Saturday, 23 November 2013

How to create a user to ssh to the server and then only have super user permission to switch to root user?

I don't want to ssh to my linux server as root user. So I have disabled the direct root login through ssh. I am using a less privileged user to ssh to the server. But I don't want to give him sudo privilege. The only privileged command this user (less privileged user) should be able to run is to switch to root user. How can I achieve this?

I'm using Amazon Linux (which is actually centos based) in my ec2 instance. It comes with 'ec2-user' which has no password and but has sudo privilege and uses ssh key for login. I want to use password login for other users (and don't want to use ssh key for them)[So I can't disable password login "PasswordAuthentication  no" field in sshd_config file]. But I also want to set password for 'ec2-user' as I don't want to use sudo command without password. I have used below setup to achieve this.


NOTE: While doing the below steps, please make sure that you have opened a terminal and logged in to the ec2 instance and became root. Never close this terminal or log out of root user. Do below steps by connecting to the ec2 instance using another terminal. If you have messed up any of the command, there is a chance that you will be locked out of your server permanently.  I hope you understand what you are doing and I won't be responsible if you have locked out of your server. These steps are intended for advanced users and also a note to myself.

1. Log in to the ec2 instance as 'ec2-user' using ssh key and became root by running "sudo -s" command which won't prompt for password.

2. Setup password for root user using "passwd" command. Verify this password by opening another terminal and ssh to ec2 instance as root user (without ssh key)

3. Disable direct root login through ssh by changing the below line in /etc/ssh/sshd_config file

PermitRootLogin yes

to

PermitRootLogin no

Restart sshd service using the below command

/etc/init.d/sshd restart

Now try again to login as root user using password and it won't work. So we have successfully disabled ssh root login

4. Set up password for 'ec2-user' using the command "passwd ec2-user" . Run this command as root user.

Now we have set up password for 'ec2-user' and 'root' user.  Verify the 'ec2-user' password by logging in to ec2 instance without ssh key in another terminal and it will prompt for ec2-user password.

5. Edit the below two files as root user and comment out below lines.

Open /etc/sudoers.d/cloud-init and comment out below line and save it

# ec2-user ALL=ALL:NOPASSWD ALL

Open /etc/sudoers file and comment out the same

# ec2-user ALL=ALL:NOPASSWD ALL

Then before saving the /etc/sudoers file, add below lines to make 'ec2-user' to give privilege to switch to root user

##Below two lines make sure that ec2-user is able to switch to root user
##but not able to run any other privileged commands
Cmnd_Alias SU=/bin/su
ec2-user ALL=SU

Save the file.

Then you can open another terminal and connect to the ec2 instance as ec2-user (without using ssh key). Then type below command to switch to root user.

su - root

Then give root user's password and you will become root.

If you try, sudo -s as ec2-user, it will show error message as 'ec2-user' is not allowed to run this command.

This will make sure that if somebody need to do any administrative task in the server, he need to have ec2-user password as well as root user password.

Hope it helps somebody.


No comments:

Post a Comment