faq_su 2008-07-31 faq_su 2024-09-09 (current)
Line 1: Line 1:
====== How do I change user after login (e.g. su root)? ====== ====== How do I change user after login (e.g. su root)? ======
-You cannot change a user in the middle of file transfer session with neither of protocols WinSCP supports ([[protocols#sftp|SFTP]], [[protocols#ftp|FTP]] and [[protocols#scp|SCP]]). So you need to start with the correct user straight away.+None of the protocols ([[sftp|SFTP]], [[ftp|FTP]] and [[scp|SCP]]) supported by WinSCP allow the user to be changed in the middle of file transfer session. You need to start the session with the correct user.
===== Direct Login ===== ===== Direct Login =====
Easiest way is to allow direct login with the user account you need, if it is not allowed already. For accounts such as ''root'', the direct login is typically disabled by default for security reasons. So when enabling it, have security in mind. Easiest way is to allow direct login with the user account you need, if it is not allowed already. For accounts such as ''root'', the direct login is typically disabled by default for security reasons. So when enabling it, have security in mind.
-Particularly with SSH, you may want to keep password authentication (the most vulnerable one) disabled and use e.g. [[public_key|public key authentication]] instead. With OpenSSH server, you can do that by setting ''[[http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config|sshd_config]]'' keyword ''PermitRootLogin'' to ''without-password''·((Even more restrictive option ''forced-commands-only'' may work with SFTP protocol, but it has not been tested.)).+Particularly with SSH, you may want to keep password authentication (the most vulnerable one) disabled and use e.g. [[public_key|public key authentication]] instead. With OpenSSH server, you can do that by setting ''[[https://man.openbsd.org/sshd_config|sshd_config]]'' keyword ''PermitRootLogin'' to ''without-password''.((Even more restrictive option ''forced-commands-only'' may work with SFTP protocol, but it has not been tested.))
-===== Use sudo on Login ===== +===== [[sudo]] Use sudo on Login ===== 
-In some cases you may be able to use ''[[http://www.gratisoft.us/sudo/man/sudo.html|sudo]]'' command straight after login to change a user, before file transfer session starts.+In some cases (with Unix/Linux server) you may be able to use ''[[&man_ref(8,sudo)|sudo]]'' command straight after login to change a user, before file transfer session starts.
-[[protocols#ftp|FTP]] protocol does not allow this.+[[ftp|FTP]] protocol does not allow this.
-The [[protocols#scp|SFTP]] and [[protocols#scp|SCP]] protocols allow for this, but the actual method is platform dependant.+The [[scp|SFTP]] and [[scp|SCP]] protocols allow for this, but the actual method is platform dependent.
-With SFTP protocol, you can use //[[ui_login_sftp#protocol_options|SFTP server]]// option on //SFTP tab// of Login dialog to execute SFTP binary under different user. Under Unix/Linux with OpenSSH server, you can specify:+  * With SFTP protocol, you can use //[[ui_login_sftp#protocol_options|SFTP server]]// option on //SFTP page// of Advanced Site Settings dialog to execute SFTP binary under a different user. With OpenSSH server, you can specify: \\ <code> 
 +sudo /bin/sftp-server 
 +</code> Note that SFTP server binary may be located elsewhere((You can see path to SFTP binary in ''Subsystem sftp'' clause in ''/etc/ssh/sshd_config'', unless keyword ''internal-sftp'' is used instead of a path. You may also use ''whereis sftp-server'' command to locate the binary.)) (e.g. in ''/usr/lib/sftp-server'', ''/usr/lib/openssh/sftp-server'' or ''/usr/libexec/openssh/sftp-server'').
-  sudo su -c /bin/sftp-server+  * With SCP protocol, you can specify the following command as custom shell on the //[[ui_login_scp#shell|SCP/Shell page]]// of Advanced Site Settings dialog: \\ <code> 
 +sudo -
 +</code>
-With SCP protocol under Unix/Linux server, you can specify following command as custom shell on the //[[ui_login_scp#shell|SCP/Shell tab]]// of Login dialog:+However you will not be able to provide a password for ''su'' (see [[remote_command#limitations|remote command execution limitations]]). So you may be able to do the above only if you are allowed to do ''sudo su'' without being prompted with password. See ''[[&amp;man_ref(8,sudo)|sudo]]'' documentation to learn how to do that. For example you can add following line to ''[[&man_ref(5,sudoers)|sudoers]]'' file (''/etc/sudoers''):
-  sudo su -+  yourusername ALL=NOPASSWD: ALL
-However typically you will not be able to provide a password for ''su'', see [[remote_command#limitations|remote command execution limitations]]. So you may be able to do the above only if you are allowed to do ''sudo su'' without being prompted with password. See ''[[http://www.gratisoft.us/sudo/man/sudo.html|sudo]]'' documentation to learn how to do that. For example you can add following line to ''[[http://www.gratisoft.us/sudo/man/sudoers.html|sudoers]]'' file (''/etc/sudoers''):+The above line is very permissive, it allows user ''yourusername'' connected from anywhere (the first ''ALL'') to run any command (the second ''ALL'') as a ''root'' without being asked for password. So you should restrict it as much as possible.
-··yourusername ALL=(ALL) NOPASSWD: ALL+For example with OpenSSH you may restrict it only to SFTP session by: 
 + 
 +··yourusername ALL=NOPASSWD: /bin/sftp-server 
 + 
 +Note that as WinSCP cannot implement terminal emulation, you need to have ''sudoers'' option ''requiretty'' turned off (which is default).
-Note that as WinSCP cannot implement terminal emulation, you need to have ''sudoers'' option ''requiretty'' turned off (what is default). 
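Review bot: the new text on the SFTP/SCP line still points the SFTP link at the wrong page, `[[scp|SFTP]]`, while the first paragraph's new text uses `[[sftp|SFTP]]`; change it to `[[sftp|SFTP]]`. Two smaller points in the same hunk: the new "Use sudo on Login" heading gains a stray `[[sudo]]` link before its title, and the `sudo` man reference in the password paragraph is written as `''[[&amp;man_ref(8,sudo)|sudo]]''` while the earlier one uses `''[[&man_ref(8,sudo)|sudo]]''`, so the HTML-escaped `&amp;` should be `&`.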

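The revised page advises three server-side checks before running `sftp-server` through `sudo`: locate the binary from the `Subsystem sftp` clause, make sure `requiretty` is off, and replace a blanket `ALL=NOPASSWD: ALL` entry with one restricted to the SFTP binary. The script below is an added example, not WinSCP's or OpenSSH's own code; the `sshd_config` and `sudoers` excerpts are constructed samples embedded inline, and the function names are this example's own choice. `visudo -c -f` is a standard sudo option.

```shell
#!/bin/sh
# Audit helpers for the sshd_config / sudoers settings discussed on the page.
# Sample configuration text below is constructed for this example; it is not
# taken from any real host. Function names are this example's own choice.

# Constructed sshd_config excerpt: root login limited to keys, SFTP subsystem
# pointing at an external sftp-server binary.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin without-password
Subsystem sftp /usr/lib/openssh/sftp-server
'

# Constructed sudoers excerpt: requiretty negated, one overly permissive entry
# (alice) and one entry restricted to the sftp-server binary (bob).
SAMPLE_SUDOERS='Defaults    env_reset
Defaults    !requiretty
alice ALL=NOPASSWD: ALL
bob ALL=NOPASSWD: /usr/lib/openssh/sftp-server
'

# Print the sftp-server path named in the "Subsystem sftp" clause.
# Prints nothing when the in-process internal-sftp is used (no binary to sudo).
sftp_subsystem_path() {
  printf '%s\n' "$1" | awk '
    $1 == "Subsystem" && $2 == "sftp" { if ($3 != "internal-sftp") print $3; exit }'
}

# Succeed (exit 0) when a "Defaults" line turns requiretty on; a negated
# "!requiretty" or an absent keyword counts as off, which is what WinSCP needs.
requiretty_enabled() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*Defaults([[:space:]]|.*,)[[:space:]]*requiretty([[:space:]]|,|$)'
}

# Print the user of every "<user> ALL=... NOPASSWD: ALL" entry, the form the
# page warns about: any command, as root, without a password.
permissive_nopasswd_users() {
  printf '%s\n' "$1" | awk '
    $2 ~ /^ALL=/ && $0 ~ /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Build the narrower replacement entry: passwordless sudo for one binary only.
restricted_sftp_sudoers_line() {
  printf '%s ALL=NOPASSWD: %s\n' "$1" "$2"
}

# Syntax-check a candidate sudoers file before installing it (visudo -c -f is a
# standard sudo option); returns 2 when visudo is not installed.
validate_sudoers_file() {
  command -v visudo >/dev/null 2>&1 || return 2
  visudo -c -f "$1" >/dev/null
}

# Human-readable report over a config pair.
audit_report() {
  sshd_cfg=$1
  sudoers=$2
  path=$(sftp_subsystem_path "$sshd_cfg")
  if [ -n "$path" ]; then
    echo "sftp-server binary: $path"
  else
    echo "sftp-server: internal-sftp (no binary to run via sudo)"
  fi
  if requiretty_enabled "$sudoers"; then
    echo "requiretty: ON (WinSCP cannot satisfy it; set Defaults !requiretty)"
  else
    echo "requiretty: off"
  fi
  for u in $(permissive_nopasswd_users "$sudoers"); do
    echo "too permissive: $u has NOPASSWD for ALL commands"
    if [ -n "$path" ]; then
      echo "  suggested: $(restricted_sftp_sudoers_line "$u" "$path")"
    fi
  done
}

audit_report "$SAMPLE_SSHD_CONFIG" "$SAMPLE_SUDOERS"
```

Run it against real files with `audit_report "$(cat /etc/ssh/sshd_config)" "$(cat /etc/sudoers)"` as root; the report names the binary to put in WinSCP's SFTP server option and flags any user whose entry should be narrowed to that binary. Write the suggested line to a scratch file and pass it to `validate_sudoers_file` before copying it into `/etc/sudoers.d`.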
Last modified: by martin