11

I followed the instructions here carefully; however, I haven't gotten this working right. Here is what I did:

  1. Run WinSCP enter Hostname (Elastic IP of my Instance)
  2. enter username "ec2-user"
  3. enter public key file
  4. chose SCP for the protocol
  5. Under SCP/Shell settings I chose "sudo su -"
  6. Hit Login
  7. WinSCP asks me for passphrase key, Hit OK
  8. Shows up this error

Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).

NOTE: This works on Putty

Aivan Monceller

5 Answers

10

With credit to this post and this AWS forum thread, it seems the trick is to comment out Defaults requiretty in sudoers. My procedure now:

  1. Log in to your EC2 instance using Putty.
  2. Run sudo visudo, a special command to edit /etc/sudoers.
  3. Press the Insert key to start Insert mode.
  4. Find the line Defaults requiretty. Insert a hash symbol (#) before that line to comment it out:
    #Defaults requiretty
  5. Press the Esc key to exit Insert mode.
  6. Type :wq to write the file and quit visudo.

In WinSCP:

  1. Under Advanced > Environment > SCP/Shell, change the Shell to sudo su -.
  2. Under SSH > Authentication, choose your Private key file (.ppk file).
Mark Berry
  • Thanks. Worked for me. I was using an Ubuntu 18.04 instance. The "Defaults requiretty" line was not present at all in "sudo visudo" in my case. So I only did the WinSCP settings updates. – Dub Nazar Jul 03 '19 at 15:00
2

I was having the same problem and solved it using the steps in this tutorial. I would have posted it here, but I don't have enough rep for images/screens.

http://cvlive.blogspot.de/2014/03/how-to-login-in-as-ssh-root-user-from.html

Carl McDade
  • Unfortunately this didn't work for me. But once I commented out `Defaults requiretty` in sudoers, I was able to connect--even with "Attempt 'keyboard-interactive' authentication" checked. – Mark Berry Aug 05 '14 at 01:28
2

WinSCP does not support commands that require terminal emulation or user input.

See: http://winscp.net/eng/docs/remote_command#limitations

Since sudo su - expects a password, it wouldn't work.

There is a way around it: make root logon without being prompted for a password. You can do this by editing your sudoers file usually located at /etc/sudoers and adding:

root ALL=NOPASSWD: ALL

Needless to say, this is Not a Very Good Thing To Do - for reasons which should be obvious :)

Martin Prikryl
Jay Sidri
  • Is there a way of logging in as a non-root user via WinSCP? – powtac Aug 09 '13 at 17:00
  • 1
    For more detailed instructions for password-less `sudo` setup for WinSCP, see http://winscp.net/eng/docs/faq_su – Martin Prikryl Jun 13 '14 at 08:07
  • 1
    I thought `su -` would require a password, but not `sudo su -`? The OP states he's using public key authentication, so no password is involved. The trick seems to be to let sudoers be happy without a TTY device by commenting out `Defaults requiretty`. More details in my answer. – Mark Berry Aug 05 '14 at 01:46
1

The following tutorial worked for me and provides helpful screenshots. Logging in as a regular user with sudo permissions just required tweaking a few WinSCP options. http://cvlive.blogspot.de/2014/03/how-to-login-in-as-ssh-root-user-from.html

Set Session/File protocol to: SCP, enter host/instance ip, port - usually 22, and regular username. Enter password credentials if the login requires it. Add Advanced/SSH/Authentication/Private key file.

Unchecking Advanced/SSH/Authentication/attempt "keyboard interactive" authentication should allow Advanced/Environment/SCP Shell/Shell/Shell: sudo su - to provide sudo permissions for accessing webserver directories as a non-owner user.


Update 08/03/2017

WinSCP logging can be helpful to troubleshoot issues: https://winscp.net/eng/docs/logging

[WinSCP] Logging can be enabled from Logging page of Preferences dialog. Logging can also be enabled from command-line using /log and /xmllog parameters respectively, what is particularly useful with scripting. In .NET assembly, session logging is enabled using Session.SessionLogPath.

Depending on WinSCP connection errors, some server installations may need a directive added to the (Ubuntu, CentOS, other-Linux-Server) /etc/sudoers file to not require TTY for a specified user. Creating a file in /etc/sudoers.d/ (using a tool such as Amazon Command Line Interface or PuTTY) may be a better option than editing /etc/sudoers. Some /etc/sudoers versions recommend it:

This file MUST be edited with the 'visudo' command as root. Please consider adding local content in /etc/sudoers.d/ instead of directly modifying this file. See the man page for details on how to write a sudoers file.

When editing a sudoers file (as root) through the command-line, the 'visudo' command should be used to open the file as it will parse the file for syntax errors. /etc/sudoers.d/ files are typically owned by root and chmoded with minimal permissions. The default /etc/sudoers file may be referenced as it should automatically have recommended chmod permissions on installation. e.g.: 0440 r--r----- .

https://superuser.com/a/869145 :

visudo -f /etc/sudoers.d/somefilename

Defaults:username !requiretty 

Helpful Links:

WinSCP Forum:

WinSCP Doc: https://winscp.net/eng/docs/faq_su

With SCP protocol, you can specify following command as custom shell on the SCP/Shell page of Advanced Site Settings dialog:

sudo -s

[...]

Note that as WinSCP cannot implement terminal emulation, you need to have sudoers option requiretty turned off.

Instructions in Ubuntu Apache /etc/sudoers recommend adding directives to /etc/sudoers.d rather than editing /etc/sudoers directly. Depending on the installation, adding directive to /etc/sudoers.d/cloud-init may work as well.

It may be helpful to create an SSH test user with sudo permissions by following the steps provided in instance documentation to ensure that the user has recommended instance settings and any updates to server sudoer files can be effected and removed without affecting other users.

1keown
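An added example, not part of any answer above and not WinSCP or sudo project code: a small Python audit of sudoers text for the settings these answers change. It reports whether `requiretty` is still in force globally, which users are exempted with `Defaults:username !requiretty`, and which rules grant `NOPASSWD: ALL`. The sample file and the `deploy` and `backup` user names are constructed for illustration; the function reads one file's text and only lists include directives, it does not follow them.

```python
import re

# Constructed sample, not taken from a real host.
SAMPLE = """\
Defaults    requiretty
#Defaults   env_reset
Defaults:deploy !requiretty
#includedir /etc/sudoers.d
root    ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# "Defaults", optionally scoped (":user", "@host", ">runas", "!cmd"), then settings.
DEFAULTS = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.*)$")

def audit_sudoers(text):
    """Return requiretty state, per-user exemptions and blanket NOPASSWD rules."""
    report = {"global_requiretty": False, "tty_exempt": [],
              "nopasswd_all": [], "includes": []}
    for raw in text.splitlines():
        line = raw.strip()
        # '#include' / '#includedir' are directives, not comments.
        inc = re.match(r"^[#@]include(?:dir)?\s+(\S+)", line)
        if inc:
            report["includes"].append(inc.group(1))
            continue
        if not line or line.startswith("#"):
            continue  # blank line or a real comment such as '#Defaults requiretty'
        m = DEFAULTS.match(line)
        if m:
            scope, target, settings = m.groups()
            for opt in (o.strip() for o in settings.split(",")):
                if opt.lstrip("!") != "requiretty":
                    continue
                enabled = not opt.startswith("!")
                if scope is None:
                    report["global_requiretty"] = enabled  # last match wins
                elif scope == ":" and not enabled:
                    report["tty_exempt"].append(target)
            continue
        # User specification: flag NOPASSWD that covers every command.
        if re.search(r"NOPASSWD:\s*ALL\b", line):
            report["nopasswd_all"].append(line.split()[0])
    return report
```

On the sample, the per-user exemption leaves `requiretty` in force for everyone except `deploy`, while commenting out the global line removes it for every account.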
-2

Under SCP/Shell settings, instead of "sudo su -", choose /bin/bash.

It should work.

Peach