How can I log on as root to a cloud instance?

ssh configuration cloud
8,994

Solution 1

Have a look at the /root/.ssh/authorized_keys file. Most likely you will find something like this:

root@instance-00:~# cat /root/.ssh/authorized_keys 
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAA...= user@host

(This was taken from a different cloud provider, but the configuration seems to be identical to Amazon's).

Just delete everything in front of ssh-rsa and you should be able to login as root remotely (of course, everything other people have already told you about this not being a best practice still applies!)

If you are really lazy, you can just overwrite the authorized_keys file using the one from the ubuntu user: 

root@instance-00:~# cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/authorized_keys

And just in case you are curious about how that prefix got there, the same Python code you have already found (/usr/lib/python3/dist-packages/cloudinit/config/cc_ssh.py) has the answer in apply_credentials. Note how it sets the prefix for the authorized keys:

if disable_root:
    if not user:
        user = "NONE"
    key_prefix = disable_root_opts.replace('$USER', user)
else:
    key_prefix = ''

Solution 2

It is highly recommended to block remote root login to a server (security reasons).

The recommended way is to login as regular user, and use sudo in order to gain root access.

The ultimate sudo command which will provides you full root access for every command is:

sudo bash

For a specific command which should be executed as root you can use:

sudo specific-command

Example for a command which will be executed as root:

sudo ls -lsa /root

Note: If you want to change amazon policy and permit root login, you use the answers from amazon-ec2-root-login SO Q&A

Refer to the following to set root login:

sudo -s (to become root)
vi /root/.ssh/authorized_keys

Delete the lines at the begining of the file until you get to the words ssh-rsa.

vi /etc/ssh/sshd_config

Set the variable PermitRootLogin to PermitRootLogin without-password (without quotes)

sudo /etc/init.d/sshd restart
Share:
8,994

Related videos on Youtube

James Smith
Author by

James Smith

Updated on September 18, 2022

Comments

  • James Smith
    James Smith over 1 year

    I can log in successfully to my cloud instance as user 'ubuntu' via SSH but cannot log in as user 'root'. There are several posts extant concerned with altering the ssh config in order to allow root access although none have worked from me. For example, I have made the usual changes to the /etc/ssh/sshd_config file, namely:

    #Authentication
PermitRootLogin yes

    This had no effect.

    Now, the message I get when I try to log in as 'root' is:

    Please login as the user "ubuntu" rather than the user "root".

    Grepping for "Please login", I found in the '/usr/lib/python3/dist-packages/cloudinit/config/cc_ssh.py' file (of all places), the following lines:

    DISABLE_ROOT_OPTS = (
"no-port-forwarding,no-agent-forwarding,"
"no-X11-forwarding,command=\"echo \'Please login as the user \\\"$USER\\\""
" rather than the user \\\"root\\\".\';echo;sleep 10\"")

    I can't make much of this. I'm guessing that this Python script was run when the instance was first created and is responsible for some additional SSH settings somewhere that are blocking me from logging in as 'root'.

    It seems to me that the offending ssh configuration directives are 'no-X11-forwarding' and the other two. I've come to this conclusion since they seem to be associated with the offending message.

    I'm guessing that the command directive instructs the ssh daemon to show this message when the associated directives are violated. Am I on the right track?

    One thing I should add to this is that I am aware of the arguments against logging in as root user. However, this is a private instance and I will be the only user. I need ssh access as 'root' because the deployment scripts I have need to run as root in order to avoid complications.

    Update: The python script mentioned below is part of the Ubuntu CloudInit package.

    Further update: Here are the contents of the /etc/pam.d/sshd file...

    # PAM configuration for the Secure Shell service

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open

# Standard Un*x password updating.
@include common-password

    ...and the contents of the /etc/ssh/sshd_config file...

    # Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

    ...as requested.

    • muru
      muru about 6 years
      This is a problem with Amazon's VPS configuration, whatever that is, and should be raised with their customer support
    • James Smith
      James Smith about 6 years
      Please see the update. This is not an EC2 specific problem, it is a cloud related problem. The SSH settings appear to have been enforced by Ubuntu's own CloudInit package.
    • muru
      muru about 6 years
      Nominated for reopening. Please add the contents of sshd_config, /etc/pam.d/sshd to the post.
    • James Smith
      James Smith about 6 years
      That's a good idea. My next thought was whether another set of ssh settings were overriding the standard ones. I will add the additional information later when I have a moment.
  • James Smith
    James Smith about 6 years
    Hi. I'm aware of the arguments against root access, however it is (essentially) a private instance and I will be the only user. So I'm saying it's okay to be able to ssh in as root.
  • Yaron
    Yaron about 6 years
    @JamesSmith - updated my answer with a suggested way to allow root login to amazon ec2
  • James Smith
    James Smith about 6 years
    Okay, I had my doubts but gave it a go. There is no authorized_keys file for root presently so I couldn't do that step. I did change the sshd configuration as you suggested and restarted but it made no difference. I'm convinced something is overriding the sshd configuration, or at least taking precedence. That's why I grepped for (and at least partially uncovered the reason behind) the message.
  • Yaron
    Yaron about 6 years
    @JamesSmith - regarding the authorized_keys files, in order to login into a remote ssh server using keys, you should place authorized_keys files in the .ssh folder, which will include the public ssh keys of the users which can ssh into that account
  • Yaron
    Yaron about 6 years
    @JamesSmith - see this Q&A regarding ssh keys

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What is a quick ssh command to know the system info/configuration
How to solve: "Connect to host some_hostname port 22: Connection timed out"?
How to speed up SSH login?
How can I allow SSH password authentication from only certain IP addresses?
Why don't Page U/Down, Home/End work in less on Solaris over ssh from Ubuntu?
How do I SSH into my Samba file server?
Mounting an Amazon EC2 instance on Mac OS X
Why does google CloudShell not have the same subnet IP address as my vm instance? Cannot ssh, but can get serial port login: prompt
Can I regenerate the rsa key for SSH access to a Cisco router? Or should I completely erase the SSH config?
Regular Expression matching in ssh config