How does the Ubuntu cloud version enforce the "no root login" over ssh?
Solution 1
Old question, but no one really answered you and I have had the same question: Where does this configuration come from?
It originates from cloudinit, precisely in cc_ssh.py within /usr/lib/python2.7/dist-packages/cloudinit/config. This in turn is directly dependent on the file /etc/cloud/cloud.cfg. There you find a line disable_root: true.
You should be able to override it by adjusting your user-data and adding the line disable_root: false.
Your cloud-provider should make the user-data configurable.
Solution 2
Assuming your sshd configuration has PermitRootLogin yes.
sudo grep "login as the ubuntu user" /root/.??*
However the link Mike Scott provided is one I strongly recommend you read thoroughly and take heed of.
ROOT SSH
Finally, if you wish to circumvent the Ubuntu security standard and revert to the old practice of allowing ssh and rsync as root, this command will open it up for a new instance of the official Ubuntu images:
ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/'
This is not recommended, but it may be a way to get existing EC2 automation code to continue working until you can upgrade to the sudo practices described above.
I keep root SSH logins disabled because any public facing server with SSH enabled will be battered continuously day and night by root login attempts from criminal botnets.
Elsewhere the documentation warns:
Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...
sudo -i
Solution 3
The answer is here: http://alestic.com/2009/04/ubuntu-ec2-sudo-ssh-rsync
Copy the authorized_keys file from the ubuntu account to the root account. Password login is disabled, so you have to have a valid ssh key to log in to any account.
Comments
-
Maxim Veksler over 1 year
I'm looking to tweak the Ubuntu cloud version default setup where it denies root login.
Attempting to connect to such machine yields:
maxim@maxim-desktop:~/workspace/integration/deployengine$ ssh [email protected]
The authenticity of host 'ec2-204-236-252-95.compute-1.amazonaws.com (204.236.252.95)' can't be established.
RSA key fingerprint is 3f:96:f4:b3:b9:4b:4f:21:5f:00:38:2a:bb:41:19:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-204-236-252-95.compute-1.amazonaws.com' (RSA) to the list of known hosts.
Please login as the ubuntu user rather than root user.
Connection to ec2-204-236-252-95.compute-1.amazonaws.com closed.
I would like to know in what configuration file the root blocking via ssh is configured and how I can change the printed message?
-
Maxim Veksler over 13 years
ssh certificate only authentication is enabled on all EC2 linux instances, this is the only method remote access is obtained to the machine. Obviously I am able to login into the node otherwise the mentioned message would not print. Please also note:
cat /etc/ssh/sshd_config | grep -i root
PermitRootLogin yes
-
Maxim Veksler over 13 years
Thanks. cat /root/.ssh/authorized_keys contains a notice to open echo instead of bash shell. Can't imagine why I couldn't find it myself. Thank you.
-
RubenLaguna over 8 years
What cloud-init does is to add a line in /root/.ssh/authorized_keys in the form
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa xxxxxx
So even if PermitRootLogin yes the ssh command will fail to get a working shell.
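
The mechanism described in the comment above, as an added example (not code from cloud-init or from the original page): an auditor that parses the options field of root's authorized_keys, including quoted values with escaped quotes, and reports what each key gets under a given PermitRootLogin value. The function names and the second key in the sample are constructed; the PermitRootLogin values are the ones documented in sshd_config(5).

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")  # line has no options

def parse_line(line):
    """Return (options, key_part) for one authorized_keys line, or None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}, line
    fields, cur, in_q, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_q and line[i:i + 2] == '\\"':   # backslash-escaped quote inside a value
            cur += '"'
            i += 1
        elif c == '"':
            in_q = not in_q
        elif c == "," and not in_q:           # option separator
            fields.append(cur)
            cur = ""
        elif c in " \t" and not in_q:         # first unquoted blank ends the options field
            break
        else:
            cur += c
        i += 1
    fields.append(cur)
    opts = {name.lower(): val for name, _, val in (f.partition("=") for f in fields)}
    return opts, line[i:].strip()

def audit_root_keys(permit_root_login, authorized_keys_text):
    """List (key, verdict) pairs for root's keys under a PermitRootLogin value."""
    findings = []
    for opts, key in filter(None, map(parse_line, authorized_keys_text.splitlines())):
        if permit_root_login == "no":
            verdict = "blocked by sshd"
        elif "command" in opts:               # key authenticates but only runs this command
            verdict = "forced command: " + opts["command"]
        elif permit_root_login == "forced-commands-only":
            verdict = "blocked by sshd"
        else:
            verdict = "interactive root shell"
        findings.append((key, verdict))
    return findings

# Constructed sample: the cloud-init line quoted above plus a made-up plain key.
SAMPLE = r'''no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ubuntu\" rather than the user \"root\".';echo;sleep 10" ssh-rsa xxxxxx''' + "\nssh-ed25519 AAAAC3constructed admin@example"
```

Running audit_root_keys("yes", SAMPLE) shows why PermitRootLogin yes is not enough to tell whether root can get a shell: the first key is accepted but pinned to the echo command, while a key without options would get a full root shell.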