SSH Root Access on Managed Servers
For security, SSH root login on Jolt Managed servers (cPanel and Plesk) is configured with PermitRootLogin prohibit-password. This means the root account can only log in using an SSH public key — root login with a password is refused, even if the password is correct.
Customer-level SSH accounts (cPanel users, Plesk subscriptions) are unaffected by this policy and continue to support password and key authentication as configured in the control panel.
This article explains how to generate a key pair, install the public key so it grants root access, and what to do if you lock yourself out.
1. Generating an SSH key pair
You need a key pair: a private key that stays on your computer, and a public key that gets uploaded to the server. Never share the private key.
ed25519 (recommended)
On macOS or Linux
Open Terminal and run:
ssh-keygen -t ed25519 -C "your-email@example.com"
Press Enter to accept the default location (~/.ssh/id_ed25519). You’ll be prompted for a passphrase — set a strong one; it protects the key if your laptop is lost.
This produces two files:
- ~/.ssh/id_ed25519 — private key (keep secret)
- ~/.ssh/id_ed25519.pub — public key (this is what you upload)
Show the public key with:
cat ~/.ssh/id_ed25519.pub
Copy the entire single line, starting with ssh-ed25519.
On Windows
Option A — Built-in OpenSSH (Windows 10/11): open PowerShell and run the same ssh-keygen -t ed25519 -C "..." command. Files are saved to C:\Users\<you>\.ssh\. Display the public key with type $env:USERPROFILE\.ssh\id_ed25519.pub.
Option B — PuTTYgen: download PuTTY, open PuTTYgen, choose EdDSA / Ed25519, click Generate, set a passphrase, then Save private key (.ppk, for use with PuTTY) and copy the public key shown in the upper text box. That text — the OpenSSH-format line at the top of the PuTTYgen window — is what you paste into cPanel/Plesk, not the contents of the saved .pub file, which uses a different format.
RSA 4096 (alternative)
If you’re using older tooling that doesn’t support ed25519 — for example a legacy backup script, an old version of PuTTY, or certain enterprise SSO/key-management systems — generate an RSA key instead.
macOS / Linux / Windows OpenSSH:
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
Default file locations:
- ~/.ssh/id_rsa — private key
- ~/.ssh/id_rsa.pub — public key
Display the public key with cat ~/.ssh/id_rsa.pub (or type %USERPROFILE%\.ssh\id_rsa.pub on Windows).
PuTTYgen: select RSA, set the key size to 4096 in the bits field at the bottom, then Generate. Save the private key as .ppk and copy the OpenSSH-format public key from the top text box (same as the ed25519 flow).
Which should I choose?
| | ed25519 | RSA 4096 |
|---|---|---|
| Security | Strong | Strong |
| Key length | ~80 chars | ~720 chars |
| Speed | Fast | Slower |
| Compatibility | OpenSSH 6.5+ (2014) and PuTTY 0.68+ (2017) | Universal |
| Recommendation | Default choice | Use only if ed25519 isn’t supported by your tooling |
Both are accepted by cPanel WHM and Plesk. Don’t generate RSA below 3072 bits and don’t use DSA or ECDSA-nistp256 — these are either weak or have known issues and may be rejected by the server’s SSH configuration.
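A pre-flight check for the line you are about to paste, added here as an example (not Jolt's, cPanel's or Plesk's code): it decodes the OpenSSH public-key line and applies the rules above, including catching a private key or a multi-line PuTTY export. The function and sample names are hypothetical, and the sample keys are constructed placeholders.

```python
import base64

MIN_RSA_BITS = 3072                            # floor stated in this article
REFUSED = {"ssh-dss", "ecdsa-sha2-nistp256"}   # types this article says not to use

def _read_string(blob, pos):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key data")
    return blob[pos + 4:end], end

def check_public_key(text):
    """Return (ok, reason) for text about to be pasted into WHM, Plesk or a ticket."""
    text = text.strip()
    if "PRIVATE KEY" in text:
        return False, "private key: never upload or send this"
    fields = text.split()
    if "\n" in text or len(fields) < 2:
        return False, "not a single OpenSSH-format line"
    key_type, b64 = fields[0], fields[1]
    if key_type in REFUSED:
        return False, f"{key_type} is not accepted"
    try:
        blob = base64.b64decode(b64, validate=True)
        inner, pos = _read_string(blob, 0)
        if inner != key_type.encode():
            return False, "key type does not match encoded data"
        if key_type == "ssh-ed25519":
            point, pos = _read_string(blob, pos)
            ok = len(point) == 32 and pos == len(blob)
            return ok, "ed25519" if ok else "malformed ed25519 key"
        if key_type == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, pos = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            return bits >= MIN_RSA_BITS, f"RSA {bits} bits"
    except ValueError:  # bad base64 or a blob cut short by a partial copy
        return False, "key data is damaged (partial copy?)"
    return False, f"unsupported key type {key_type}"

def _line(key_type, *parts):
    """Build a constructed sample line (placeholder bytes, not a real key)."""
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(raw).decode()} laptop-2026"

SAMPLE_ED25519 = _line("ssh-ed25519", bytes(range(32)))
SAMPLE_RSA_2048 = _line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)
SAMPLE_RSA_4096 = _line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 512)
```

Pass it the output of cat ~/.ssh/id_ed25519.pub, for example, and paste the key only when the first element of the result is True.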
2. Installing the public key for root access
The public key must be placed in /root/.ssh/authorized_keys on the server. The control panels expose this through their UIs.
cPanel / WHM
- Log in to WHM as root (or contact support — see below).
- Go to Home → Security Center → Manage root’s SSH Keys.
- Click Import Key.
- Give the key a name (e.g. laptop-2026).
- Leave the private key field blank.
- Paste the public key (the ssh-ed25519 AAAA… or ssh-rsa AAAA… line) into the public key box.
- Click Import.
- Back on Manage root’s SSH Keys, click Manage Authorization next to the imported key, then Authorize. The key is now active.
Plesk
- Log in to Plesk as the admin (or contact support).
- Go to Tools & Settings → SSH Keys Manager (under “Security”). On older Plesk versions this may appear as Server Management → SSH Keys.
- Click Add Key.
- Paste the public key into the field.
- Save.
If your Plesk version doesn’t expose an SSH Keys manager for the admin user, support can install the key directly into /root/.ssh/authorized_keys for you.
3. Testing the key
From your local machine:
ssh -p <port> root@<server-hostname>
You should be prompted for the key passphrase (not the server’s root password) and then logged in. If it asks for a password, the key isn’t being offered — check that the private key is in ~/.ssh/ and that file permissions are 600.
For PuTTY users: load the .ppk file under Connection → SSH → Auth → Credentials.
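The two client-side checks named above (key present in ~/.ssh/, permissions 600) as a script, added here as an example rather than a Jolt tool. It assumes a POSIX client and the default file names from section 1; the function names are hypothetical and the demo runs on a constructed directory with a placeholder key file.

```python
import os
import stat
import tempfile

DEFAULT_NAMES = ("id_ed25519", "id_rsa")   # the file names this article generates


def diagnose_ssh_dir(ssh_dir):
    """List reasons the OpenSSH client would not offer a key from ssh_dir (POSIX only)."""
    problems, found = [], False
    for name in DEFAULT_NAMES:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        found = True
        with open(path, "rb") as fh:
            head = fh.read(64)
        if b"PRIVATE KEY-----" not in head:
            problems.append(f"{name}: not an OpenSSH private key (public key or .ppk?)")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:   # any group/other bit set: the client ignores the key
            problems.append(f"{name}: mode {mode:03o} too open, run: chmod 600 {name}")
    if not found:
        problems.append("no id_ed25519 or id_rsa here; pass the key with ssh -i <path>")
    return problems


def demo():
    """Run the check on a constructed directory holding a placeholder key file."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_ed25519")
        with open(key, "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
        os.chmod(key, 0o644)
        before = diagnose_ssh_dir(d)   # key readable by group and others
        os.chmod(key, 0o600)
        after = diagnose_ssh_dir(d)    # key readable by the owner only
    return before, after
```

On a real client, call diagnose_ssh_dir(os.path.expanduser("~/.ssh")); an empty list means the key file itself is not the reason for the password prompt.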
4. Locked out? Contact support
If you can’t access WHM/Plesk to install the key, or you’ve removed your only working key by mistake, don’t panic. Open a support ticket and:
- Include the server hostname.
- Attach or paste the public key (ssh-ed25519 AAAA… or ssh-rsa AAAA… line) you want installed.
- Confirm you’re authorised on the account.
Our team will install the key into /root/.ssh/authorized_keys and confirm once it’s active. We will never ask you for your private key — only the public one.
Summary
Step 1: Generate a key pair locally (ssh-keygen -t ed25519, or -t rsa -b 4096 for legacy tooling)
Step 2: Keep the private key safe; copy the public key
Step 3: Install the public key via WHM Manage root’s SSH Keys or Plesk SSH Keys Manager
Step 4: Test with ssh -p <port> root@<server>
Step 5: If locked out, contact Jolt support with your public key
Password-based root SSH is disabled by policy and will not be re-enabled. Customer SSH accounts inside cPanel/Plesk are not affected by this and continue to work as normal.