How do I change user after login (e.g. su root)?
None of the protocols WinSCP supports (SFTP, FTP and SCP) allows the user to be changed in the middle of a file transfer session. You need to start the session with the correct user.
Direct Login
The easiest way is to allow direct login with the user account you need, if it is not allowed already. For accounts such as root, direct login is typically disabled by default for security reasons, so when enabling it, have security in mind.
Particularly with SSH, you may want to keep password authentication (the most vulnerable method) disabled for root and use e.g. public key authentication instead. With OpenSSH server, you can do that by setting the sshd_config keyword PermitRootLogin to prohibit-password (the older spelling without-password is still accepted, and this has been the default since OpenSSH 7.0). Note that sshd uses the first occurrence of a keyword, so the directive must come before any existing PermitRootLogin line in the file; verify the effective value with sshd -T before reloading the server. [1]
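As an added example (not part of the WinSCP documentation), the following shell functions read an sshd_config text the way sshd does, first occurrence of a keyword wins and keyword names are case-insensitive, and report whether root is limited to non-password authentication. The functions only evaluate the global section (anything after the first Match line is skipped, a simplification), and both configuration texts are constructed for the demo; the "weak" one shows the common mistake of appending a hardened line below an earlier PermitRootLogin yes.

```shell
# Added example, not part of the WinSCP documentation. Inspects an
# sshd_config text with sshd's own rules: the first occurrence of a
# keyword is the effective one, keywords are case-insensitive.

# Print the effective value of KEYWORD from the sshd_config text on stdin.
# Simplification: only the global section is read; lines after the first
# "Match" block start are conditional and are ignored here.
sshd_effective() {
    keyword=$1
    awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        tolower($1) == "match"   { exit }            # stop at Match blocks
        tolower($1) == kw        { print $2; exit }  # first occurrence wins
    '
}

# Return 0 when root may only log in with non-password methods and
# password authentication is off globally; return 1 otherwise.
# An absent keyword yields "", which is treated as not hardened: the
# check demands the setting be explicit rather than rely on defaults.
root_login_hardened() {
    cfg=$1
    prl=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    pwa=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    case "$prl" in
        prohibit-password|without-password|forced-commands-only|no) ;;
        *) return 1 ;;
    esac
    [ "$pwa" = "no" ]
}

# Constructed sample: an admin appended a hardened line at the end, but
# the earlier "yes" still wins, so this config is NOT hardened.
WEAK_CFG='PermitRootLogin yes
PasswordAuthentication no
# appended later; sshd ignores it because the keyword already occurred
PermitRootLogin prohibit-password'

# Constructed sample: hardened, with the effective lines placed first.
# The Match block below is not evaluated by sshd_effective.
HARDENED_CFG='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

if root_login_hardened "$WEAK_CFG"; then
    echo "WEAK_CFG: root limited to key-based login"
else
    echo "WEAK_CFG: NOT hardened (effective PermitRootLogin: $(printf '%s\n' "$WEAK_CFG" | sshd_effective PermitRootLogin))"
fi
if root_login_hardened "$HARDENED_CFG"; then
    echo "HARDENED_CFG: root limited to key-based login"
else
    echo "HARDENED_CFG: NOT hardened"
fi
```

On a real host, feed the function the live file (sshd_effective PermitRootLogin < /etc/ssh/sshd_config) or, better, compare against sshd -T, which also resolves Include and Match directives.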
Use sudo on Login
In some cases (with a Unix/Linux server) you may be able to use the sudo command straight after login to change the user, before the file transfer session starts.
The FTP protocol does not allow this.
The SFTP and SCP protocols allow it, but the actual method is platform dependent.
- With the SFTP protocol, you can use the SFTP server option on the SFTP page of the Advanced Site Settings dialog to execute the SFTP binary under a different user. With OpenSSH server, you can specify:
sudo /bin/sftp-server
Note that the SFTP server binary may be located elsewhere [2] (e.g. in /usr/lib/sftp-server, /usr/lib/openssh/sftp-server or /usr/libexec/openssh/sftp-server).
- With the SCP protocol, you can specify the following command as the custom shell on the SCP/Shell page of the Advanced Site Settings dialog:
sudo -s
However, you will not be able to provide a password for sudo (see remote command execution limitations). So you can do the above only if you are allowed to run sudo without being prompted for a password. See the sudo documentation to learn how to do that. For example, you can add the following line to the sudoers file (/etc/sudoers; always edit it with visudo, so that a syntax error does not lock you out of sudo):
yourusername ALL=NOPASSWD: ALL
The above line is very permissive: it allows user yourusername on any host (the first ALL is the host list; it does not restrict where the user connects from) to run any command (the second ALL) as root without being asked for a password. So you should restrict it as much as possible.
For example, with OpenSSH you may restrict it to the SFTP session only by:
yourusername ALL=NOPASSWD: /bin/sftp-server
The path must be the same one you enter in WinSCP, since sudo matches the command by its full path. A rule restricted to the SFTP binary does not cover the sudo -s shell used for the SCP protocol.
Note that as WinSCP cannot implement terminal emulation, you need to have the sudoers option requiretty turned off. That is the upstream default, but some distributions (notably older Red Hat-based ones) ship a sudoers file with Defaults requiretty enabled; you can override it for the one account with Defaults:yourusername !requiretty.
1. An even more restrictive option, forced-commands-only, may work with the SFTP protocol, but it has not been tested.
2. You can see the path to the SFTP binary in the Subsystem sftp clause in /etc/ssh/sshd_config, unless the keyword internal-sftp is used instead of a path. In that case sshd serves SFTP in-process and the clause names no binary to run under sudo; the standalone binary is usually still installed alongside sshd, and you can locate it with the whereis sftp-server command.
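As an added example (not part of the WinSCP documentation or of the sudo project), the shell functions below locate the OpenSSH sftp-server binary among the usual locations listed above and build the restricted sudoers rule for the SFTP-via-sudo setup, including the per-user requiretty override. The optional directory prefix, the user name yourusername and the temporary file tree in the demo are assumptions for offline use; on a real host the prefix is empty and the generated file belongs in /etc/sudoers.d/, validated with visudo.

```shell
# Added example, not the WinSCP project's own code. Generates a sudoers
# drop-in that lets one account run exactly the sftp-server binary as
# root without a password, which is what WinSCP's
# "sudo /path/to/sftp-server" SFTP server setting needs.

# Print the first sftp-server binary found among the usual locations,
# optionally under a directory prefix (used here to test on a fake tree).
# Returns 1 if none is present, e.g. when sshd uses internal-sftp and no
# standalone binary is installed.
find_sftp_server() {
    prefix=${1:-}
    for p in /bin/sftp-server /usr/lib/sftp-server \
             /usr/lib/openssh/sftp-server /usr/libexec/openssh/sftp-server; do
        if [ -f "$prefix$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Print sudoers content for USER: switch off requiretty for that user
# only (WinSCP has no terminal), then allow exactly BINARY as root with
# no password on any host. The first ALL is the host list, not a source
# address; (root) makes the implicit run-as user explicit. The path must
# match what is entered in WinSCP, since sudo compares full paths.
sudoers_sftp_rule() {
    user=$1
    binary=$2
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$binary"
}

# Write the rule to DEST with mode 0440 (sudo refuses world- or
# group-writable files under sudoers.d). umask runs in a subshell so
# the caller's umask is untouched.
install_sftp_rule() {
    user=$1
    binary=$2
    dest=$3
    ( umask 337; sudoers_sftp_rule "$user" "$binary" > "$dest" )
}

# Syntax-check a generated file without installing it. Run this as root
# on the real host before moving the file into /etc/sudoers.d/.
check_sudoers_file() {
    visudo -cf "$1"
}

# Demo on a constructed tree: a fake binary under a temporary prefix.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/lib/openssh"
: > "$demo_root/usr/lib/openssh/sftp-server"
if bin=$(find_sftp_server "$demo_root"); then
    install_sftp_rule yourusername "$bin" "$demo_root/winscp-sftp"
    echo "found $bin; generated rule:"
    cat "$demo_root/winscp-sftp"
else
    echo "no sftp-server binary found (internal-sftp only?)"
fi
rm -rf "$demo_root"
```

The generated rule covers only the SFTP protocol; the sudo -s custom shell used for SCP needs a broader rule, which is why the text above recommends restricting to the SFTP binary where possible.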