Gentoo Forums
TRICK: su to root without a password

ectospasm
l33t

Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA

Posted: Sat Aug 06, 2005 1:32 am    Post subject: TRICK: su to root without a password

DISCLAIMER: I do not suggest you do this on a production system for security reasons, unless you like to live dangerously. It is safer, security-wise, not to allow root logins through SSH. DO THIS AT YOUR OWN RISK.

If you couldn't tell from the disclaimer, this actually uses ssh, not su, to login to your machine. It uses public/private key encryption in order to accomplish this. These instructions assume your shell is bash, and they assume you know how to su to root. These are the steps you need to follow:


  1. Install openssh if it's not already installed and configured to allow root logins. It's outside the scope of this post to tell you how, but it should be straightforward. I don't seem to remember doing anything special to enable root logins.

  2. Make sure sshd is running. It should be as simple as this (logged in as root):
    Code:
    # /etc/init.d/sshd start


  3. Logged in as your main user (not root), create your RSA keys. Type the following in your root home directory:
    Code:
    $ ssh-keygen -t rsa

    Follow the prompts (the defaults should suffice, and I didn't enter a passphrase). Once finished, your new keys will be in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, for your private and public keys, respectively. WARNING: Your private key needs to remain private. If someone gets hold of it, they will be able to login as you, into your root account, without a password. So keep it safe.

  4. su to root now
    Code:
    $ su -


  5. Create the .ssh directory in root's home directory (defaults to /root/) if it's not already created.

  6. Perform the following command:
    Code:
    # cat ~user/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys2

    Replace "user" with your actual main user name. Note that authorized_keys2 probably does not exist, and we'll be creating, not appending to that file if that is the case. We're appending just to be safe. If you want to make sure no one has maliciously added their own key, you can overwrite the file (> instead of >>).

  7. Log out of your root su session (CTRL-D or exit)

  8. Now for the magic part. Test out that the keys actually work:
    Code:
    $ ssh root@localhost

    If all goes to plan you should now be in a root session, without having to type in a password.

  9. "ssh root@login" is a relatively long command to type, compared to "su -". Create an alias in your primary user (not root) .bashrc file. Add this line to the bottom of that file:
    Code:
    alias sup='ssh root@localhost'

    You can change the letters 'sup' to be anything you want. Just make sure there isn't already a command in your path that has that name.

  10. Source the new .bashrc file, like so:
    Code:
    $ . .bashrc

    I hear you can get away with typing "source .bashrc", but I like to type as few keystrokes as possible.

  11. To test your new alias, type the following at your prompt (assuming the alias name is 'sup'):
    Code:
    $ sup

    You, like before, should now be in a root shell without having to type a password.


As long as you can keep your private key safe, this should be relatively secure. There is a little overhead since we're not using a direct login, but the performance hit should be negligible. If you maintain several machines you can append your id_rsa.pub file to each machine's authorized_keys2, and log into them without typing a password. I got the idea for all of this from Linux Server Hacks, hack 66.

I'd like to see a philosophical discussion on whether this is a good idea or not. I'm still undecided. One thing that I definitely do not suggest is generating keys in your root account, and then using this method to allow passwordless logins to other machines. I had done this, and realized it was a bad idea today since if the first machine got rooted, potentially every other machine that has that root's public key would be vulnerable.
_________________
Join the adopt an unanswered post initiative today
Join the EFF!
Join the Drug Policy Alliance!

kimchi_sg
Advocate

Joined: 26 Nov 2004
Posts: 2915
Location: Singapore

Posted: Sat Aug 06, 2005 3:20 am

Sounds like a bad idea to me. :roll:

We could just use sudo for passwordless root logins, after all.
_________________
Murphy's Law of Gentoo installation: If a compile can fail, it will.

MacGillicuddy's Corollary: At the most inopportune time.

Please search and read the FAQs before posting.

ectospasm
l33t

Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA

Posted: Sat Aug 06, 2005 4:09 am

My whole point is not having to type a password. Doesn't sudo require you to type your own password (I don't know, I don't use it)? As long as you can guarantee the safety of your private key, it shouldn't be a problem. Someone would have to have your private key to breach your security. It all depends on how physically secure your box is. YMMV, but no one touches my machine but me.
_________________
Join the adopt an unanswered post initiative today
Join the EFF!
Join the Drug Policy Alliance!

Jeremy_Z
l33t

Joined: 05 Apr 2004
Posts: 671
Location: Shanghai

Posted: Sat Aug 06, 2005 6:56 am

I suggest another bad idea:

Configure sudo with no password for all commands, just type "sudo su"

:lol:
_________________
"Because two groups of consumers drive the absolute high end of home computing: the gamers and the porn surfers." /.
My gentoo projects, Kelogviewer and a QT4 gui for etc-proposals

pijalu
Guru

Joined: 04 Oct 2004
Posts: 365

Posted: Sat Aug 06, 2005 12:27 pm

ectospasm wrote:
... Doesn't sudo require you to type your own password (I don't know, I don't use it)? ...

FYI:
Code:

%wheel        ALL=(ALL)       NOPASSWD: ALL

in /etc/sudoers
and all wheel users can call sudo without a passwd prompt.
Replace %wheel with a username and only this user will have no-passwd sudo
(edit this file using visudo to be a good boy)

irondog
l33t

Joined: 07 Jul 2003
Posts: 715
Location: In front of my TV. Behind my PC.

Posted: Sat Aug 06, 2005 1:11 pm

Great!! I hate to type the root password over and over again.

All my desktop boxes have a blank root password and root access disabled for ssh. I like your kind of setup, it's a lot safer and does exactly the same thing I got used to. Thanks for the guide!
_________________
All things must be nonsense.

Sheepdogj15
Guru

Joined: 07 Jan 2005
Posts: 430
Location: Backyard

Posted: Tue Aug 09, 2005 5:17 am

the only significant risk i see is if someone gets into your user account on that computer. better not leave it unattended. and better have a crack-resistant password.

note that having sshd running will allow people to attempt to log onto your system, remotely. of course, that assumes you don't have the ports blocked by iptables, or something like that. my recommendation would be to just not have sshd running unless you have a real need for it. (sshd is pretty secure in and of itself, it's just that we paranoid sys admins want to have as small of a vulnerability footprint as possible.)
_________________
Sheepdog
Why Risk It? | Samba Howto

Jake
Veteran

Joined: 31 Jul 2003
Posts: 1132

Posted: Tue Aug 09, 2005 5:40 am

I'm a newb with this sort of stuff, but if sudo is only ever used for nopassword su'ing by a single user, wouldn't the following be sufficient?
Code:
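#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
        /* only the user with UID 1000 may become root */
        if (getuid() != (uid_t)1000) {
                printf("sorry\n");
                return 1;
        }

        /* change the group first, while still privileged; stop if either call fails */
        if (setgid((gid_t)0) != 0 || setuid((uid_t)0) != 0) {
                perror("easysu");
                return 1;
        }

        /* the argument list must end with a null pointer of type char * */
        execl("/bin/bash", "bash", (char *)NULL);
        perror("execl");        /* reached only if exec failed */
        return 1;
}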

naturally, you'll want to call that something like easysu.c and do:
Code:
$ gcc -o easysu easysu.c
# chown root easysu
# chmod u+s easysu

dev-urandom
Apprentice

Joined: 24 Jun 2005
Posts: 260
Location: Huh?

Posted: Tue Aug 09, 2005 6:18 am

Well in case you are insistent on being su without password, here's a better suggestion:

Code:

echo "auth       sufficient   pam_wheel.so use_uid trust" >> /etc/pam.d/su
usermod -g wheel myuser


This will make myuser be able to su without any password.

I will not harp on the dangers of being root without any password: This can be akin to nuking your system if you don't use it properly.

Whosoever does it should be aware of whatever that could result.
_________________
/earth: file system full.

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Mon Dec 19, 2005 10:39 pm

Thanks for this guys! The first post was interesting and obviously there was effort there but there do seem to be much better ways like using sudo. I'd personally do that. The tiny C code was very cool though and simple enough even for someone with rusty C like me. The easiest is probably to 'sudo su' without password and alias it to su as this gets checked first before the path to the actual binary. Then every time you 'su' you get root without a password!

damjanek
Apprentice

Joined: 21 Jun 2004
Posts: 259
Location: Poland, Poznań

Posted: Tue Dec 20, 2005 12:13 am

also
Code:
sudo su -
is a very easy way to obtain root privileges.
_________________
$ uname -rms
Darwin 10.0.0 i386
Welcome to Darwin!
#gentoo-pl@freenode and #gentoo.pl@ircnet team

ectospasm
l33t

Joined: 19 Feb 2003
Posts: 711
Location: Mobile, AL, USA

Posted: Tue Dec 20, 2005 1:19 am

I'd agree, sudo is the way to go, but I didn't really use it until after I started this thread.
_________________
Join the adopt an unanswered post initiative today
Join the EFF!
Join the Drug Policy Alliance!

monkey89
Guru

Joined: 08 Mar 2004
Posts: 596

Posted: Tue Dec 20, 2005 2:03 am

damjanek wrote:
also
Code:
sudo su -
is a very easy way to obtain root privileges.


Or just type sudo -s to get a shell with sudo.

-Monkey

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3063
Location: Korea

Posted: Tue Dec 20, 2005 3:16 am

If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time.

pijalu
Guru

Joined: 04 Oct 2004
Posts: 365

Posted: Tue Dec 20, 2005 6:28 am

slycordinator wrote:
If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time.


I like the smell of napalm in the morning...

slycordinator
Advocate

Joined: 31 Jan 2004
Posts: 3063
Location: Korea

Posted: Tue Dec 20, 2005 6:47 am

pijalu wrote:
slycordinator wrote:
If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time.


I like the smell of napalm in the morning...


Apocalypse Now? :lol:

But seriously, if you want to enter "su" and not be prompted for a password you might as well just log in as root all the time because the reason you use "su" is because if your box is compromised the person can only do the commands that the logged in user can do. And surely, they would try "su" :roll:

pijalu
Guru

Joined: 04 Oct 2004
Posts: 365

Posted: Tue Dec 20, 2005 7:41 am

slycordinator wrote:

Apocalypse Now? :lol:

But seriously, if you want to enter "su" and not be prompted for a password you might as well just log in as root all the time because the reason you use "su" is because if your box is compromised the person can only do the commands that the logged in user can do. And surely, they would try "su" :roll:


I agree on the "got root" point, but IMHO, on a _desktop_ (and if configured correctly... eg no need for apache user to be able to sudo...Note: on a production machine, the problem is different), this is just a matter of choice, a personal balance between "risk" and ease of use...

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Tue Dec 20, 2005 10:31 am

actually not, you might do something accidentally when you are at a command prompt and therefore by 'su'ing to it you put yourself in the more careful frame of mind, then exit the su when you are finished, so there is a difference and running as root is a very bad idea....

so yes, security wise, it's rubbish, but if you're not worried about security and want ease of use while still not accidentally breaking things, this is as good a solution as any, just have a strong user account password!

cornet
n00b

Joined: 11 Mar 2003
Posts: 12

Posted: Sun Dec 25, 2005 11:13 pm

Root on external listening ssh is bad, especially if you still allow password auth.

Ok here is an outline of how to do this safely which is suitable for production use.

The method goes as follows:

Setup a 2nd sshd listening on a different port (say 2222)

The configuration of this should be as follows:
* Listen ONLY on localhost
* Allow root login
* Allow key auth
* Disable password auth
* Disable usePam

Now add your keys to /root/.ssh/authorized_keys as described in the original post.

Right now we create 2 short shell scripts, which should be placed in your path somewhere.

The first is the root script which is the equivalent of "su -"
Code:

#!/bin/sh

ssh -p 2222 root@localhost "$@"


The second is the rootdo script which works like sudo
Code:

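#!/bin/sh

# remember the current directory so the command runs there as root
# (paths containing a single quote are not handled)
D=$(pwd)
root "cd '$D' && $*"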


Now how to use this setup.

Say the box in question is called "myserver".

You basically forward your ssh-agent to "myserver", (google if you don't know about ssh-agent)

This can be done in 2 ways.

1. On the command line
Code:

ssh -A myserver


2. Via ~/.ssh/config, into which you add the following
Code:

Host myserver
  ForwardAgent yes



Now you can ssh to myserver and issue the command
Code:

root

to get a root shell :)

or
Code:

rootdo <some command>

to just run a command as root.


Now there is a security consideration with this.
... From the ssh man page:
Code:

             Agent forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through
             the forwarded connection.  An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.


This basically means that any one else with root access to the box that you are forwarding your agent to can hijack your ssh agent session and use it to ssh to any boxes on which you are keyed on!
So basically don't do this on a box where you don't know who has root access.

I have an ebuild file that installs the scripts and sets up the 2nd ssh server (which just involves duplicating /etc/init.d/ssh and pointing it at new configs and pid files)

Oh and definitely don't use keys without a passphrase on them for this!! Using ssh-agent means you only have to type in the passphrase for your keys once per session (when you leave your workstation either lock it with xlock or unload your keys from the agent then reload them when you get back)

Cornet
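
An added example, not part of cornet's post or ebuild: a shell check that a config file for the second sshd really has the five settings listed above. The function names and the two sample configs are constructed for illustration; port 2222 is the post's own example.

```shell
#!/bin/sh
# Prints one FAIL line per problem; returns 0 only when the file is compliant.
# Settings must be explicit, so compiled-in defaults are never relied on.

# sshd keeps the FIRST value it reads for a keyword, so only that one counts.
first_value() {  # FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

require_setting() {  # FILE KEYWORD ALLOWED-VALUE...
    f=$1; key=$2; shift 2
    val=$(first_value "$f" "$key")
    for ok in "$@"; do
        if [ "$val" = "$ok" ]; then return 0; fi
    done
    echo "FAIL: $key is '${val:-unset}', expected: $*"
    return 1
}

check_local_root_sshd() {  # FILE
    cfg=$1; rc=0
    # Every ListenAddress must be loopback; with none, sshd binds all interfaces.
    bad=$(awk 'tolower($1) == "listenaddress" {
            n++
            if ($2 != "::1" && $2 !~ /^(127\.0\.0\.1|localhost|\[::1\])(:[0-9]+)?$/)
                print "FAIL: ListenAddress " $2 " is not loopback"
        }
        END { if (!n) print "FAIL: no ListenAddress, sshd listens on all interfaces" }' "$cfg")
    if [ -n "$bad" ]; then echo "$bad"; rc=1; fi
    require_setting "$cfg" PermitRootLogin yes without-password prohibit-password || rc=1
    require_setting "$cfg" PubkeyAuthentication yes || rc=1
    require_setting "$cfg" PasswordAuthentication no || rc=1
    require_setting "$cfg" UsePAM no || rc=1
    return $rc
}

# Constructed sample: the second instance as the post describes it.
sample_good() {
    printf '%s\n' 'Port 2222' 'ListenAddress 127.0.0.1' 'PermitRootLogin yes' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' 'UsePAM no'
}
# Constructed weak variant: public bind, PAM on, and a late "no" that the
# earlier "PasswordAuthentication yes" overrides.
sample_bad() {
    printf '%s\n' 'Port 2222' 'ListenAddress 0.0.0.0' 'PermitRootLogin yes' \
        'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' 'UsePAM yes'
}

cfg_tmp=$(mktemp)
sample_bad > "$cfg_tmp"
check_local_root_sshd "$cfg_tmp" || echo "config rejected"
rm -f "$cfg_tmp"
```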

nesl247
Veteran

Joined: 15 Jun 2004
Posts: 1614
Location: Florida

Posted: Mon Dec 26, 2005 12:57 am

Why not do this

Open /etc/pam.d/su

Uncomment:
Code:
auth       sufficient   pam_wheel.so use_uid trust


Save. Then add the user to the wheel group and anyone in the wheel group no longer needs to use a password for root.

cornet
n00b

Joined: 11 Mar 2003
Posts: 12

Posted: Mon Dec 26, 2005 10:45 am

nesl247 wrote:
Why not do this

Open /etc/pam.d/su

Uncomment:
Code:
auth       sufficient   pam_wheel.so use_uid trust


Save. Then add the user to the wheel group and anyone in the wheel group no longer needs to use a password for root.


It's not a good idea for a few reasons:

* Root access is secured by only a single password, someone finds out your password then they have full access.
(Note with the ssh method I described someone needs to get your key and know the passphrase - I have a 40+ char passphrase on mine)

* That method makes it impossible to log into the box and not easily be able to have a root shell. This could easily go wrong (I've seen install scripts try to su - and if that works then install the software, not what you want if you're not expecting it!)

Cornet

humbletech99
Veteran

Joined: 26 May 2005
Posts: 1229
Location: London

Posted: Mon Dec 26, 2005 2:06 pm

I agree, I think it's a bad idea to do this since you are losing control for minimal increase in ease of use, I would personally just put up with the password, su to root and use the root shell for as long as I want because at least then you are aware of the risks. Otherwise you might get a nasty surprise one day... but it's entirely down to personal choice, a compromise between security and laziness...

andyfaeglasgow
Apprentice

Joined: 09 Sep 2004
Posts: 170

Posted: Mon Dec 26, 2005 2:58 pm

You can actually do this without using ssh or sudo by configuring pam.

Check out /etc/pam.d/su. If you uncomment one of the lines in there, wheel users can su to root without any password required. If someone is sitting on your machine as a wheel user you're in trouble anyway.
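
An added example, not written by any poster in this thread: a shell audit that lists which of the passwordless-root shortcuts discussed above are active on a machine (a NOPASSWD rule in sudoers, pam_wheel with trust in /etc/pam.d/su, and keys in root's authorized_keys files). The function names, the PREFIX argument and the sample tree are assumptions made for the example; the sudoers and PAM lines in the sample are the ones quoted in the thread.

```shell
#!/bin/sh
# PREFIX allows auditing a copy of a filesystem; pass "" to audit the live
# system (as root, since sudoers and /root are not world-readable).

audit_root_shortcuts() {  # PREFIX
    p=$1
    # 1. sudoers rules carrying NOPASSWD (main file plus drop-in directory)
    for f in "$p/etc/sudoers" "$p"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*#/ && /NOPASSWD[ \t]*:/ {
            print "sudo-nopasswd " f ": " $0 }' "$f"
    done
    # 2. pam_wheel with the "trust" option active in the su auth stack
    f="$p/etc/pam.d/su"
    if [ -f "$f" ]; then
        awk -v f="$f" '!/^[ \t]*#/ && $1 == "auth" && /pam_wheel\.so/ &&
            /(^|[ \t])trust([ \t]|$)/ { print "pam-wheel-trust " f ": " $0 }' "$f"
    fi
    # 3. keys accepted for root logins; note whether a from= option limits the source
    for f in "$p/root/.ssh/authorized_keys" "$p/root/.ssh/authorized_keys2"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*(#|$)/ {
            scope = ($0 ~ /from="/) ? "from-restricted" : "any-source"
            print "root-ssh-key " f " line " NR ": " scope }' "$f"
    done
    return 0
}

# Constructed sample tree standing in for /etc and /root.
make_sample_tree() {  # DIR
    mkdir -p "$1/etc/pam.d" "$1/root/.ssh"
    printf '%s\n' 'root ALL=(ALL) ALL' \
        '# %wheel ALL=(ALL) ALL' \
        '%wheel        ALL=(ALL)       NOPASSWD: ALL' > "$1/etc/sudoers"
    printf '%s\n' 'auth       sufficient   pam_rootok.so' \
        'auth       sufficient   pam_wheel.so use_uid trust' \
        '#auth      required     pam_wheel.so use_uid' > "$1/etc/pam.d/su"
    printf '%s\n' '# constructed placeholder, not a real key' \
        'ssh-rsa AAAA-PLACEHOLDER user@desktop' > "$1/root/.ssh/authorized_keys2"
}

tree=$(mktemp -d)
make_sample_tree "$tree"
audit_root_shortcuts "$tree"
rm -rf "$tree"
```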

sundialsvc4
Guru

Joined: 10 Nov 2005
Posts: 436

Posted: Mon Dec 26, 2005 3:14 pm

The basic idea of this post is a good one .. using RSA keys for security in SSH .. but the concept is somewhat mis-applied when it is used to "log on to root (no less...) without a password."

The strongest way to use SSH, by far, is to use the Level-2 protocol with "digital certificates only." Those can be issued without a password but it is safer to put a password on them. SSH, however, is programmed to use only certificates, not the "challenge/response" (password) authentication method. And, it's programmed not to allow direct access to root.

Anyone with a dictionary can crack most passwords... but they can't "crack" a digital certificate. It is a very secure keying mechanism that can be made very simple for its authorized holders -- even password-free. But it's much stronger than passwords.