# How to Enable Root Login on Your VM (BYOVM) Elestio’s **BYOVM (Bring Your Own VM)** workflow requires **direct root-level SSH access** to the target host. Many cloud providers disable or restrict root login by default; this document outlines how to safely re-enable it while maintaining a strong security posture.

---

#### Architectural Requirement for Root Access Elestio performs **low-level system provisioning and lifecycle management** directly on the host. This includes:

- Writing configuration and state under `/root/` other privileged paths - Installing and managing system packages and daemons - Modifying network configuration, firewall rules, and kernel-adjacent settings - Executing privileged deployment and orchestration tasks

Relying on a non-root user with `sudo` is intentionally avoided due to

- **Inconsistent `sudo` availability and behavior** across distributions and cloud images - **Hard dependencies on root-owned paths** (e.g., `/root`, system-level configs) - **Increased operational complexity** from privilege escalation (TTY requirements, environment differences, edge cases) - **Higher failure surface** during automated provisioning

From an automation and reliability standpoint, **direct root access is deterministic and reduces ambiguity**.

---

#### Security Model: Root Access with SSH Keys Enabling root login is **not inherently insecure** when implemented correctly. Elestio enforces the following security guarantees:

- **Password authentication is permanently disabled** - **Only SSH key-based authentication is permitted** - **Root login is restricted to key-based access (`prohibit-password`)**

##### Implications

- No password-based login is possible under any circumstances - Attack vectors such as brute-force or credential stuffing are eliminated - Access is strictly limited to holders of the corresponding private key

Blocking the root while allowing SSH access to an enabled user does **not materially improve security**. Any compromise of such a user trivially escalates to root (`sudo su`). The **true security boundary is the SSH private key**, not the username.

---

##### Step 1: Remove Provider-Imposed Restrictions Some providers (notably AWS and GCP) inject a forced command `/root/.ssh/authorized_keys` to prevent root login: ```bash no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142" ```

This must be removed. Execute as a privileged non-root user (e.g., `ubuntu`, `ec2-user`): ```bash sudo sed -e "s/echo;sleep 10;exit 142//g" -i /root/.ssh/authorized_keys ``` Validate: ```bash sudo cat /root/.ssh/authorized_keys ``` Expected state: **only raw public key entries, no `command="..."` prefix**.

---

##### Step 2: Configure SSH Daemon Inspect the current configuration: ```bash sudo grep -i PermitRootLogin /etc/ssh/sshd_config ``` Enforce the correct policy: ```bash sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config ``` ##### Semantics

- `prohibit-password` - ✅ (allows) SSH key authentication - ❌ (blocks) password authentication

This is the **recommended and secure baseline configuration**.

---

##### Step 3: Reload SSH Service Apply changes without terminating the active session: ```bash sudo systemctl reload sshd || sudo service ssh reload ```

---

##### Step 4: Validate Root Access From your local environment: ```bash ssh -i /path/to/private_key root@ ``` A successful connection should yield a root shell immediately.

---

##### Provider Behavior Matrix

Provider	Root Access Default	Notes
AWS EC2 (Ubuntu)	Blocked	Requires `authorized_keys` fix
AWS EC2 (Amazon Linux)	Blocked	Requires `authorized_keys` fix
Google Cloud	Blocked	Requires `authorized_keys` fix
Azure	Blocked	Controlled via `sshd_config`
DigitalOcean	Enabled	No action required
Hetzner	Enabled	No action required
Vultr	Enabled	No action required
Linode (Akamai)	Enabled	No action required

For AWS and GCP, **Step 1 is mandatory** in most cases.

---

##### Troubleshooting ##### Root login still denied Check for override files: ```bash sudo grep -r PermitRootLogin /etc/ssh/sshd_config.d/ ``` Ensure all instances are set to: ```text PermitRootLogin prohibit-password ```

---

##### Forced “login as ubuntu” message Indicates the provider-injected restriction is still present. Re-run Step 1 and re-validate `/root/.ssh/authorized_keys`.

---

##### SSH key not accepted Ensure the key exists and permissions are correct: ```bash sudo cat /root/.ssh/authorized_keys ``` If missing: ```bash sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys sudo chmod 600 /root/.ssh/authorized_keys sudo chown root:root /root/.ssh/authorized_keys ```

---

##### Consolidated Execution Block ```bash # Remove provider-enforced root restriction sudo sed -e "s/echo;sleep 10;exit 142//g" -i /root/.ssh/authorized_keys # Enable root login via SSH key only sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config # Normalize any drop-in overrides sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null || true # Reload SSH daemon sudo systemctl reload sshd || sudo service ssh reload ```