WPCloud Deploy Documentation

Root User Passwords

You can set or change your root user password under the USERS tab for a server.  However, before you do that, there are some things to note about passwords and root users:

  1. Some server providers do not allow SSH logins for root users with just a password.
  2. Some server providers DO allow SSH logins for root users with just a password.  We do not change this setting when creating the server.  You can, however, change it yourself by editing the etc/ssh/sshd_config file or by using the point-and-click interface we provide (instructions at the bottom of this document).
  3. WPCD does not login to your server with a password – it uses SSH public-private key-pairs.  So the absence or presence of a password for the root user does not make a difference in the day-to-day operations of the dashboard.
  4. If you lock yourself out of your server (eg: by using fail2ban or other firewalls without whitelisting your IP address), the only way back in might be using a root user password and the basic console from your server providers’ dashboard.  So, if you’re messing around with firewalls, fail2ban or similar utilities, we recommend that you generate a password for your root user and enable ssh/sshd password authentication for the root/sudo user.

***For most server providers, if you do not set a password for your root user and you are locked out, you will NOT be able to regain access to your server and there is nothing we can do about it!***

Below is some information about the default configuration for server providers.


The following server providers do not allow SSH logins for root users with just passwords:

  • DigitalOcean
  • Exoscale
  • Upcloud (servers provisioned after August 2021)

These providers have effectively set the PermitRootLogin config option in etc/ssh/sshd_config to prohibit-password.

You should consider setting a password for these servers so that you can recover if you lock yourself out of the server and need to use the providers’ recovery console.

The following server providers allow SSH logins for root users with passwords:

  • Linode
  • Vultr
  • Upcloud (servers provisioned before August 2021)
  • Hetzner

This means that you probably should disable the the root password authentication capability for servers from these providers or install the fail2ban utility on them.


The following server providers will allow you a direct SSH connection from their dashboard without needing a password or key-pair:

  • AWS EC2
  • AWS Lightsail
  • Google

This means that if you ever lock yourself out of your server you will always have a way to get back in – if you can login to the providers’ dashboard.


The following providers do not allow logins for root users with passwords at all – not from a console and not via SSH.

  • Alibaba

Try not to lock yourself out of these servers because you have no options to get back into them!


Enabling or Disabling Password Authentication

You can disable password authentication on SSH logins for the root or primary SUDO user.  To do this:

  • Go to WPCloudDeploy->Cloud Servers and click on the server for which this action will apply
  • Click on the USERS tab
  • Click on either the ENABLE PASSWORD AUTHENTICATION or DISABLE PASSWORD AUTHENTICATION button.

As mentioned earlier in this document, certain server providers already disable SSH password authentication for the root user.


Availability

Changing root user passwords from the UI is available in WPCD V 4.6.0 or later.  For prior versions you must log in via ssh and change it from the command line.


 

Share: