a New Key with ssh-keygen

I use the same key for each group of computers I manage there. Each time I create a new group, I create a new key with the ssh-keygen command, like so:

% ssh-keygen -t rsa
...
Enter file in which to save the key (/home/alexis/.ssh/id_rsa): ...
...

WARNING: as we can see, ssh-keygen proposes the default filename for the resulting keys. I think that's quite dangerous since you could end up overwriting your existing default key. Please be very careful.

Whenever I'm asked to enter the filename for the key, I enter a path to a special sub-folder to avoid problems with my other work, which uses my default SSH key. This way I can have many keys that do not interfere with each other. Just like you have a different password for each one of your remote accounts, you should have a different key. The one exception: when I work on a cluster, I use the same key for the whole cluster, which makes it a bit easier on myself.

You then end up with two files: a private key (the filename exactly as entered) and a public key (the same filename with .pub appended), for example:

/home/alexis/.ssh/other_keys/cluster_five_rsa
/home/alexis/.ssh/other_keys/cluster_five_rsa.pub

The .pub file is the one you give DigitalOcean. If you ever make the mistake of giving away your private key, it has to be considered compromised and a new key generated. However, make sure the new key works on all your servers before you remove the old key from those computers. Then verify each system to make sure it was not tampered with.

Finally, you can reference the key in your local computer's .ssh/config file as in:

% vim ~/.ssh/config
...

Host cluster_five
  HostName 1.2.3.4
  User alexis
  PasswordAuthentication no
  HostbasedAuthentication no
  IdentitiesOnly yes
  IdentityFile /home/alexis/.ssh/other_keys/cluster_five_rsa

...

Note that with that setup I turn off the possibility of using a password to log in, on the client side ("PasswordAuthentication no"). If you want to be able to enter a password in case the key breaks, then you should keep "yes" for that option. Obviously, you can edit your .ssh/config file at any time and change such settings accordingly.

WARNING: if you create the Host entry in your .ssh/config file before your first access as root (see below), you may not be able to access the droplet properly. I think it should work, though.

First DigitalOcean Server Access

First, if you set up an SSH key on DigitalOcean before you create a droplet, then you will be able to access the server's root account with SSH:

% ssh -l root -i <path-to-key> <ip-address>

IMPORTANT NOTE: although you will have access with an SSH key, the system will ask you for a root password if you use the wrong key. So make sure to use the -i option if you have multiple keys and the one you uploaded to DigitalOcean is different from your default key. In our example above, that would be:

% ssh -l root -i /home/alexis/.ssh/other_keys/cluster_five_rsa ...

WARNING: You're going to be accessing your droplet as the root user. Please be very careful. You probably want to avoid using copy & paste, for example.

Create a User

Once logged in, create a user account under your own name, because it is much safer to work from such a user than to only ever use the root account. However, you most certainly want to make that user part of the sudo group and set up a password so you can actually use sudo:

% useradd -m -s /bin/bash -G sudo alexis

The password could be defined using the -p command line option of useradd; however, that is not safe, and the option expects an already-hashed (what useradd calls encrypted) password anyway.

Instead, we use the passwd command as in:

% passwd alexis

Since you are root, this command lets you enter a new password for the specified user (alexis here) without being asked for the current one.

Copy Key to New User Account

The account is nearly ready. Now you probably want to copy your SSH key in there. Assuming it is the same as the one you installed for the root account, you can do this:

% cp -r ~/.ssh ~alexis
% cd ~alexis
% chown -R alexis:alexis .ssh

If you have a partner and added their key as well, you may want to edit the authorized_keys file and remove the other key(s), i.e. only keep yours in your account:

% vim .ssh/authorized_keys

If that's the case, you probably want to create an account for your partner(s) too and set them up in a similar way.

Clean Up Root Account

Once that is done, make sure to remove the key from the root account:

% cd
% rm -rf .ssh

Please make sure you are deleting root's keys, not the new user's (hence the cd command, which returns to root's home directory). Then try to connect with your user from your computer and try a sudo command such as apt-get, or cat a file such as /etc/shadow, which is protected (only root can read it). If that works, you're probably all good.

If you set up a root password, you probably want to remove it. This is done by editing the shadow file and replacing the encrypted password with an asterisk:

% vim /etc/shadow
root:*:1:2:3:4:::

Only replace the second field; fields are separated by colons. You could use the passwd command with the -d option to delete the password instead, but that merely empties the field and does not prevent logging in to the root account, which is generally considered bad.
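As a check on the end state of the whole procedure above (root without a usable password or authorized_keys, the new user's .ssh owned by that user and unreadable by others, only your own key left in it), here is an added example that is not part of the original post. Function names, the sample tree and the fake hash and keys are this example's own constructions; on the real droplet you would run check_all as root with an empty base path.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the end state the post
# aims at (root has no usable password and no authorized_keys; the new user's
# .ssh is owned by that user and unreadable by others; it holds only the
# expected key).  Function names are this example's own assumptions.  On the
# real droplet run, as root:  check_all "" alexis alexis@laptop

# 0 if root's password field in the given shadow file is "*" or starts with "!"
# (an empty field means "no password needed", so it is NOT accepted here).
root_password_disabled() {
    case "$(awk -F: '$1 == "root" { print $2; exit }' "$1")" in
        '*'|'!'*) return 0 ;; *) return 1 ;;
    esac
}

# 0 if <dir> exists, is owned by numeric <uid>, and group/others cannot read
# <dir>/authorized_keys ("ls -l" columns 5 and 8 are the group/other r bits).
user_ssh_dir_ok() {
    [ -d "$1" ] && [ "$(ls -lnd "$1" | awk '{ print $3 }')" = "$2" ] || return 1
    case "$(ls -ld "$1/authorized_keys" 2>/dev/null)" in
        ''|????r*|???????r*) return 1 ;;   # missing, or group/world readable
    esac
}

# Print how many key lines in <file> end in a comment other than <comment>
# (blank and # lines are skipped; assumes key comments contain no spaces).
foreign_key_count() {
    awk -v mine="$2" 'NF && !/^[ \t]*#/ && $NF != mine { n++ } END { print n + 0 }' "$1"
}

# Constructed sample tree under <base> for <user>: same layout as the post,
# with a fake hash and two fake keys (the second one is a partner's).
make_sample_tree() {
    mkdir -p "$1/etc" "$1/root/.ssh" "$1/home/$2/.ssh"
    printf 'root:*:19000:0:99999:7:::\n%s:FAKE_HASH:19000:0:99999:7:::\n' "$2" > "$1/etc/shadow"
    printf 'ssh-rsa AAAAFAKEKEY1 %s@laptop\n# partner key\nssh-ed25519 AAAAFAKEKEY2 partner@desk\n' \
        "$2" > "$1/home/$2/.ssh/authorized_keys"
    chmod 700 "$1/home/$2/.ssh" && chmod 600 "$1/home/$2/.ssh/authorized_keys"
}

# Run every check against <base> <user> <key comment>; returns the failure count.
check_all() {
    fails=0; uid=$(id -u "$2" 2>/dev/null || echo "$2")
    root_password_disabled "$1/etc/shadow" || { echo "root has a password"; fails=$((fails+1)); }
    [ ! -e "$1/root/.ssh/authorized_keys" ] || { echo "root has authorized_keys"; fails=$((fails+1)); }
    user_ssh_dir_ok "$1/home/$2/.ssh" "$uid" || { echo "bad $2/.ssh owner or mode"; fails=$((fails+1)); }
    [ "$(foreign_key_count "$1/home/$2/.ssh/authorized_keys" "$3")" -eq 0 ] || { echo "foreign keys"; fails=$((fails+1)); }
    return "$fails"
}
```

Each check takes paths as arguments, so you can point it at a constructed tree first and at the live droplet afterwards.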