Pass-through account login through WinSCP

I have a Linux server, where when I connect by PuTTY, I first need to log in using a non-root account (let's say user1), and then issue the command su root or su - root to log in to the root account. I cannot log in directly to the root account as such direct access is blocked for security reasons.

I would like to know how such a setup can be achieved in WinSCP, a GUI file manager for Unix/Linux servers. I have tried tunnelling to the same IP address but this does not work as I believe this attempts a "direct" login to the root account through the tunnel connection established using user1 account. Setting Shell to sudo su - also does not work.

How do I get WinSCP to emulate the su root or su - root indirect login as it can be done in PuTTY?

ADTC

Posted 2014-05-21T04:02:36.620

Reputation: 2 649

Question was closed 2014-05-22T00:17:00.513

Maybe this page will help http://winscp.net/eng/docs/faq_su

– masegaloeh – 2014-05-21T04:35:09.053

Tried it, not working or not sure if I'm doing it right. – ADTC – 2014-05-21T05:13:37.487

The FAQ suggested by @masegaloeh is your only option. So if it does not work, you need to share more details with us [error message, WinSCP log, server log, anything]. The best would be if you start a new specific question about your particular problem. – Martin Prikryl – 2014-05-21T06:15:30.980

The first part of the FAQ solution does not work as I believe sudo -s or any variant of the Shell option that "works" simply kicks me back to the Login window (possibly because of required password entry). As for the second part, I cannot make changes to the sudoers file on the server as this would be a violation of our security protocols. So I guess I can't achieve this without making server-side changes? – ADTC – 2014-05-21T06:24:32.587

Answers

2

First, allow yourself to sudo su to root from the non-root user you will log in as, by adding a line like:

username ALL=NOPASSWD: ALL

or (for better security):

username ALL=NOPASSWD: /bin/sftp-server

to the /etc/sudoers file.

Then, using WinSCP with the session file protocol set to SCP, go to Settings, choose Environment | SCP/Shell and set the shell to sudo su -.

I know you already said you tried sudo su - but it will only work if you have also added the line to the sudoers file. I confirmed this on my server, which has no root login via SSH, and it worked just fine.

I was then able, using the GUI, to copy files that are mode 0600 (owned by root), and I was able to write to the root directory. Plus, if I opened a terminal window from WinSCP and ran id, it showed me as root.

This only worked with SCP as the file protocol. I could not get it to work with SFTP in WinSCP.

sdjuan

Posted 2014-05-21T04:02:36.620

Reputation: 271

Not 100% sure, but wouldn't that allow anyone to connect using that shell, which might be problematic in case the root password is weak (or there's none at all)? – Mario – 2014-05-21T06:46:16.443

You have the solution, but it requires server-side changes (please see comments on the question and the other answer). As I cannot make server-side changes compromising security, I cannot utilize your answer. However, as you have taken time to provide a detailed answer that may help someone else with the same problem and is allowed to do server-side changes to solve it, I will accept your answer. BTW, please improve your answer by changing it to username ALL=NOPASSWD: /bin/sftp-server for better security. – ADTC – 2014-05-21T06:47:37.843

Thanks. It seems that although you are able to sudo su to perform root actions, which 'may' include modifying the sudoers file to allow passwordless su to root, some external policy prevents you from doing that, so you are stuck. Thanks also for the improvement in security suggestion. – sdjuan – 2014-05-21T17:02:17.667

@Mario It would allow only the user specified to connect using that shell/WinSCP session. I use a similar approach but force key-only authentication with a very strong password for the key, so that even if the key is stolen it is relatively safe (nothing is perfect). – sdjuan – 2014-05-21T17:09:44.823

Caveat to the security addition: /bin/sftp-server may be distribution dependent. Our server is running Gentoo and does not use that. However, restricting to least privilege is always a good idea. – sdjuan – 2014-05-21T17:30:19.410
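An added example, not code from this thread or from WinSCP: a small Python audit script that parses the subset of the sudoers grammar used in the answer above (User_Spec lines with optional run-as, tags and a command list) and rates each rule, so the NOPASSWD: ALL line, the restricted /bin/sftp-server variant, and the least-privilege point raised in the comments can be compared side by side. The sample sudoers text is constructed, and the list of binaries treated as shell escapes is an assumption (common interactive programs that hand the caller a shell), not an exhaustive one.

```python
"""Rate sudoers User_Spec rules for passwordless root-shell exposure.

Added example for the WinSCP "sudo su -" thread; the sample rules below are
constructed and the SHELL_ESCAPES list is an assumption, not a full catalogue.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# sudoers Tag_Spec keywords that may precede a command (each followed by ':').
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# Assumed set of programs that give the invoker an interactive shell or
# arbitrary command execution as the run-as user; granting one of these
# is treated as equivalent to granting ALL.
SHELL_ESCAPES = {"su", "sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh",
                 "env", "sudo", "find", "vi", "vim", "less", "more", "man",
                 "awk", "perl", "python", "python3"}

# user host=(runas_user:runas_group) [TAG: ...] cmd[, cmd]
_LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<rest>.+)$")

SKIP_KEYWORDS = ("Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas_users: tuple[str, ...]   # ("root",) when no Runas_Spec is given
    tags: frozenset[str]
    commands: tuple[str, ...]      # each command as written, e.g. "/bin/su -"


def parse_rule(line: str) -> Rule | None:
    """Parse one User_Spec line; return None for blanks, comments, Defaults
    and alias definitions (outside this subset). Line continuations and
    commas inside command arguments are not handled."""
    text = re.sub(r"\s#.*$", "", line).strip()
    if not text or text.startswith("#") or text.split()[0] in SKIP_KEYWORDS:
        return None
    m = _LINE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised sudoers line: {line!r}")
    runas = m.group("runas")
    if runas is None:
        runas_users: tuple[str, ...] = ("root",)   # sudoers default
    else:
        users = [u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
        runas_users = tuple(users) or ("<invoking user>",)  # "(:group)" form
    rest = m.group("rest")
    tags: set[str] = set()
    while True:                      # peel leading "TAG:" prefixes
        head, sep, tail = rest.partition(":")
        if sep and head.strip() in TAGS:
            tags.add(head.strip())
            rest = tail.strip()
        else:
            break
    commands = tuple(c.strip() for c in rest.split(",") if c.strip())
    return Rule(m.group("user"), m.group("host"), runas_users,
                frozenset(tags), commands)


def grants_root_shell(rule: Rule) -> bool:
    """True if the rule can yield arbitrary code execution as root."""
    if not any(u in ("root", "ALL") for u in rule.runas_users):
        return False
    for cmd in rule.commands:
        if cmd == "ALL":
            return True
        prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the binary
        if prog in SHELL_ESCAPES:
            return True
    return False


def assess(rule: Rule) -> str:
    shell, nopw = grants_root_shell(rule), "NOPASSWD" in rule.tags
    if shell and nopw:
        return "CRITICAL: passwordless root shell"
    if shell:
        return "HIGH: root shell, password required"
    if nopw:
        return "MEDIUM: passwordless, restricted to listed commands"
    return "LOW: restricted, password required"


def audit(sudoers_text: str) -> list[tuple[str, str]]:
    """Return (rule line, rating) for every User_Spec in the text."""
    out = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            out.append((line.strip(), assess(rule)))
    return out


# Constructed sample, not taken from any real server.
SAMPLE_SUDOERS = """\
# constructed test fragment
Defaults    env_reset
user1 ALL=NOPASSWD: ALL
user1 ALL=NOPASSWD: /bin/sftp-server
user2 ALL=(ALL) /usr/bin/su -
%wheel ALL=(ALL:ALL) ALL
ops ALL=(ALL) NOPASSWD: /usr/lib/openssh/sftp-server, /usr/bin/id
"""

if __name__ == "__main__":
    for line, rating in audit(SAMPLE_SUDOERS):
        print(f"{rating:<55} {line}")
```

This is a reviewer's aid for comparing candidate rules before they go on a server; it does not replace visudo -cf on the finished file, which is the authoritative syntax check, and the rating only reflects the listed binaries, so a command not in SHELL_ESCAPES is "restricted" here even if it has an escape the list does not know about.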

0

Maybe not quite what you're after, but you could add the command you want to run (e.g. sudo su -) to your .bash_profile file so that it's executed as soon as you log in.

Mind you, automatically elevating yourself to root all the time kinda defeats the intention that making you think about it will stop you from doing something dangerous by accident - purists will tut.

Linker3000

Posted 2014-05-21T04:02:36.620

Reputation: 25 670

No, I cannot make server changes to solve this. It has to be achieved through WinSCP configuration. Also, I understand the concern but in my case elevation to root is required. What I want to do is achieve it in WinSCP (I can already achieve it in PuTTY). – ADTC – 2014-05-21T06:15:44.370

@ADTC With standard SSH setup you probably won't be able to su to root with WinSCP. You almost always need to do some setup on the server side. Again, see the FAQ in comment to your question. – Martin Prikryl – 2014-05-21T06:17:38.047