# How to Enable Root Login on Your VM (BYOVM)
Elestio's BYOVM (Bring Your Own VM) feature requires **root SSH access** to your server.
Some cloud providers disable root login by default as a misguided security measure. This guide explains how to re-enable it and why it is safe to do so when SSH key authentication is in place.
---
## Why Elestio Requires Root Access
Elestio installs and manages software directly on your server. This includes:
- Writing files to `/root/` and system directories
- Installing packages and system services
- Configuring networking and firewalls
- Running privileged operations during deployment
Non-root users — even those with `sudo` — are not sufficient because:
- `sudo` availability varies between distributions and providers
- Many configuration paths are hardcoded to `/root/`
- Privilege escalation adds unnecessary complexity and failure points
---
## Is Enabling Root Login a Security Risk?
**No — as long as password authentication is disabled.**
Elestio keeps password login **disabled at all times** and uses **SSH key authentication exclusively**. This means:
- No password can ever be used to log in as root, even if root login is enabled
- Only someone who holds the correct private SSH key can connect
- Password brute-force and credential-stuffing attacks are completely ineffective, because there is no password login to attack
Blocking root while still allowing key-based SSH login on another user provides no meaningful security benefit — an attacker who compromises a sudoer account can simply `sudo su` to root anyway. The real protection is the SSH key, not the username.
---
## Step 1 — Remove the Provider's Root Block in `authorized_keys`
Some providers (notably AWS EC2, Google Cloud, and others) inject a command at the start of the root `authorized_keys` file that immediately terminates any root SSH session:
```
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142"
```
Run this command **as a non-root sudoer** (e.g. `ubuntu`, `ec2-user`) to strip it out:
```bash
# Delete everything up to and including the forced command, leaving only the key
sudo sed -E -i 's/^.*exit 142" +//' /root/.ssh/authorized_keys
```
Then verify the file looks clean:
```bash
sudo cat /root/.ssh/authorized_keys
```
It should now contain only the plain public key lines, with no `command="..."` prefix.
---
## Step 2 — Allow Root Login in `sshd_config`
Check the current SSH daemon configuration:
```bash
sudo grep -i "PermitRootLogin" /etc/ssh/sshd_config
```
If it shows `PermitRootLogin no` or `PermitRootLogin forced-commands-only`, change it to:
```bash
sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
```
`prohibit-password` (also written as `without-password` on older systems) means:
- Root login via SSH key → **allowed** ✓
- Root login via password → **blocked** ✓
This is the safest setting and what Elestio requires.
---
## Step 3 — Reload the SSH Daemon
Apply the change without dropping your current session:
```bash
sudo systemctl reload sshd || sudo service ssh reload
```
---
## Step 4 — Test Root Access
From your local machine, test that root login now works with your SSH key:
```bash
ssh -i /path/to/your/key root@YOUR_SERVER_IP
```
You should get a root shell. If it still fails, see the troubleshooting section below.
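
The following script is an added example, not part of Elestio's tooling: it checks the server-side result of Steps 1 to 3 by reading the effective configuration from `sshd -T` (which already accounts for drop-in files) and by counting `authorized_keys` lines that still carry an options prefix. The function names and the `--live` switch are assumptions of this example, and the sample key lines are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Elestio tooling: checks the result of Steps 1-3.

# Print the effective value of one directive from `sshd -T` output on stdin.
effective_value() {
  awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# Succeed only if root may log in with a key but never with a password.
# $1 = text of `sshd -T`; it may report prohibit-password under either name.
root_is_key_only() {
  case "$(printf '%s\n' "$1" | effective_value permitrootlogin)" in
    prohibit-password|without-password) return 0 ;;
    *) return 1 ;;  # yes, no or forced-commands-only
  esac
}

# Succeed only if password login is off for every account, not just root.
password_auth_off() {
  [ "$(printf '%s\n' "$1" | effective_value passwordauthentication)" = "no" ]
}

# Count key lines on stdin that still begin with an options prefix
# (command="...", no-port-forwarding, ...) instead of the key type.
count_restricted_keys() {
  grep -Ev '^[[:space:]]*(#|$)' |
    grep -Evc '^[[:space:]]*(ssh-|ecdsa-sha2-|sk-)' || true
}

# Constructed sample: one line with the provider block, one plain key line.
sample_keys() {
  cat <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-ed25519 AAAAC3CONSTRUCTEDEXAMPLEKEY blocked@example
ssh-ed25519 AAAAC3CONSTRUCTEDEXAMPLEKEY plain@example
EOF
}

# Live audit, run on the server as a sudoer: bash audit.sh --live
audit_live() {
  local cfg n
  sudo sshd -t || return 1   # stop if the configuration has syntax errors
  cfg=$(sudo sshd -T) || return 1
  root_is_key_only "$cfg" || { echo "PermitRootLogin is not key-only"; return 1; }
  password_auth_off "$cfg" || echo "warning: PasswordAuthentication is enabled"
  n=$(sudo cat /root/.ssh/authorized_keys | count_restricted_keys)
  [ "$n" -eq 0 ] || { echo "$n key line(s) still carry an options prefix"; return 1; }
  echo "root SSH login: key-only, no forced command"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run without arguments it only defines the functions; `sample_keys | count_restricted_keys` shows how a line that still has the provider block is counted.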
---
## Provider-Specific Notes
| Provider | Default root status | Non-root user |
|---|---|---|
| AWS EC2 (Ubuntu) | Blocked via `authorized_keys` | `ubuntu` |
| AWS EC2 (Amazon Linux) | Blocked via `authorized_keys` | `ec2-user` |
| Google Cloud | Blocked via `authorized_keys` | varies |
| DigitalOcean | Root enabled by default | — |
| Hetzner | Root enabled by default | — |
| Azure | Blocked via `sshd_config` | `azureuser` |
| Vultr | Root enabled by default | — |
| Linode / Akamai | Root enabled by default | — |
For **AWS EC2** and **Google Cloud**, Step 1 (the `authorized_keys` fix) is almost always required in addition to Step 2.
---
## Troubleshooting
**Still getting `Permission denied` after the steps above?**
Check if there is a drop-in sshd config file overriding the main one:
```bash
sudo grep -r "PermitRootLogin" /etc/ssh/sshd_config.d/
```
If found, edit the relevant file and set it to `prohibit-password`.
**Getting `Please login as user "ubuntu"` message and then disconnected?**
The `authorized_keys` block is still present. Repeat Step 1 and verify the file contents again.
**SSH key not accepted for root?**
Make sure your public key is present in `/root/.ssh/authorized_keys`:
```bash
sudo cat /root/.ssh/authorized_keys
```
If it is missing, copy it from the non-root user:
```bash
sudo mkdir -p -m 700 /root/.ssh   # create the directory if the image ships without it
sudo cp ~/.ssh/authorized_keys /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys
sudo chown root:root /root/.ssh/authorized_keys
```
---
## Quick Reference — All Steps in One Block
```bash
# 1. Remove provider root block from authorized_keys
sudo sed -E -i 's/^.*exit 142" +//' /root/.ssh/authorized_keys
# 2. Allow root login via SSH key
sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
# 3. Fix any drop-in overrides (if present)
sudo sed -i 's/^.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null || true
# 4. Reload SSH daemon
sudo systemctl reload sshd || sudo service ssh reload
```
Once root SSH access is confirmed, you can proceed with connecting your VM to Elestio at:
**https://dash.elest.io/vm/byovm**