How to Change Users After Login

The SFTP protocol does not provide a way to switch users after initially logging in. However, there are a couple of tricks that use Xftp's custom SFTP server option to run the sftp-server binary under a different user account, which has the same effect.

One method is to use the sudo command, and the other is to use the setuid bit of chmod. Both methods require system admin (root) privileges. This tutorial will go over these two methods.

Before beginning, note where the sftp-server binary is installed. The Subsystem line in sshd_config gives its path:

    # cat /etc/ssh/sshd_config | grep sftp
    Subsystem sftp /usr/libexec/openssh/sftp-server

Running the sftp-server Using Sudo

  1. Register Users in Sudo.
    Any user who will run the sftp-server through sudo must be listed in the sudoers file:

    # vi /etc/sudoers
    ...
    # This needs to be commented out for Redhat series Linux.
    #Defaults requiretty
    ...
    User_Alias SFTPUSER = john,jane
    SFTPUSER ALL=(ALL) NOPASSWD:full_path_of_your_sftp_server
    # NOPASSWD is mandatory.
    # sftp-server can be in any other place
    • requiretty - When requiretty is set, sudo only runs from a session that has a tty allocated, in other words an interactive login. The SFTP subsystem runs without a tty, so this must be set to !requiretty (or commented out, as in the example above), otherwise sudo refuses to start the sftp-server.

    • SFTPUSER - An alias for the list of accounts that may run the command through sudo. The alias name must be written in capital letters. In the example above it includes the john and jane accounts.

    • ALL - This value refers to the host on which sudo is running. We’ve selected ALL to allow it to run on any hostname.

    • (ALL) - This is the user account and/or the group that you will change to. Selecting ALL allows any account, including root, to execute commands on behalf of the initially logged in user. If you only want to target specific users, enter their usernames here. You can specify multiple users with a ',' (comma).

    • NOPASSWD: - The default is PASSWD, which prompts for a password whenever the sudo command runs. Because the SFTP subsystem has no terminal on which a password could be entered, this must be set to NOPASSWD so that no password is requested. The password used will be the password of the ADMINISTRATOR.

    • full_path_of_your_sftp_server - Enter the full path to the command that runs the SFTP subsystem. You can check the path in the /etc/ssh/sshd_config file.

  2. Check if the configuration is correct
    You can confirm that the configuration was registered correctly by running the sftp-server through sudo as one of the listed users. There should be no message in the terminal after the sudo command, as in the image below; the sftp-server simply waits for SFTP protocol data on its standard input. If you see any kind of message, the sudoers configuration is not correct. Note that the sftp subsystem keeps running until you send an interrupt signal, such as Ctrl+C.

    image-20240930-045609.png

  3. In Xftp, create a session file which includes the custom sftp-server option.
    Session Properties -> General Tab -> Protocol: SFTP -> Setup -> Use custom SFTP server : sudo full_path_of_your_sftp_server

    If you add the '-u' option to sudo (for example, sudo -u jane full_path_of_your_sftp_server), the sftp-server runs as that user instead of root, provided the user is allowed by the (ALL) part of the sudoers rule.

  4. Run the session.

  5. Check if any restricted files and directories can be accessed.
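The following shell script is an added check, not part of the original tutorial, that parses a constructed sshd_config and sudoers fragment and verifies the three things that make the sudo method work and keep the rule narrow: the command granted in the sudoers rule is the same absolute path sshd uses for its sftp subsystem (not ALL, a pattern or another binary), requiretty is not in force, and the binary sudo will run as root is owned by root and not group- or world-writable. The file contents, paths and function names are constructed for the example; on a real host point SSHD_CONFIG and SUDOERS at /etc/ssh/sshd_config and /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the sudoers rule used
# for the custom sftp-server. The two configuration files below are
# constructed samples; on a real host set SSHD_CONFIG=/etc/ssh/sshd_config
# and SUDOERS=/etc/sudoers (reading the latter requires root).

SSHD_CONFIG=$(mktemp)
SUDOERS=$(mktemp)
trap 'rm -f "$SSHD_CONFIG" "$SUDOERS"' EXIT

cat > "$SSHD_CONFIG" <<'EOF'
Port 22
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

cat > "$SUDOERS" <<'EOF'
# Defaults requiretty
User_Alias SFTPUSER = john,jane
SFTPUSER ALL=(ALL) NOPASSWD:/usr/libexec/openssh/sftp-server
EOF

# Print the sftp-server path from the "Subsystem sftp ..." line of file $1.
sftp_server_path() {
    awk '$1 == "Subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Print the command the SFTPUSER rule in file $1 grants (text after NOPASSWD:).
sudoers_rule_command() {
    awk '$1 == "SFTPUSER" && /NOPASSWD:/ { sub(/.*NOPASSWD:[[:space:]]*/, ""); print; exit }' "$1"
}

# Succeed if no active (uncommented) Defaults line in file $1 turns requiretty
# on; the SFTP subsystem has no tty, so such a line makes sudo refuse to run.
requiretty_disabled() {
    ! grep -q '^[[:space:]]*Defaults[^!]*requiretty' "$1"
}

# Succeed if the sudoers rule (file $2) grants exactly the absolute path that
# sshd_config (file $1) uses, rather than ALL, a pattern or another binary.
rule_matches_sshd() {
    want=$(sftp_server_path "$1")
    got=$(sudoers_rule_command "$2")
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Succeed if file $1 is owned by root and not group- or world-writable.
# A rule that runs a user-writable binary as root lets anyone who can write
# that file run arbitrary code as root.
root_owned_unwritable() {
    ls -ld "$1" | awk '{ m = $1; o = $3
        exit !(o == "root" && substr(m, 6, 1) != "w" && substr(m, 9, 1) != "w") }'
}

# Stand-alone report on the constructed samples.
for check in "requiretty_disabled $SUDOERS" "rule_matches_sshd $SSHD_CONFIG $SUDOERS"; do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
target=$(sftp_server_path "$SSHD_CONFIG")
if [ -e "$target" ]; then
    if root_owned_unwritable "$target"; then echo "ok:   $target ownership/mode"; else echo "FAIL: $target ownership/mode"; fi
else
    echo "skip: $target not present on this host"
fi
```

The syntax of the real file is still best checked with visudo -c; this script only covers the semantic points the tutorial relies on, and it reads the SFTPUSER rule by alias name, so adjust the awk match if your alias is called something else.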

Changing File Mode Bits (chmod)

This method does not require you to modify the system sudoers file and thus carries less risk than sudo. If the user you'd like to switch to does not have root privileges, you won't need root privileges either. In the following example the user 'foo' logs in and switches to the user 'bar'.

  1. Have the user whose permissions you want to switch to, bar, copy the sftp-server to a desired location and set the setuid bit on the copy. The copy is then owned by bar, so anyone who executes it runs it with bar's permissions.

    [bar@myserver ~] $ whoami
    bar
    [bar@myserver ~] $ cp /usr/libexec/openssh/sftp-server /tmp
    [bar@myserver ~] $ chmod u+s /tmp/sftp-server
    [bar@myserver ~] $ ls -l /tmp/sftp-server
    -rwsr-xr-x. 1 bar bar 83984 Mar 29 18:01 sftp-server


  2. In Xftp, create a session file for the user 'foo' that points the custom sftp-server option at the copied binary (Session Properties -> General Tab -> Protocol: SFTP -> Setup -> Use custom SFTP server : /tmp/sftp-server). There is no need to use sudo.


  3. The user 'foo' runs the sftp-server copy in the /tmp directory, but because of the setuid bit the sftp-server works with the permissions of the user 'bar', the owner of the copy. Note that if the filesystem holding the copy is mounted with the nosuid option (common for /tmp), the kernel ignores the setuid bit and the server silently runs as 'foo'; in that case place the copy on a filesystem mounted without nosuid.

  4. Save and run the session.

  5. Check if the files and directories restricted to the 'bar' user can be accessed.
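As an added example (not from the original tutorial), the script below performs two checks a practitioner would want around this method: whether the directory chosen for the setuid copy sits on a filesystem mounted nosuid, where the kernel ignores the setuid bit and the server quietly runs as the logging-in user, and an inventory of setuid executables under a directory, which is how an administrator would find such copies afterwards. The /proc/mounts content, the scratch directory and the function names are constructed for the example; on a real host pass /proc/mounts as the mounts file and the directory you want to inspect.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. The mounts file below is a
# constructed stand-in for /proc/mounts (fields: device mountpoint fstype
# options dump pass); the scratch directory stands in for a real directory.

MOUNTS=$(mktemp)
SCRATCH=$(mktemp -d)
trap 'rm -rf "$MOUNTS" "$SCRATCH"' EXIT

cat > "$MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /srv ext4 rw,relatime 0 0
EOF

# Print the longest mount point in mounts file $2 that contains path $1.
mount_point_of() {
    awk -v p="$1" '
        index(p, $2) == 1 && ($2 == "/" || length(p) == length($2) || substr(p, length($2) + 1, 1) == "/") {
            if (length($2) > best) { best = length($2); mp = $2 }
        }
        END { print mp }' "$2"
}

# Succeed if mount point $1 carries the nosuid option in mounts file $2.
mount_has_nosuid() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1 }
        END { exit !found }' "$2"
}

# Succeed if a setuid copy placed at path $1 would be honoured by the kernel,
# judging from mounts file $2 (no mount point found counts as not honoured).
setuid_honoured_at() {
    mp=$(mount_point_of "$1" "$2")
    [ -n "$mp" ] && ! mount_has_nosuid "$mp" "$2"
}

# List regular files under directory $1 that have the setuid bit set.
setuid_files_under() {
    find "$1" -type f -perm -4000
}

# Stand-alone demonstration on the constructed data.
touch "$SCRATCH/plain" "$SCRATCH/sftp-server"
chmod 4755 "$SCRATCH/sftp-server"
for p in /tmp/sftp-server /srv/sftp/sftp-server; do
    if setuid_honoured_at "$p" "$MOUNTS"; then
        echo "$p: setuid bit would be honoured"
    else
        echo "$p: filesystem is mounted nosuid, setuid bit ignored"
    fi
done
echo "setuid files under $SCRATCH (owner shown by ls):"
setuid_files_under "$SCRATCH" | while read -r f; do ls -l "$f"; done
```

Run the inventory against a whole filesystem to see every setuid binary, and compare the owners: a setuid file owned by an ordinary account, as this method creates, is exactly what stands out in such a listing.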