# TRICK: su to root without a password

## ectospasm

DISCLAIMER: I do not suggest you do this on a production system for security reasons, unless you like to live dangerously.  It is safer, security-wise, not to allow root logins through SSH.  DO THIS AT YOUR OWN RISK.

If you couldn't tell from the disclaimer, this actually uses ssh, not su, to login to your machine.  It uses public/private key encryption in order to accomplish this.  These instructions assume your shell is bash, and they assume you know how to su to root.  These are the steps you need to follow:

Install openssh if it's not already installed and configured to allow root logins.  It's outside the scope of this post to tell you how, but it should be straightforward.  I don't seem to remember doing anything special to enable root logins.

Make sure sshd is running.  It should be as simple as this (logged in as root):

```
# /etc/init.d/sshd start
```

Logged in as your main user (not root), and create your RSA keys.  Type the following in your root home directory:

```
$ ssh-keygen -t rsa
```

Follow the prompts (the defaults should suffice, and I didn't enter a passphrase).  Once finished, your new keys will be in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, for your private and public keys, respectively.  WARNING:  Your private key needs to remain private.  If someone gets hold of it, they will be able to login as you, into your root account, without a password.  So keep it safe.

su to root now 

```
$ su -
```

Create the .ssh directory in root's home directory (defaults to /root/) if it's not already created.

Perform the following command:

```
# cat ~user/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys2
```

Replace "user" with your actual main user name.  Note that authorized_keys2 probably does not exist, and we'll be creating, not appending to that file if that is the case.  We're appending just to be safe.  If you want to make sure no one has maliciously added their own key, you can overwrite the file (> instead of >>).

Log out of your root su session (CTRL-D or exit)

Now for the magic part.  Test out that the keys actually work:

```
$ ssh root@localhost
```

If all goes to plan you should now be in a root session, without having to type in a password.

"ssh root@login" is a relatively long command to type, compared to "su -".  Create an alias in your primary user (not root) .bashrc file.  Add this line to the bottom of that file:

```
alias sup='ssh root@localhost'
```

You can change the letters 'sup' to be anything you want.  Just make sure there isn't already a command in your path that has that name.

Source the new .bashrc file, like so:

```
$ . .bashrc
```

I hear you can get away with typing "source .bashrc", but I like to type as few keystrokes as possible.

To test your new alias, type the following at your prompt (assuming the alias name is 'sup'):

```
$ sup
```

You, like before, should now be in a root shell without having to type a password.

As long as you can keep your private key safe, this should be relatively secure.  There is a little overhead since we're not using a direct login, but the performance hit should be negligible.  If you maintain several machines you can append your id_rsa.pub file to each machine's authorized_keys2, and log into them without typing a password.  I got the idea for all of this from Linux Server Hacks, hack 66.

I'd like to see a philosophical discussion on whether this is a good idea or not.  I'm still undecided.  One thing that I definitely do not suggest is generating keys in your root account, and then using this method to allow passwordless logins to other machines.  I had done this, and realized it was a bad idea today since if the first machine got rooted, potentially every other machine that has that root's public key would be vulnerable.

----------

## kimchi_sg

Sounds like a bad idea to me.  :Rolling Eyes: 

We could just use sudo for passwordless root logins, after all.

----------

## ectospasm

My whole point is not having to type a password.  Doesn't sudo require you to type your own password (I don't know, I don't use it)? As long as you can guarantee the safety of your private key, it shouldn't be a problem.  Someone would have to have your private key to breach your security.  It all depends on how physically secure your box is. YMMV, but no one touches my machine but me.

----------

## Jeremy_Z

I suggest another bad idea :

Configure sudo with no password for all command, just type "sudo su" 

 :Laughing: 

----------

## pijalu

 *ectospasm wrote:*   

> ... Doesn't sudo require you to type your own password (I don't know, I don't use it)? ...

 

FYI:

```

%wheel        ALL=(ALL)       NOPASSWD: ALL

```

in /etc/sudoers 

and all wheel users can call sudo without passwd prompt. 

Change %wheel by username and only this user will have no passwd sudo

(edit this file using visudo to be a good boy)

----------

## irondog

Great!!. I hate to type the root password over and over again.

 All my desktop boxes have a blank root password and root access disabled for ssh. I like your kind of setup, it a lot safer and does exactly the same thing I got used to. Thnx for the guide!

----------

## Sheepdogj15

[weird forum error, ignore this post]

----------

## Sheepdogj15

the only significant risk i see is if someone gets into your user account on that computer. better not leave it unattended. and better have a crack-resistant password.

note that having sshd running will allow people to attempt to log onto your system, remotely. of course, that assumes you don't have the ports blocked by iptables, or something like that. my recommendation would be to just not have sshd running unless you have a real need for it. (sshd is pretty secure in and of itself, it's just that we paranoid sys admins want to have as small of a vulnerability footprint as possible.)

----------

## Jake

I'm a newb with this sort of stuff, but if sudo is only ever used for nopassword su'ing by a single user, wouldn't the following be sufficient?

```
#include <sys/types.h>

#include <unistd.h>

#include <stdio.h>

int main() {

if( getuid() == (uid_t)1000 ) {

        setuid( (uid_t)0 );

        setgid( (gid_t)0 );

        execl("/bin/bash", "bash", 0);

        return 0;

}

else {

        printf("sorry\n");

        return 1;

}

}
```

naturally, you'll want to call that something like easysu.c and do:

```
$ gcc -o easysu easysu.c

chown root easysu

chmod u+s easysu
```

----------

## dev-urandom

Well in case you are insistent on being su without password, here's a better suggestion:

```

echo "auth       sufficient   pam_wheel.so use_uid trust" >> /etc/pam.d/su

usermod -g wheel myuser 
```

This will make myuser be able to su without any password.

I will not harp on the dangers of being root without any password: This can be akin to nuking your system if don't use it properly.

Whosoever does it should be aware of whatever that could result.

----------

## humbletech99

Thanks for this guys! The first post was interesting and obviously there was effort there but there do seem to be much better ways like using sudo. I'd personally do that. The tiny c code was very cool though and simple enough even for someone with rusty c like me. The easist is probably to 'sudo su' without password and alias it to su as this gets checked first before the path to the actual binary. Then every time you 'su' you get root without a password!

----------

## damjanek

also 

```
sudo su -
```

 is very easy way to obtain root privillages.

----------

## ectospasm

I'd agree, sudo is the way to go, but I didn't really use it until after I started this thread.

----------

## monkey89

 *damjanek wrote:*   

> also 
> 
> ```
> sudo su -
> ```
> ...

 

Or just type sudo -s to get a shell with sudo.

-Monkey

----------

## slycordinator

If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time.

----------

## pijalu

 *slycordinator wrote:*   

> If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time.

 

I like the smell of napalm in the morning...

----------

## slycordinator

 *pijalu wrote:*   

>  *slycordinator wrote:*   If you guys are so hung up about having to enter the root password for su you should just never create an account and log in as root all the time. 
> 
> I like the smell of napalm in the morning...

 

Apocalypse Now?    :Laughing: 

But seriously, if you want to enter "su" and not be prompted for a password you might as well just log in as root all the time because the reason you use "su" is because if your box is compromised the person can only do the commands that the logged in user can do. And surely, they would try "su"  :Rolling Eyes: 

----------

## pijalu

 *slycordinator wrote:*   

> 
> 
> Apocalypse Now?   
> 
> But seriously, if you want to enter "su" and not be prompted for a password you might as well just log in as root all the time because the reason you use "su" is because if your box is compromised the person can only do the commands that the logged in user can do. And surely, they would try "su" 

 

I agree on the "got root" point, but lMHO, on a _desktop_ (and if configured correctly... eg no need for apache user to be able to sudo...Note: on a production machine, the problem is different), this is just a matter of choice, a personal balance between "risk" and ease of use...

----------

## humbletech99

actually not, you might do something accidentally when you are at a command prompt and therefore by 'su'ing to it you put yourself in the more careful frame of mind, them exit the su when you are finished, so there is a difference and running as root is a very bad idea....

so yes, security wise, it's rubbish, but if you're not worried about security and want ease of use while still not accidentally breaking things, this is as good a solution as any, just have a strong user account password!

----------

## cornet

Root on external listening ssh is bad, especially if you still allow password auth.

Ok here is an outline of how to do this safely which is suitable for production use.

The method goes as follows:

Setup a 2nd sshd listening on a different port (say 2222)

The configuration of this should be as follows:

* Listen ONLY on localhost

* Allow root login

* Allow key auth

* Disable password auth

* Disable usePam

Now add your keys to /root/.ssh/authorized_keys as described in the original post.

Right now we create 2 short shell scripts, which should be placed in your path somewhere.

The first is the root script which is the equivelent of "su -"

```

#!/bin/sh

ssh -p 2222 root@localhost "$@"

```

The second is the rootdo sciript which works like sudo

```

#!/bin/sh

 

 D=`pwd`

 root cd $D\&\&"$@"

```

Now how to use this setup.

Say the box in question is called "myserver".

You basically forward your ssh-agent to "myserver", (google if you don't know about ssh-agent)

This can be done in 2 ways.

1. On the command line

```

ssh -A myserver

```

2. Via ~/.ssh/config, into which you add the following

```

Host myserver

  ForwardAgent yes

```

Now you can ssh to myserver and issue the command

```

root

```

to get a root shell  :Smile: 

or

```

rootdo <some command>

```

to just run a command as root.

Now there is a security consideration with this.

... From the ssh man page:

```

             Agent forwarding should be enabled with caution.  Users with the

             ability to bypass file permissions on the remote host (for the

             agent's Unix-domain socket) can access the local agent through

             the forwarded connection.  An attacker cannot obtain key material

             from the agent, however they can perform operations on the keys

             that enable them to authenticate using the identities loaded into

             the agent.

```

This basically means that any one else with root access to the box that you are forwarding your agent to can hijack your ssh agent session and use it to ssh to any boxes on which you are keyed on!

So basically don't do on this on a box where you don't know who has root access.

I have an ebuild file that installs the scripts and sets up the 2nd ssh server (which just involves duplicating /etc/init.d/ssh and pointing it at new configs and pid files)

Oh and definitly don't use keys without a passphrase on them for this!!. Using ssh-agent means you only have to type in the passphrase for your keys once per session (when you leave your workstation either lock it with xlock or do unload your keys from the agent then reload them when you get back)

Cornet

----------

## nesl247

Why not do this

Open /etc/pam.d/su

Uncomment: 

```
auth       sufficient   pam_wheel.so use_uid trust
```

Save. Then add the user to the wheel group and anyone in the wheel group no longer needs to use a password for root.

----------

## cornet

 *nesl247 wrote:*   

> Why not do this
> 
> Open /etc/pam.d/su
> 
> Uncomment: 
> ...

 

Its not a good idea for a few reasons:

* Root access is secured by only a single password, somone finds out your password then they have full access.

(Note with the ssh method i described someone needs to get your key and know the passphrase - I have a 40+ char passphrase on mine)

* That method makes it impossble to log into the box and not easily be able to have a root shell. This could easily go wrong (i've seen install scripts try to su - and if that works then install the software, not what you want if you're not expecting it!)

Cornet

----------

## humbletech99

I agree, I think it's bad idea to do this since you are losing control for minimal increase in ease of use, I would personally just put up with the password, su to root and use the root shell for as long as I want because at least then you are aware of the risks. Otherwise you might get a nasty surprise one day... but it's entirely down to personal choice, a compromise between security and laziness...

----------

## andyfaeglasgow

You can actually do this without using ssh or sudo by configuring pam.  

Check out /etc/pam.d/su.  If you uncomment one of the lines in there, wheel users can su to root without any password required.  If someone is sitting on your machine as a wheel user you're in trouble anyway.

----------

## sundialsvc4

The basic idea of this post is a good one .. using RSA keys for security in SSH .. but the concept is somewhat mis-applied when it is used to "log on to root (no less...) without a password."

The strongest way to use SSH, by far, is to use the Level-2 protocol with "digital certificates only."  Those can be issued without a password but it is safer to put a password on them.  SSH, however, is programmed to use only certificates, not the "challenge/response' (password) authentication method.  And, it's programmed not to allow direct access to root.

Anyone with a dictionary can crack most passwords...  but they can't "crack" a digital certificate.  It is a very secure keying mechanism that can be made very simple for its authorized holders -- even password-free.  But it's much stronger than passwords.

----------

## nesl247

 *andyfaeglasgow wrote:*   

> You can actually do this without using ssh or sudo by configuring pam.  
> 
> Check out /etc/pam.d/su.  If you uncomment one of the lines in there, wheel users can su to root without any password required.  If someone is sitting on your machine as a wheel user you're in trouble anyway.

 

Thats what my post was about...

----------

## humbletech99

yeah, I'm aware of how cool pams are but they're also quite complicated to first look at and if you don't get them exactly right you'll screw your system and you'd have to do a recovery, so if somebody isn't familiar it's best to leave them alone as they aren't worth the hassle.

generally it's easier to just put the line in sudoers to allow sudoing without a password and then sudo su without needing a passwd. you could create an alias in your bashrc script as follows su="sudo su" and then all will work as desired with transparent ease.

Still think it's better to just su and put in your passwd though...

----------

## cornet

 *humbletech99 wrote:*   

> 
> 
> generally it's easier to just put the line in sudoers to allow sudoing without a password and then sudo su without needing a passwd. you could create an alias in your bashrc script as follows su="sudo su" and then all will work as desired with transparent ease.
> 
> 

 

Still a silly idea, definitly not for use on a production server.

 *humbletech99 wrote:*   

> 
> 
> Still think it's better to just su and put in your passwd though...

 

Indeed - if you're unsure about anything said in this thread then just stick with passwords.

Cornet

----------

## humbletech99

Indeed, I prefer to stick with passwords, they're not that much trouble and any seasoned sysadmin will be more than used to putting them in all the time...

Su and use a password. Simplest, safest and most elegant solution.

----------

## pyxel

my mean:

```
# cat /etc/sudoers

...

root    ALL=(ALL) ALL

pyxel ALL=(ALL) NOPASSWD: ALL

...
```

```

# cat /home/pyxel/.bashrc

...

alias su='sudo su'

...
```

and just type su for root login.

----------

## ectospasm

 *pyxel wrote:*   

> my mean:
> 
> ```
> # cat /etc/sudoers
> 
> ...

 

That's what I eventually ended up doing (except my alias is "sup", just for the sake of making it distinct).  The only thing I miss from the ssh method is the notice I'd receive of my last login when I'd login, and I'm too lazy to figure out how to put it in .bashrc...

----------

## Xk2c

```
alias su='sudo su'
```

 *Quote:*   

> and just type su for root login.

 

instead of using this alias you could also just type:

```
 sudo -i
```

----------

