Question

How can I automate changing the initial root password?

I am writing a script to migrate droplets from an old OS to a new OS.

The script uses the API to create a new droplet from an image (a snapshot of a partially configured system based on Ubuntu 22 that has already had its initial password changed), and the image has an SSH key for root to allow my script to SCP files to the new server and run some commands via SSH.

The problem is that the SCP and SSH commands fail with the message

You are required to change your password immediately (administrator enforced).
WARNING: Your password has expired.
Password change required but no TTY available.

Is there a way that I can automate changing the initial password to prevent this from happening (presumably via the API), or a different way I should be doing this?

Thanks!


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Well it’s a bit of a hacky workaround, but eventually I got it to work with the following steps:

  1. Create a .sh file containing sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow
  2. Include the .sh file in the base image, and allow it to be run as sudo with no password by another user
  3. Once the new droplet has booted, ssh as the other user and sudo run the .sh file

After that, I am able to ssh/scp as root without being asked for the password reset. The first thing I do is to ssh as root and remove the .sh file.

I also tried adding #/bin/sh;sudo sed -i 's/^root:.*$/root:*:16231:0:99999:7:::/' /etc/shadow; to user_data but that didn’t seem to work. My guess is that the initial root password is set after user_data is run, overwriting the change.

KFSys
Site Moderator
Site Moderator badge
September 26, 2022

Hi @rclaypool,

I think using the API will get you only the password_reset option which sends a new root password to your e-mail.

As for the SCP and SSH connection, it shouldn’t be using PasswordAuthenitcation if you already have an SSH key added. Maybe the SSH key you are using is not correct?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.