Mdthbs

I want to be able to use SFTP to edit files that require root permissions.

I'm using SSH Key based authentication - rsa key on smart card.

If the system requires sudo to perform root level commands, How do I get around this?

Can I create a way of bypassing sudo for SFTP only?

Is there a way to keep sudo & key authentication.

I'm using windows to connect to Ubuntu. I need this to work with Mac connecting to Ubuntu as well.

I understand how to do SSH Tunneling to admin the system services. Currently, I use root user login directly, but password login is disabled. I didn't understand how to use sudo and SFTP at same time. It seems to be a best practice to require login as a non-root user and then require use of sudo since the logs will record who was given escalated privileges for each command.

Should I concern myself with this when using Key based authentication or is this a trivial difference in security/logging? It seems like Key based authentication records user's serial number in the logs, and you can have multiple keys for the root user to identify each user. This seems to be the same effect as using sudo to me. Am I wrong?

SFTP is a command access to file operations, with the restrictions from the account you use. You must use ssh for make more administrative operations, making impossible use sudo and SFTP at same time. If you need access to the entire disk without restriction using SFTP, do it using the root account. Anyway you can make a login with root on sftp and ssh at same time, of course, using two different sessions.

The security keys improve the security and make more easy the logging, not requiring keyboard input. Only helps to make login, you can had several passwords for every account user and had the same effect.

EDIT: I forgot: you can create another account with the same effect than root if you assign the user id to 0, but not had any sense, being dangerous in the same way. Could give some obfuscation if somebody try to login like root, but apart of that, not had much sense.

Calling the subsystem with sudo worked for me.

To an Ubuntu host for example:

sftp -s "sudo /usr/lib/openssh/sftp-server" targethost.fqdn

Beyond what @MartinVonWittich suggested in the comments above you could setup a dedicated SSH key pair just for this activity and add them to the root user's /root/.ssh/authorized_keys file limiting their scope to just a single command.

# User backup's $HOME/.ssh/authorized_keys file

command="/usr/libexec/openssh/sftp-server" ssh-dss AAAAC8ghi9ldw== backup@host

This would allow another system with the corresponding key to this pair to SFTP into this system as root. You'd still have a record of this connection in your syslog and/or secure.log files (assuming your distro provides this level of logging).

NOTE: Whomever accesses the server in this method would have cartes blanche access, so use it wisely. Better still continue reading and combine this capability with chroot and read only access, to construct tighter restrictions and targeted access to specific locations as root.

chroot & readonly

The other technique you could exploit here would be to limit the SFTP connection so that it was chrooted into specific locations as root, based on which SSH key was used. See my answer to this U&L Q&A titled: "Restrict password-less backup with SFTP" for more details.

You can also control sftp-server through its switches -R and -d.

 -d start_directory

         specifies an alternate starting directory for users.  The pathname 

         may contain the following tokens that are expanded at runtime: %%

         is replaced by a literal '%', %h is replaced by the home directory

         of the user being authenticated, and %u is replaced by the user‐

         name of that user.  The default is to use the user's home 

         directory.  This option is useful in conjunction with the 

         sshd_config(5) ChrootDirectory option.



 -R      Places this instance of sftp-server into a read-only mode.  

         Attempts to open files for writing, as well as other operations 

         that change the state of the filesystem, will be denied.

I had a similar problem in that I wanted to use vimdiff to edit configuration files on a group of mostly similar hosts, with cssh and sudo and you may be able to adapt my solution to your workflow.

sudoedit (part of sudo) allows you to use any editor as a regular user to edit a file that you don't have write permission for and you can specify the editor with an environment variable. sudoedit copies the file(s), invokes the editor with the names of the copy(s) and waits for the editor to exit, then copies the modified copy back to where it was. so I created an 'editor' that doesn't edit, just notes the file for later use and waits and a wrapper around vimdiff that uses that marker.

the first file is ~/.bin/redit

#!/usr/bin/perl -w

use strict;

use warnings;

use Sys::Hostname;

my $file = $ENV{HOME}.'/.var/redit/'.hostname();

sub cmkdir($){

    my $_=shift;

    mkdir $_ unless -d $_;

}

cmkdir $ENV{HOME}.'/.var/';

cmkdir $ENV{HOME}.'/.var/redit/';

foreach (@ARGV){

    my $fh;

    open $fh, '>', $file.'na' or warn;

    print {$fh} $_;

    close $fh;

    symlink $_, $file or die;

    print;

    <STDIN>;

    unlink $file or die;

    unlink $file.'na' or die;

}

the second is ~/.bin/redit1

#!/usr/bin/perl -w

use strict;

use warnings;

use Sys::Hostname;

my $h=hostname();

@ARGV=qw(host1 host2 host3 host4) unless @ARGV;

print join " ", qw(gvimdiff), $ENV{HOME}.'/.var/redit/'.$h, map {'scp://'.$_.'/.var/redit/'.$_} grep {$_ ne $h} @ARGV;

exec qw(gvimdiff), $ENV{HOME}.'/.var/redit/'.$h, map {'scp://'.$_.'/.var/redit/'.$_} grep {$_ ne $h} @ARGV;

The way I use them is I use cssh to open a connection to all four hosts and then use a command like EDITOR=~/.bin/redit sudoedit /etc/conf/file and then In a different window run ~/.bin/redit1, make my changes, save and exit, switch back to cssh and press enter to commit the changes and exit sudoedit (unless I am editing more than one file in which case redit advances to the next file in the list and you run redit1 again for the next file.)

Since what you are doing is less complicated you don't need redit1 due to only working with one remote host, you can just point your sftp editor at host:.var/redit/host or equivalent.

What I do is use scp instead of (s)ftp, and change the shell to sudo su - in WinSCP this is in AdvancedSCPShell, but this only works with the scp protocol.

Simple approach I followed was to just sftp and put the files on a stage area ( mkdir new directory where you have permissions on the server ) and then ssh again to move the files from there to destination with sudo cp or sudo mv.