Enabling SSH and su from root to user for GridPane System Users

DISCLAIMER

The following commands change how your GridPane server functions. This may void any support provided by GridPane; use them at your own discretion. If you contact GridPane support, tell them that you made these changes.

UPDATED 03-24-2020

I have to apologize for how this article was originally written; it was done hastily and didn't really cover the major issue, so I've updated it now to be accurate.

If you've ever tried to SSH into a GridPane system user, you'll see the following error.

Allowing SSH Access to GridPane System Users

Note

If you change the password or add/delete the SSH key for the system user via GridPane, the changes below will be undone. Re-apply them and check /etc/ssh/sshd_config afterwards.

If you want to give a developer or user real SSH access instead of the SFTP-only access that GridPane sets up for each system user, follow these instructions.

Removing SFTP Restriction Configuration

GridPane restricts each system user to SFTP by setting the sshd option "ForceCommand internal-sftp" for that user (this is SFTP, not the older scp protocol). To keep the user from reaching files outside its home directory, the sshd option "ChrootDirectory" is used as well.

The configuration lives in /etc/ssh/sshd_config, in a block that applies only to that specific system user.

Comment out the "ForceCommand internal-sftp" option in that block, or remove the block for the user entirely, and then restart the SSH daemon.

Removing Chroot Configuration

If you now try to log in via SSH as a system user, you will be greeted with an error instead of a shell.

This is because the GridPane system user is still chrooted into its home directory by the ChrootDirectory option: with ForceCommand gone, sshd tries to start the user's login shell inside the chroot, and the home directory contains no /bin, no shell and none of the libraries a shell needs. You can read more about chroot, how to set it up and extend it further at https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/

Comment out or remove the ChrootDirectory line in the same per-user block of the sshd config. If you also removed the ForceCommand line earlier in this article, the block for that user now carries neither restriction.

Check the edited file with "sshd -t", then restart the SSH daemon.

Now you should be able to use PuTTY or the ssh command to log in as the system user without any issues, until you try to create files in your home directory, which is the next problem.

Updating Home Directory Permission

So you can SSH in as a GridPane system user, but you can't create files in your home directory. That is tolerable for a look around, but usually you want to create and modify files there.

By default the home directory is owned by root, both user and group. That is not an accident: sshd refuses to use a directory as ChrootDirectory unless it is owned by root and not writable by group or others, so the ownership had to be root:root while the chroot was in force. Now that the ChrootDirectory line is gone, change the ownership of the directory, as root, from root:root to the system user and its group (wpinfo:wpinfo in this example).

Only do this after the chroot has been removed. If you chown the directory while ChrootDirectory is still set, sshd will reject the user's SFTP login as well, logging "bad ownership or modes for chroot directory".

Now you shouldn’t have any issues with writing to your home directory.
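Putting the three steps together (drop the ForceCommand and ChrootDirectory lines for one user, validate and restart sshd, then hand the home directory to the user), here is an added shell example of my own. It is not GridPane's code and it is not the listing from the original post. It assumes the per-user settings sit in a "Match User <name>" block of /etc/ssh/sshd_config with the keywords in their usual case, that the SSH service is named ssh as on Ubuntu, and it uses wpinfo as the example user; the sshd_config excerpt embedded in it is constructed to that shape, not copied from a GridPane server.

```shell
#!/bin/sh
# Added example, not GridPane's own code. Opens full SSH for one GridPane
# system user in the order the article describes: drop ForceCommand and
# ChrootDirectory from the user's Match block, validate, restart sshd, and
# only then hand the home directory to the user.
# Assumptions: per-user settings sit in a "Match User <name>" block with
# the keywords in their canonical case, the SSH service is called "ssh"
# (Ubuntu), and the sample user is "wpinfo" with home /home/wpinfo.
set -eu

# Comment out ForceCommand and ChrootDirectory inside the Match block for
# USER only; other users' blocks are left as they are. Output on stdout.
unlock_user_block() {
    local config="$1" user="$2"
    awk -v user="$user" '
        # Every Match line starts a new block; note whether it is ours.
        /^[ \t]*Match[ \t]/ {
            inblock = ($0 ~ ("^[ \t]*Match[ \t]+User[ \t]+" user "[ \t]*$"))
        }
        inblock && /^[ \t]*(ForceCommand|ChrootDirectory)[ \t]/ {
            sub(/^[ \t]*/, "&# ")       # keep indentation, prefix "# "
        }
        { print }
    ' "$config"
}

# Exit 0 if USER still has an uncommented ChrootDirectory in CONFIG.
# sshd insists that a chroot directory is root-owned and not group/world
# writable, so chown-ing the home directory while this is still set
# locks the user out of SFTP too ("bad ownership or modes for chroot
# directory" in the auth log).
chroot_active() {
    local config="$1" user="$2"
    awk -v user="$user" '
        /^[ \t]*Match[ \t]/ {
            inblock = ($0 ~ ("^[ \t]*Match[ \t]+User[ \t]+" user "[ \t]*$"))
        }
        inblock && /^[ \t]*ChrootDirectory[ \t]/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$config"
}

# The real procedure, to be run as root on the server. Not exercised by
# the offline demo below because it needs sshd, systemd and the user.
open_ssh_for_user() {
    local user="$1" config="${2:-/etc/ssh/sshd_config}"
    cp -p "$config" "$config.bak.$(date +%Y%m%d%H%M%S)"
    unlock_user_block "$config" "$user" > "$config.tmp"
    mv "$config.tmp" "$config"
    sshd -t                      # with set -e: abort rather than restart on a broken config
    systemctl restart ssh        # service name assumed (Ubuntu)
    if chroot_active "$config" "$user"; then
        echo "ChrootDirectory still set for $user; leaving /home/$user owned by root" >&2
        return 1
    fi
    chown "$user:$user" "/home/$user"
}

# Constructed sshd_config excerpt in the assumed shape (not copied from a
# GridPane server), used so the demo runs offline.
sample_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match User wpinfo
    ForceCommand internal-sftp
    ChrootDirectory /home/wpinfo
    AllowTcpForwarding no
Match User othersite
    ForceCommand internal-sftp
    ChrootDirectory /home/othersite
EOF
}

# Offline demo: print the rewritten config for wpinfo and run the chroot check.
demo() {
    local tmp
    tmp="$(mktemp)"
    sample_config > "$tmp"
    unlock_user_block "$tmp" wpinfo
    if chroot_active "$tmp" wpinfo; then
        echo "wpinfo: chroot still active"
    else
        echo "wpinfo: chroot removed, safe to chown /home/wpinfo"
    fi
    rm -f "$tmp"
}

demo
```

On a real server you would run open_ssh_for_user wpinfo as root; the demo at the bottom only exercises the config rewrite and the chroot check on a temporary copy, and shows that the block for othersite is left alone. The guard before the chown is the point of the example: sshd will not accept a chroot directory that is not owned by root, so doing the chown first would take away the user's SFTP access instead of adding shell access.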

Securing SSH

The changes above lessen security: the user now has an ordinary shell on the server rather than an SFTP session confined to its home directory. If you want to claw some of that back, you can look into rbash, bearing in mind that a restricted shell is easily escaped by any program that can spawn a shell (editors, pagers, scripting languages), so it limits accidents rather than a determined user:

https://www.ostechnix.com/how-to-limit-users-access-to-the-linux-system/

There are other methods, such as building each user its own chroot environment with a shell and the libraries it needs inside. But that can become cumbersome.

https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/

Allowing SU to User from Root

UPDATE 03/24/2020

As per GridPane, this is no longer an issue and you can freely "su -" into system users from root. I'm leaving this guide up just for reference.

If you've ever tried to "su -" into a GridPane system user, you'll see the following error. Sometimes this is all I do from the root user, versus logging into each individual user. I will explain my reasoning one day. If you want to SSH into a GridPane system user, I've added it to the end of this article.

Removing ACL restrictions on /bin and /dev

The reason for the error above is an ACL that was added to /bin and /dev: it stops the system user from starting a shell from /bin and from accessing /dev. The latter is more of an annoyance, showing up as warnings each time you run a command, so I have included it here as well.

Fixing ACL Permissions on /bin

This is due to /bin being restricted by an ACL that blocks the system user, so the user's login shell under /bin cannot be started. Inspect it with getfacl before changing anything.

Remove that ACL and you should be able to log in via SSH as the system user and run "su - user" as root to become that user.

Fixing ACL Permissions on /dev

You may also see warnings about /dev: there is an ACL placed on /dev as well, and it can be inspected and removed the same way.

Fixing Permissions on /home

There is also the ownership of the system user's home directory under /home, which is root:root by default (the same issue covered under Updating Home Directory Permission above). /home itself is meant to be owned by root and should stay that way; a user who owns /home can rename or remove every other user's directory.

Chown only the user's own directory to the system user, and only once the ChrootDirectory line for that user is gone.
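To see whether such an ACL is actually present before touching anything, and to remove only the entry for one user rather than wiping every ACL on /bin or /dev, here is an added shell example of my own (not GridPane's code, and not the listings from the original post). It assumes the restriction is a named user entry with no rights ("user:wpinfo:---" style) or an all-deny mask, that the acl package providing getfacl and setfacl is installed, and that the user is wpinfo; the getfacl output embedded in it is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example, not GridPane's own code. Checks whether a path such as
# /bin or /dev carries a POSIX ACL that shuts a system user out, and
# optionally removes that user's entry. Assumptions: the restriction is a
# named user entry with no rights ("user:<name>:---") or an all-deny mask,
# the acl package (getfacl/setfacl) is installed, and the user is "wpinfo".
set -eu

# Read "getfacl -p" output on stdin and print the entries that deny USER:
# a named user entry with no bits, or a mask of "---" (which strips the
# effective rights of every named entry and of the owning group).
acl_denials_for_user() {
    local user="$1"
    awk -F: -v user="$user" '
        /^user:/  && $2 == user && $3 == "---" { print }
        /^mask::/ && $3 == "---"               { print }
    '
}

# Report the denying entries on PATH for USER. With "fix" as the third
# argument, remove the named user entry with setfacl -x, which leaves the
# base owner/group/other bits and any other named entries untouched.
# Needs root for the fix.
check_acl() {
    local path="$1" user="$2" action="${3:-show}"
    local denials
    denials="$(getfacl -p "$path" | acl_denials_for_user "$user")"
    if [ -z "$denials" ]; then
        echo "$path: no ACL entry denying $user"
        return 0
    fi
    printf '%s: ACL entries denying %s:\n%s\n' "$path" "$user" "$denials"
    if [ "$action" = fix ]; then
        setfacl -x "u:$user" "$path"
        echo "$path: after setfacl -x u:$user"
        getfacl -p "$path"
    fi
    return 0
}

# Constructed getfacl output in the assumed shape (not captured from a
# GridPane server) so the demo runs offline.
sample_getfacl() {
    cat <<'EOF'
# file: /bin
# owner: root
# group: root
user::rwx
user:wpinfo:---
group::r-x
mask::r-x
other::r-x
EOF
}

# Offline demo: which entries in the sample would block wpinfo?
# On a real server: check_acl /bin wpinfo; check_acl /dev wpinfo fix
sample_getfacl | acl_denials_for_user wpinfo
```

Removing a single named entry with setfacl -x is preferable to setfacl -b, which strips every extended entry on the directory; if getfacl shows nothing for the user, the cause of the failing su lies elsewhere and no ACL change is needed.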