{"id":1237,"date":"2026-05-07T09:55:28","date_gmt":"2026-05-07T09:55:28","guid":{"rendered":"https:\/\/www.jolt.co.uk\/help\/ssh-root-access-on-managed-servers\/"},"modified":"2026-05-07T10:17:44","modified_gmt":"2026-05-07T10:17:44","slug":"ssh-root-access-on-managed-servers","status":"publish","type":"post","link":"https:\/\/www.jolt.co.uk\/help\/ssh-root-access-on-managed-servers\/","title":{"rendered":"SSH Root Access on Managed Servers"},"content":{"rendered":"\n<p>For security, SSH root login on Jolt Managed servers (cPanel and Plesk) is configured with <code>PermitRootLogin prohibit-password<\/code>. This means <strong>the root account can only log in using an SSH public key<\/strong> \u2014  root login with a password is refused, even if the password is correct.<\/p>\n\n\n\n<p>Customer-level SSH accounts (cPanel users, Plesk subscriptions) are unaffected by this policy and continue to support password and key authentication as configured in the control panel.<\/p>\n\n\n\n<p>This article explains how to generate a key pair, install the public key so it grants root access, and what to do if you lock yourself out.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">1. Generating an SSH key pair<\/h2>\n\n\n\n<p>You need a <strong>key pair<\/strong>: a <em>private key<\/em> that stays on your computer, and a <em>public key<\/em> that gets uploaded to the server. Never share the private key.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ed25519 (recommended)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">On macOS or Linux<\/h4>\n\n\n\n<p>Open Terminal and run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t ed25519 -C \"your-email@example.com\"\n<\/code><\/pre>\n\n\n\n<p>Press Enter to accept the default location (<code>~\/.ssh\/id_ed25519<\/code>). You&#8217;ll be prompted for a passphrase \u2014 set a strong one; it protects the key if your laptop is lost.<\/p>\n\n\n\n<p>This produces two files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>~\/.ssh\/id_ed25519<\/code>\u00a0\u2014\u00a0<strong>private key<\/strong>\u00a0(keep secret)<\/li>\n\n\n\n<li><code>~\/.ssh\/id_ed25519.pub<\/code>\u00a0\u2014\u00a0<strong>public key<\/strong>\u00a0(this is what you upload)<\/li>\n<\/ul>\n\n\n\n<p>Show the public key with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat ~\/.ssh\/id_ed25519.pub\n<\/code><\/pre>\n\n\n\n<p>Copy the entire single line, starting with <code>ssh-ed25519<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">On Windows<\/h4>\n\n\n\n<p><strong>Option A \u2014 Built-in OpenSSH (Windows 10\/11):<\/strong> open PowerShell and run the same <code>ssh-keygen -t ed25519 -C \"...\"<\/code> command. Files are saved to <code>C:\\Users\\&lt;you&gt;\\.ssh\\<\/code>. Display the public key with <code>type $env:USERPROFILE\\.ssh\\id_ed25519.pub<\/code>.<\/p>\n\n\n\n<p><strong>Option B \u2014 PuTTYgen:<\/strong> download PuTTY, open PuTTYgen, choose <strong>EdDSA \/ Ed25519<\/strong>, click <strong>Generate<\/strong>, set a passphrase, then <strong>Save private key<\/strong> (<code>.ppk<\/code>, for use with PuTTY) and copy the public key shown in the upper text box. That text \u2014 the OpenSSH-format line at the top of the PuTTYgen window \u2014 is what you paste into cPanel\/Plesk, <strong>not<\/strong> the contents of the saved <code>.pub<\/code> file, which uses a different format.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">RSA 4096 (alternative)<\/h3>\n\n\n\n<p>If you&#8217;re using older tooling that doesn&#8217;t support ed25519 \u2014 for example a legacy backup script, an old version of PuTTY, or certain enterprise SSO\/key-management systems \u2014 generate an RSA key instead.<\/p>\n\n\n\n<p><strong>macOS \/ Linux \/ Windows OpenSSH:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t rsa -b 4096 -C \"your-email@example.com\"\n<\/code><\/pre>\n\n\n\n<p>Default file locations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>~\/.ssh\/id_rsa<\/code>\u00a0\u2014\u00a0<strong>private key<\/strong><\/li>\n\n\n\n<li><code>~\/.ssh\/id_rsa.pub<\/code>\u00a0\u2014\u00a0<strong>public key<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Display the public key with <code>cat ~\/.ssh\/id_rsa.pub<\/code> (or <code>type %USERPROFILE%\\.ssh\\id_rsa.pub<\/code> on Windows).<\/p>\n\n\n\n<p><strong><a href=\"https:\/\/puttygen.com\/#Download_PuTTYgen_on_Windows\">PuTTYgen<\/a>:<\/strong> select <strong>RSA<\/strong>, set the key size to <strong>4096<\/strong> in the bits field at the bottom, then <strong>Generate<\/strong>. Save the private key as <code>.ppk<\/code> and copy the OpenSSH-format public key from the top text box (same as the ed25519 flow).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Which should I choose?<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><\/th><th>ed25519<\/th><th>RSA 4096<\/th><\/tr><\/thead><tbody><tr><td>Security<\/td><td>Strong<\/td><td>Strong<\/td><\/tr><tr><td>Key length<\/td><td>~80 chars<\/td><td>~720 chars<\/td><\/tr><tr><td>Speed<\/td><td>Fast<\/td><td>Slower<\/td><\/tr><tr><td>Compatibility<\/td><td>OpenSSH 6.5+ (2014) and PuTTY 0.68+ (2017)<\/td><td>Universal<\/td><\/tr><tr><td>Recommendation<\/td><td><strong>Default choice<\/strong><\/td><td>Use only if ed25519 isn&#8217;t supported by your tooling<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Both are accepted by cPanel WHM and Plesk. Don&#8217;t generate <strong>RSA below 3072 bits<\/strong> and don&#8217;t use <strong>DSA<\/strong> or <strong>ECDSA-nistp256<\/strong> \u2014 these are either weak or have known issues and may be rejected by the server&#8217;s SSH configuration.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Installing the public key for root access<\/h2>\n\n\n\n<p>The public key must be placed in <code>\/root\/.ssh\/authorized_keys<\/code> on the server. The control panels expose this through their UIs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">cPanel \/ WHM<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to\u00a0<strong>WHM<\/strong>\u00a0as root (or contact support \u2014 see below).<\/li>\n\n\n\n<li>Go to\u00a0<strong>Home \u2192 Security Center \u2192 Manage root&#8217;s SSH Keys<\/strong>.<\/li>\n\n\n\n<li>Click\u00a0<strong>Import Key<\/strong>.<\/li>\n\n\n\n<li>Give the key a name (e.g.\u00a0<code>laptop-2026<\/code>).<\/li>\n\n\n\n<li>Leave the\u00a0<strong>private key<\/strong>\u00a0field blank.<\/li>\n\n\n\n<li>Paste the\u00a0<strong>public key<\/strong>\u00a0(the\u00a0<code>ssh-ed25519 AAAA\u2026<\/code>\u00a0or\u00a0<code>ssh-rsa AAAA\u2026<\/code>\u00a0line) into the public key box.<\/li>\n\n\n\n<li>Click\u00a0<strong>Import<\/strong>.<\/li>\n\n\n\n<li>Back on\u00a0<strong>Manage root&#8217;s SSH Keys<\/strong>, click\u00a0<strong>Manage Authorization<\/strong>\u00a0next to the imported key, then\u00a0<strong>Authorize<\/strong>. The key is now active.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Plesk<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to Plesk as the admin (or contact support).<\/li>\n\n\n\n<li>Go to\u00a0<strong>Tools &amp; Settings \u2192 SSH Keys Manager<\/strong>\u00a0(under &#8220;Security&#8221;). On older Plesk versions this may appear as\u00a0<strong>Server Management \u2192 SSH Keys<\/strong>.<\/li>\n\n\n\n<li>Click\u00a0<strong>Add Key<\/strong>.<\/li>\n\n\n\n<li>Paste the\u00a0<strong>public key<\/strong>\u00a0into the field.<\/li>\n\n\n\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p>If your Plesk version doesn&#8217;t expose an SSH Keys manager for the admin user, support can install the key directly into <code>\/root\/.ssh\/authorized_keys<\/code> for you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Testing the key<\/h2>\n\n\n\n<p>From your local machine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -p &lt;port&gt; root@&lt;server-hostname&gt;\n<\/code><\/pre>\n\n\n\n<p>You should be prompted for the <strong>key passphrase<\/strong> (not the server&#8217;s root password) and then logged in. If it asks for a password, the key isn&#8217;t being offered \u2014 check that the private key is in <code>~\/.ssh\/<\/code> and that file permissions are <code>600<\/code>.<\/p>\n\n\n\n<p>For <strong><a href=\"https:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/latest.html\">PuTTY<\/a><\/strong> users: load the <code>.ppk<\/code> file under <strong>Connection \u2192 SSH \u2192 Auth \u2192 Credentials<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Locked out? Contact support<\/h2>\n\n\n\n<p>If you can&#8217;t access WHM\/Plesk to install the key, or you&#8217;ve removed your only working key by mistake, <strong>don&#8217;t panic<\/strong>. Open a support ticket and:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Include the server hostname.<\/li>\n\n\n\n<li>Attach or paste the\u00a0<strong>public key<\/strong>\u00a0(<code>ssh-ed25519 AAAA\u2026<\/code>\u00a0or\u00a0<code>ssh-rsa AAAA\u2026<\/code>\u00a0line) you want installed.<\/li>\n\n\n\n<li>Confirm you&#8217;re authorised on the account.<\/li>\n<\/ol>\n\n\n\n<p>Our team will install the key into <code>\/root\/.ssh\/authorized_keys<\/code> and confirm once it&#8217;s active. We will never ask you for your private key \u2014 only the public one.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>Step 1: Generate a key pair locally (ssh-keygen -t ed25519, or -t rsa -b 4096 for legacy tooling)<br>Step 2: Keep the private key safe; copy the public key<br>Step 3: Install the public key via WHM\u00a0<strong>Manage root&#8217;s SSH Keys<\/strong>\u00a0or Plesk\u00a0<strong>SSH Keys Manager<\/strong><br>Step 4: Test with\u00a0<code>ssh -p &lt;port> root@&lt;server><\/code><br>Step 5: If locked out, contact Jolt support with your public key<\/p>\n\n\n\n<p>Password-based root SSH is disabled by policy and will not be re-enabled. Customer SSH accounts inside cPanel\/Plesk are not affected by this and continue to work as normal.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>For security, SSH root login on Jolt Managed servers (cPanel and Plesk) is configured with PermitRootLogin prohibit-password. This means the root account can only log in using an SSH public key \u2014 root login with a password is refused, even if the password is correct. Customer-level SSH accounts (cPanel users,&hellip;<\/p>\n","protected":false},"author":13,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,8],"tags":[],"class_list":["post-1237","post","type-post","status-publish","format-standard","hentry","category-access","category-security"],"_links":{"self":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/comments?post=1237"}],"version-history":[{"count":3,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1237\/revisions"}],"predecessor-version":[{"id":1240,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/posts\/1237\/revisions\/1240"}],"wp:attachment":[{"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/media?parent=1237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/categories?post=1237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jolt.co.uk\/help\/wp-json\/wp\/v2\/tags?post=1237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}