Running a cost-effective business is always important, and for a few years I had a reseller account with a UK company.
They were a brilliant company to work with, always on hand to provide support, but they couldn’t provide me with exactly what I needed, nor could I justify the large expense when I couldn’t recoup it from my clients.
I had a few clients who used/needed dedicated servers, so I had gained a fair amount of experience through this, and after some research and trial runs, I finally settled on DigitalOcean because it was the easiest and cheapest service out there.
I know there are cheaper and “better” providers out there, but I tried so many and a lot had hidden costs, support was terrible, and quite frankly made working with the servers more of a chore. DigitalOcean, in my opinion, just made it a whole lot easier.
I’m not paid for this article, but if you do want to set up your own DigitalOcean account, you can use this link and I’ll get a kickback from it.
Or contact me and I’ll manage it all for you.
What was the problem?
After trying to help a friend fix their computer, I think I may have inadvertently infected my own computer with the same problem. It could have been a coincidence, but I had to reinstall the OS on my main system, and with that, I lost the SSH Keys I used to access my servers.
So, here I am… locked out of my own systems, and the only access I have is through an in-browser console/terminal which was sluggish and not very reliable.
My services were up and running, everything was running fine, but I could not access the files on the server; it wasn’t a good situation.
DigitalOcean has a section where you can paste your SSH Keys, so whenever you start a new Droplet, they are automatically added to the Droplet.
DigitalOcean also, by default, allows you to log in via a username and password, which a) isn’t the most secure method, and b) needs to be reset.
Now, I’m not sure if I had forgotten my password or if I was ever given the chance to set one, but when I lost access using SSH, I needed to reset the password in order to log into the in-browser console.
You may be thinking “wait, why did you lose access if you can login with a username and password?“; well, simply put, I disabled that method of access to increase security, so the only way was using SSH Keys.
So, the solution?
After hours of research and trial and error, I came across this article which helped me figure out a way to gain easy access to the droplets again.
The in-browser console was not fun to use; practically unusable because of the glitches and bugs. So the main focus was to enable access remotely once again.
Here are the steps I followed:
- Log into the droplet via the in-browser console
- Edit the sshd_config file (/etc/ssh/sshd_config)
- Change PasswordAuthentication to Yes
- Save and quit
- Reload SSH (using reload ssh)
This will allow you to log in remotely using the username and password. Now I can copy and paste my SSH Key(s) directly into the server.
This was impossible using the in-browser console as the key was not copied over correctly.
- Edit the authorized_keys file (in ~/.ssh)
- Copy and paste your local SSH Key into this file (at the end of the file)
You will now be able to log into the Droplet remotely with the SSH Key, once we disable access via password again.
To do that, follow the first set of steps, but this time set PasswordAuthentication to No.
Once reloaded, you should be able to access the Droplet again, securely, using the SSH Key only.
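The two edits above (toggling PasswordAuthentication, then pasting a key into authorized_keys) are the kind of change that locks you out if a typo slips in, so here is an added example, not code from the original post, with helpers that make them checkable: the file paths are parameters so you can try them on a copy first, the key check catches a paste that was wrapped or truncated (the problem described with the in-browser console), and the config is tested with sshd -t before reloading. The reload command assumes a systemd-based Ubuntu droplet.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the sshd_config and
# authorized_keys steps above. Paths are parameters so the functions can be
# run against a copy; the reload line assumes a systemd Ubuntu droplet.

# set_password_auth FILE yes|no : rewrite (or append) the directive in FILE.
set_password_auth() {
    file="$1"; value="$2"
    case "$value" in yes|no) ;; *) echo "use yes or no" >&2; return 1 ;; esac
    tmp="$file.tmp"
    # sshd honours the first uncommented match, so normalise every variant,
    # including the shipped '#PasswordAuthentication yes' line, to one directive.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication $value/" "$file" > "$tmp"
    else
        cp "$file" "$tmp" && printf 'PasswordAuthentication %s\n' "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_password_auth FILE : print the effective value (sshd's default is yes).
get_password_auth() {
    v=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    echo "${v:-yes}"
}

# pubkey_line_ok "LINE" : sanity-check a pasted public key before it goes into
# authorized_keys. A key mangled by a console paste (wrapped, truncated, or
# missing its type) fails here instead of silently never matching at login.
pubkey_line_ok() {
    line="$1"
    nl=$(printf '\nx'); nl=${nl%x}
    case "$line" in *"$nl"*) return 1 ;; esac      # must be a single line
    set -- $line
    case "$1" in ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;; *) return 1 ;; esac
    # The blob is base64 of a length-prefixed type string, so it always starts "AAAA".
    printf '%s' "$2" | grep -Eq '^AAAA[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#2} % 4 )) -eq 0 ]
}

# apply_sshd_config FILE : test the edited file, then reload. A failed test
# leaves the running daemon (and your current session) untouched.
apply_sshd_config() {
    sshd -t -f "$1" && systemctl reload ssh
}
```

Keep the session you are editing from open until a second login with the key has succeeded; a reload does not drop existing sessions, so a mistake can still be corrected.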
Why restrict access with SSH Keys?
Although no solution is perfect, disabling password authentication stops anyone who only has the password from gaining access to the server. I believe that DigitalOcean is secure enough to stop people from gaining access via the in-browser console, but say someone finds out my password for a Droplet; they can simply log in from anywhere and do anything.
SSH Keys create a link between the computer and the server, so as long as there is a link there, the server will allow access from that computer. If there is no link, access is denied.
So, even if someone gets the password, there is no link between computer and server.