- Remote login as root in ubuntu
- 10 Answers 10
- Как разрешить пользователю root заходить по SSH в системах Linux Ubuntu
- С использованием сертификата
- По паролю
- How do I run a command as the system administrator (root)
- 4 Answers 4
- Running a shell command as root
- sudo (preferred when not running a graphical display)
- su
- Logging in as root
- Single User Mode
- Other programs
- Calife
- Op
- Super
- Running a graphical command as root
- PolicyKit (preferred when using GNOME)
- KdeSu, KdeSudo (preferred when using KDE)
- Other programs
- Obsolete methods
- Manually via one of the shell-based methods
- Editing a file as root
Remote login as root in ubuntu
It is a security risk to enable root login via ssh. Because, malicious programs may attempt brute force login on root@some-server. And if they succeed they can do what they want.
You want to login as root. You don’t need to. Login using your personal account and use sudo as needed.
10 Answers 10
check the /etc/ssh/sshd_config whether the configure PermitRootLogin yes below # Authentication: . If not yes , it doesn’t permit login as root.
Then, restart ssh service to apply the changes: sudo service sshd restart
For Ubuntu 23.04 sudo service ssh restart
By default, the Root account password is locked in Ubuntu.
Please keep in mind, a substantial number of Ubuntu users are new to Linux. There is a learning curve associated with any OS and many new users try to take shortcuts by enabling the root account, logging in as root, and changing ownership of system files.
It talks at length about why it’s been done this way.
Enabling the root account:
To enable the Root account (i.e. set a password) use:
Use at your own risk!
Logging in to X as root may cause very serious trouble. If you believe you need a root account to perform a certain action, please consult the official support channels first, to make sure there is not a better alternative.
Do not enable the root account. Do not set a password for the root account.
A better way is to allow root login using public key authentication, not with password. The reasoning is explained in the Debian mailing list archives.
- Open /etc/ssh/sshd_config and check if PermitRootLogin is set to yes . If not, then set it to yes and restart ssh with sudo service ssh restart
- Create the .ssh directory in root’s home if it doesn’t exist and make sure it has strict permissions:
sudo -i mkdir -p .ssh sudo -i chmod 700 .ssh
cat id_rsa.pub | sudo -i tee -a .ssh/authorized_keys sudo -i chmod 600 .ssh/authorized_keys
With this setup you should be able to login as root using your private key.
If you have previously enabled the root account, make sure to disable it now:
Как разрешить пользователю root заходить по SSH в системах Linux Ubuntu
Обновлено: 04.03.2023 Опубликовано: 07.01.2017
По умолчанию, в некоторых системах Linux (например, Ubuntu) для суперпользователя root вход по SSH с использованием пароля не работает. При попытке подключиться можно увидеть сообщение «access denied» или «permission denied». Такая настройка необходима для обеспечения большей безопасности системе. Однако, если требуется предоставить возможность подключаться по SSH от пользователя root, необходимо выполнить нижеописанное.
* Инструкция подойдет для большинства UNIX-систем.
С использованием сертификата
Система настроена таким образом, чтобы можно было подключиться под пользователем root с использованием сертификата. Рассмотрим, как это сделать.
На любом компьютере с Linux сгенерируем пару ключей командой:
. будет создано 2 файла id_ed25519.pub и id_ed25519. Содержимое файла id_ed25519.pub фиксируем.
Идем на наш целевой компьютер Ubuntu. Создаем каталог:
Вставляем в него содержимое файла id_ed25519.pub.
Теперь с компьютера, где были созданы сертификаты можно зайти на компьютер с Ubuntu:
Теперь с использованием ключа из файла id_ed25519 можно подключиться к нашему компьютеру Ubuntu без пароля.
По паролю
Для начала, необходимо создать пароль пользователю root следующей командой:
После нажатия Enter вводим дважды пароль.
Теперь открываем настройки SSH:
и редактируем параметр PermitRootLogin — задаем значение yes:
* если параметр закомментирован, снимаем комментарий.
** по умолчанию, значение может быть without-password или prohibit-password — оно разрешает вход для root средствами GSSAPI (не парольной аутентификации), например, смарт-карты или отпечатка пальца.
systemctl restart ssh || systemctl restart sshd
или в старых версиях без systemd:
service ssh restart || service sshd restart
How do I run a command as the system administrator (root)
I need to run a command with administrative privileges. Someone said I should run a command as root. How do I do this?
4 Answers 4
The main two commandline possibilities are:
- Use su and enter the root password when prompted.
- Put sudo in front of the command, and enter your password when prompted.
Running a shell command as root
sudo (preferred when not running a graphical display)
This is the preferred method on most systems, including Ubuntu, Linux Mint, (arguably) Debian, and others. If you don’t know a separate root password, use this method.
Sudo requires that you type your own password. (The purpose is to limit the damage if you leave your keyboard unattended and unlocked, and also to ensure that you really wish to run that command and it wasn’t e.g. a typo.) It is often configured to not ask again for a few minutes so you can run several sudo commands in succession.
sudo service apache restart
If you need to run several commands as root, prefix each of them with sudo . Sometimes, it is more convenient to run an interactive shell as root. You can use sudo -i for that:
$ sudo -i # command 1 # command 2 . # exit
Instead of sudo -i , you can use sudo -s . The difference is that -i reinitializes the environment to sane defaults, whereas -s uses your configuration files for better or for worse.
For more information, see the sudo website, or type man sudo on your system. Sudo is very configurable; for example it can be configured to let a certain user only execute certain commands as root. Read the sudoers man page for more information; use sudo visudo to edit the sudoers file.
su
The su command exists on most unix-like systems. It lets you run a command as another user, provided you know that user’s password. When run with no user specified, su will default to the root account.
su -c 'service apache restart'
The command to run must be passed using the -c option. Note that you need quotes so that the command is not parsed by your shell, but passed intact to the root shell that su runs.
To run multiple commands as root, it is more convenient to start an interactive shell.
$ su # command 1 # command 2 . # exit
On some systems, you need to be in group number 0 (called wheel ) to use su . (The point is to limit the damage if the root password is accidentally leaked to someone.)
Logging in as root
If there is a root password set and you are in possession of it, you can simply type root at the login prompt and enter the root password. Be very careful, and avoid running complex applications as root as they might do something you didn’t intend. Logging in directly as root is mainly useful in emergency situations, such as disk failures or when you’ve locked yourself out of your account.
Single User Mode
Single user mode, or run-level 1, also gives you root privileges. This is intended primarily for emergency maintenance situations where booting into a multi-user run-level is not possible. You can boot into single user mode by passing single or emergency on the kernel command line. Note that booting into single-user mode is not the same as booting the system normally and logging in as root. Rather, the system will only start the services defined for run-level 1. Typically, this is the smallest number of services required to have a usable system.
You can also get to single user mode by using the telinit command: telinit 1 ; however, this command requires you to already have gotten root privileges via some other method in order to run.
On many systems booting into single user mode will give the user access to a root shell without prompting for a password. Notably, systemd -based systems will prompt you for the root password when you boot this way.
Other programs
Calife
Calife lets you run commands as another user by typing your own password, if authorized. It is similar to the much more widespread sudo (see above). Calife is more light-weight than sudo but also less configurable.
Op
Op lets you run commands as another user, including root. This not a full-blown tool to run arbitrary commands: you type op followed by a mnemonic configured by the system administrator to run a specific command.
Super
Super lets you run commands as another user, including root. The command must have been allowed by the system administrator.
Running a graphical command as root
PolicyKit (preferred when using GNOME)
Simply prefix your desired command with the command pkexec . Be aware that while this works in most cases, it does not work universally.
See man pkexec for more information.
KdeSu, KdeSudo (preferred when using KDE)
kdesu and kdesudo are graphical front-ends to su and sudo respectively. They allow you to run X Window programs as root with no hassle. They are part of KDE. Type
kdesu -c 'command --option argument'
and enter the root password, or type
kdesudo -c 'command --option argument'
and enter your password (if authorized to run sudo ). If you check the “keep password” option in KdeSu, you will only have to type the root password once per login session.
Other programs
Ktsuss (“keep the su simple, stupid”) is a graphical version of su.
Beesu is a graphical front-end to the su command that has replaced Gksu in Red Hat-based operating systems. It has been developed mainly for RHEL and Fedora.
Obsolete methods
gksu and gksudo are graphical front-ends to su and sudo respectively. They allow you to run X Window programs as root with no hassle. They are part of Gnome. Type
gksu command --option argument
and enter the root password, or type
gksudo command --option argument
and enter your password (if authorized to run sudo ).
gksu and gksudo are obsolete. They have been replaced by PolicyKit in GNOME, and many distributions (such as Ubuntu) no longer install them by default. You should not depend on them being available or working properly.
Manually via one of the shell-based methods
Use one of the methods in the «running a shell command as root section». You will need to ensure that neither the DISPLAY environment variable nor the XAUTHORITY environment get reset during the transition to root. This may require additional configuration of those methods that is outside the scope of this question.
Overall, this is a bad idea, mostly because graphical applications will read and write configuration files as root, and when you try to use those applications again as your normal user, those applications won’t have permission to read their own configurations.
Editing a file as root
It should be noted that sudo will only work if (1) it’s installed and (2) if your use is in the sudoers file and it allowed to perform the operation.
In either case, you will be prompted for the root password. For more information, see the manual page.
Since the question was not Linux specific, here’s how you achieve the same goal in Solaris 9+ (or Trusted Solaris 8):
Solaris, since version 9, has included a suite of tools affectionately referred to as RBAC, or Role Based Access Control.
The gist of RBAC is that through the granting of Authorizations and Rights, to Users and/or Role, or the granting of Roles to Users, you can create incredibly fine grained models for who can run what with which privileges.
Essentially, you identify authorization in /etc/security/auth_attr, then grant them to users or roles in /etc/user_attr.
You define profiles in /etc/security/prof_attr. You then associate commands with those profiles in /etc/security/exec_attr, followed by assigning those profiles to users in the /etc/user_attr file.
Once those things are done, you actually run pfexec to execute the command with privileged or authorizations that are granted to that user for that command.
The nice thing about RBAC is that there are no additional privileges granted to the command itself, or the user, only to the combination of user + command. So it’s safer than making a binary +s, or just using sudo to make a user be able to execute pretty much anything. (I know that you can lock down sudo, but in my experience most people don’t)
Another advantage of RBAC is that you can make root a role account, and assign that role to users who are able to become root with the ‘su’ command and the root password. The root user will also be able to log in in Single User Mode, which is better (in my opinion) than the Linux model where you can disable the root password passwd -d root , or lock the root account passwd -l root , both of which make logging in as root quite hard when something goes wrong.
Ben Rockwood has a great blog post on RBAC that can be read at Using RBAC on (Open)Solaris.