1

I have a Linux server, where when I connect by PuTTY, I first need to log in using a non-root account (let's say user1), and then issue the command su root or su - root to log in to the root account. I cannot log in directly to the root account as such direct access is blocked for security reasons.

I would like to know how such a setup can be achieved in WinSCP, a GUI file manager for Unix/Linux servers. I have tried tunnelling to the same IP address but this does not work as I believe this attempts a "direct" login to the root account through the tunnel connection established using user1 account. Setting Shell to sudo su - also does not work.

How do I get WinSCP to emulate the su root or su - root indirect login as it can be done in PuTTY?

4
  • Maybe this page will help winscp.net/eng/docs/faq_su
    – masegaloeh
    Commented May 21, 2014 at 4:35
  • Tried it, not working or not sure if I'm doing it right.
    – ADTC
    Commented May 21, 2014 at 5:13
  • The FAQ suggested by @masegaloeh is your only option. So if it does not work, you need to share more details with us [error message, WinSCP log, server log, anything]. The best would be if you start a new specific question about your particular problem. Commented May 21, 2014 at 6:15
  • The first part of the FAQ solution does not work as I believe sudo -s or any variant of the Shell option that "works" simply kicks me back to the Login window (possibly because of required password entry). As for the second part, I cannot make changes to the sudoers file on the server as this would be a violation of our security protocols. So I guess I can't achieve this without making server-side changes?
    – ADTC
    Commented May 21, 2014 at 6:24

2 Answers

2

First, allow yourself to sudo su to root from the non-root user you will login as, by adding a line like:

username ALL=NOPASSWD: ALL

or (for better security):

username ALL=NOPASSWD: /bin/sftp-server

to the /etc/sudoers file.

Then, using WinSCP with the session file protocol set to SCP, go to Settings, choose Environment | SCP/Shell, and set the shell to sudo su -.

I know you already said you tried sudo su - but it will only work if you have also added the line to the sudoers file. I confirmed this on my server, which has no root login via SSH, and it worked just fine.

I was then able, using the GUI, to copy files that are 0600 (owned by root), and I was able to write to the root directory. Plus, if I opened a terminal window from WinSCP and ran id, it showed me as root.

This only worked with SCP as the file protocol. I could not get it to work with SFTP in WinSCP.

5
  • Not 100% sure, but wouldn't that allow anyone to connect using that shell, which might be problematic in case the root password is weak (or there's none at all)?
    – Mario
    Commented May 21, 2014 at 6:46
  • You have the solution, but it requires server-side changes (please see the comments on the question and the other answer). As I cannot make server-side changes that compromise security, I cannot utilize your answer. However, as you have taken the time to provide a detailed answer that may help someone else with the same problem who is allowed to make server-side changes to solve it, I will accept your answer. BTW, please improve your answer by changing it to username ALL=NOPASSWD: /bin/sftp-server for better security.
    – ADTC
    Commented May 21, 2014 at 6:47
  • Thanks. It seems that although you are able to sudo su to perform root actions, which 'may' include modifying the sudoers file to allow passwordless su to root, some external policy prevents you from doing that, so you are stuck. Thanks also for the security improvement suggestion.
    – sdjuan
    Commented May 21, 2014 at 17:02
  • @Mario it would allow only the specified user to connect using that shell/WinSCP session. I use a similar approach but force key-only authentication with a very strong password for the key, so that even if the key is stolen it is relatively safe (nothing is perfect).
    – sdjuan
    Commented May 21, 2014 at 17:09
  • A caveat to the security addition /bin/sftp-server: that path may be distribution-dependent. Our server is running Gentoo and does not use that. However, restricting to least privilege is always a good idea.
    – sdjuan
    Commented May 21, 2014 at 17:30
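An added example (not from the answers, the comments, or WinSCP's own documentation) for the least-privilege sudoers rule discussed above: instead of hard-coding /bin/sftp-server, which the last comment notes is distribution-dependent, it reads the sftp-server binary from the server's sshd_config and emits a rule that grants user1 passwordless root for that one binary only. It assumes WinSCP is used with the SFTP protocol and its SFTP server option pointed at sudo plus that binary, rather than the sudo su - shell; the sample sshd_config and the user name user1 are constructed.

```shell
#!/bin/sh
# Derive a least-privilege sudoers rule from the sshd_config of the server.
# Known default sftp-server locations differ per distribution, e.g.
# /usr/lib/openssh/sftp-server (Debian/Ubuntu) and
# /usr/libexec/openssh/sftp-server (RHEL/CentOS), so look it up.

# Print the sftp subsystem binary configured in the given sshd_config.
# Returns 1 and prints nothing when no external binary is configured
# (e.g. "internal-sftp", which runs inside sshd and cannot be run via sudo).
sftp_server_path() {
    path=$(awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" {print $3; exit}' "$1")
    case "$path" in
        /*) printf '%s\n' "$path" ;;
        *)  return 1 ;;
    esac
}

# Emit the sudoers rule for one user: only that binary, only as root,
# without a password. This is the narrow form of the answer's
# "username ALL=NOPASSWD: ALL", which would grant unrestricted root.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# --- constructed sample input (not a real server's config) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config" <<'EOF'
Port 22
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

if sftp=$(sftp_server_path "$tmpdir/sshd_config"); then
    sudoers_rule user1 "$sftp" > "$tmpdir/10-winscp-user1"
    cat "$tmpdir/10-winscp-user1"
    # Install the file as /etc/sudoers.d/10-winscp-user1 (owner root, mode 0440)
    # and validate its syntax first; visudo may not exist on the machine running this.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmpdir/10-winscp-user1" || echo "visudo rejected the rule" >&2
    fi
else
    echo "sshd uses internal-sftp; there is no external binary to allow" >&2
fi
```
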
0

Maybe not quite what you're after, but you could add the command you want to run (e.g. sudo su -) to your .bash_profile file so that it's executed as soon as you log in.

Mind you, automatically elevating yourself to root all the time kinda defeats the intention that making you think about it will stop you from doing something dangerous by accident - purists will tut.

2
  • No, I cannot make server changes to solve this. It has to be achieved through WinSCP configuration. Also, I understand the concern but in my case elevation to root is required. What I want to do is achieve it in WinSCP (I can already achieve it in PuTTY).
    – ADTC
    Commented May 21, 2014 at 6:15
  • @ADTC With a standard SSH setup you probably won't be able to su to root with WinSCP. You almost always need to do some setup on the server side. Again, see the FAQ in the comment on your question. Commented May 21, 2014 at 6:17
