How to use SFTP on a system that requires sudo for root access & ssh key based authentication?

Calling the subsystem with sudo worked for me.

To an Ubuntu host for example:

sftp -s "sudo /usr/lib/openssh/sftp-server" targethost.fqdn

SFTP is a command access to file operations, with the restrictions from the account you use. You must use ssh for make more administrative operations, making impossible use sudo and SFTP at same time. If you need access to the entire disk without restriction using SFTP, do it using the root account. Anyway you can make a login with root on sftp and ssh at same time, of course, using two different sessions.

The security keys improve the security and make more easy the logging, not requiring keyboard input. Only helps to make login, you can had several passwords for every account user and had the same effect.

EDIT: I forgot: you can create another account with the same effect than root if you assign the user id to 0, but not had any sense, being dangerous in the same way. Could give some obfuscation if somebody try to login like root, but apart of that, not had much sense.


Beyond what @MartinVonWittich suggested in the comments above you could setup a dedicated SSH key pair just for this activity and add them to the root user's /root/.ssh/authorized_keys file limiting their scope to just a single command.

# User backup's $HOME/.ssh/authorized_keys file
command="/usr/libexec/openssh/sftp-server" ssh-dss AAAAC8ghi9ldw== backup@host

This would allow another system with the corresponding key to this pair to SFTP into this system as root. You'd still have a record of this connection in your syslog and/or secure.log files (assuming your distro provides this level of logging).

NOTE: Whomever accesses the server in this method would have cartes blanche access, so use it wisely. Better still continue reading and combine this capability with chroot and read only access, to construct tighter restrictions and targeted access to specific locations as root.

chroot & readonly

The other technique you could exploit here would be to limit the SFTP connection so that it was chrooted into specific locations as root, based on which SSH key was used. See my answer to this U&L Q&A titled: "Restrict password-less backup with SFTP" for more details.

You can also control sftp-server through its switches -R and -d.

 -d start_directory
         specifies an alternate starting directory for users.  The pathname 
         may contain the following tokens that are expanded at runtime: %%
         is replaced by a literal '%', %h is replaced by the home directory
         of the user being authenticated, and %u is replaced by the user‐
         name of that user.  The default is to use the user's home 
         directory.  This option is useful in conjunction with the 
         sshd_config(5) ChrootDirectory option.

 -R      Places this instance of sftp-server into a read-only mode.  
         Attempts to open files for writing, as well as other operations 
         that change the state of the filesystem, will be denied.

Tags:

Sftp

Ssh