Sophos UTM: How to enable root access to UTM instances in AWS

Note: Information is posted as-is and the content should be referenced at your own risk.

Overview

In certain scenarios it may be necessary to gain root access to Sophos UTM without having previously accessed the WebAdmin console. Because AWS security policy requires that SSH access for the root account is disabled, we need to work around this limitation: log in with the unprivileged loginuser account first and, from there, enable root access only if it is really needed.

This article describes the steps to enable SSH access for root on Sophos UTM instances in AWS.

Note:

  • Sophos do not recommend using the root user for logging in to the system or for any other operation, due to the risks associated with this account.
  • The safer alternative is to run commands that require root privileges through sudo; loginuser is one of the sudo-approved users by default.

Applies to the following Sophos products and versions
Sophos UTM v9.412 and above

Connecting to Sophos UTM using PuTTY

The loginuser account has SSH access to every UTM instance launched in AWS by default. It authenticates with the private key of the key pair selected during the UTM's deployment. Download and install both PuTTY and PuTTYgen from www.putty.org.

Open PuTTYgen to convert your AWS .pem file to PuTTY’s .ppk format.

Select SSH-2 RSA (or RSA in newer versions of PuTTYgen) and click Load.

Browse to a stored copy of your AWS private key and click Save private key to save your private key in .ppk format.

Note:

  • PuTTYgen warns if the key file is not protected by a passphrase. A passphrase is recommended as an additional safeguard (it protects the key if the .ppk file is copied or stolen), but it is not required for SSH to work.
    If you would like to set one, enter it in the Key passphrase field and repeat it in Confirm passphrase before clicking Save private key.

Start PuTTY and navigate to Connection > SSH > Auth.

Click Browse to select the .ppk keyfile generated earlier.

Navigate to Session and enter the UTM’s public IP address or hostname.
Make sure Connection type is set to SSH and click Open to connect to the UTM.

PuTTY shows a security alert with the UTM's host key fingerprint the first time you connect. Accept it only after verifying the fingerprint as described in the note below; an unverified host key gives you no assurance that you are talking to your UTM rather than to a host in between.

Note:

  • Sophos recommend verifying that the fingerprint matches the fingerprint of your system before continuing.
    The host key fingerprints are recorded in the instance's console output. To retrieve it, use the AWS CLI: aws ec2 get-console-output --instance-id <your AWS instance id here> --output text, where <your AWS instance id here> is replaced by the instance ID of your instance (--output text prints the log as plain lines instead of a JSON-escaped string). EC2 keeps only the most recent console output, so fetch it soon after launch.
    The output includes the host key fingerprints in the section starting with -----BEGIN SSH HOST KEY FINGERPRINTS-----; compare the entry for the key type named in PuTTY's alert with the fingerprint shown there.

Enter the user name loginuser to authenticate with the UTM instance.
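The fingerprint comparison above, as an added example that is not from the Sophos article: a small POSIX shell script that extracts the SSH HOST KEY FINGERPRINTS section from EC2 console output and checks one entry against the fingerprint PuTTY displays. The console output embedded in it is a constructed sample in cloud-init's format with placeholder fingerprint values; for a real instance, pipe the output of aws ec2 get-console-output --instance-id <id> --output text into check_host_key instead.

```shell
#!/bin/sh
# Added example (not from the Sophos article): pull the SSH host key fingerprints out of
# EC2 console output and compare one with the fingerprint PuTTY shows, so the first
# connection to the UTM is not a blind trust-on-first-use.
# Real input comes from:  aws ec2 get-console-output --instance-id <id> --output text
# The text below is a constructed sample in cloud-init's format; the fingerprint
# values are placeholders, not those of any real instance.
SAMPLE_CONSOLE_OUTPUT='ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:3kN2pX9vQ7mL1wR8tZ5yB4cD6eF0gH2jK4lM6nP8qS0 root@ip-10-0-1-23 (ECDSA)
ec2: 256 SHA256:Zy8xW6vU4tS2rQ0pO9nM7lK5jI3hG1fE9dC7bA5zX3w root@ip-10-0-1-23 (ED25519)
ec2: 2048 SHA256:Qa1sW2dE3fR4gT5hY6uJ7iK8oL9pZ0xC1vB2nM3kL4j root@ip-10-0-1-23 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################'

# host_key_fingerprints: reads console output on stdin and prints the fingerprint lines
# between the BEGIN/END markers, with the "ec2: " prefix (and any trailing CR) removed.
host_key_fingerprints() {
    awk '
        { sub(/\r$/, ""); sub(/^ec2: /, "") }
        /^-----BEGIN SSH HOST KEY FINGERPRINTS-----$/ { inside = 1; next }
        /^-----END SSH HOST KEY FINGERPRINTS-----$/   { inside = 0 }
        inside { print }
    '
}

# host_key_fingerprint TYPE: prints the fingerprint for one key type (RSA, ECDSA, ED25519).
# Each line is "<bits> <fingerprint> <comment> (<TYPE>)"; older images print MD5
# colon-hex fingerprints in the same position, so the same field is taken.
host_key_fingerprint() {
    host_key_fingerprints | awk -v t="($1)" '$NF == t { print $2; exit }'
}

# check_host_key TYPE PRESENTED: exit 0 only if PRESENTED (the hash shown in PuTTY's
# security alert, e.g. "SHA256:...") equals the fingerprint recorded for that key type.
# Exit 2 when the console output has no entry for the type, so "unknown" is never "ok".
check_host_key() {
    expected=$(host_key_fingerprint "$1")
    if [ -z "$expected" ]; then
        echo "no $1 host key fingerprint found in console output" >&2
        return 2
    fi
    if [ "$expected" = "$2" ]; then
        echo "$1 host key matches: $expected"
        return 0
    fi
    echo "MISMATCH for $1: console output has $expected, PuTTY shows $2" >&2
    return 1
}

# Demonstration with the constructed sample. For a real instance pipe the CLI output in:
#   aws ec2 get-console-output --instance-id <id> --output text | check_host_key RSA 'SHA256:...'
printf '%s\n' "$SAMPLE_CONSOLE_OUTPUT" | check_host_key RSA 'SHA256:Qa1sW2dE3fR4gT5hY6uJ7iK8oL9pZ0xC1vB2nM3kL4j'
```

Compare the whole hash string, including the SHA256: prefix; PuTTY's alert shows the same algorithm and fingerprint format, so any difference at all is a mismatch and the connection should be abandoned rather than accepted.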

Setting up a password for root

The root account is provisioned with a unique randomized password that is not disclosed, so you must set a new password before you can log in as root.

  1. Log in to the UTM with the loginuser account as described above.
  2. Enter sudo passwd root and press Enter.
  3. Set and confirm a new password for the root user.
  4. Optionally confirm the new password by switching to root: enter su (or su root), press Enter and type the password.


Enabling SSH login for root

If your setup requires direct SSH access to UTM with the root user, you can use one of the following methods to enable it.

Enabling root access via the SSH shell

Log in to the UTM with the loginuser account and run the following rest command, which sets the ssh.root_login configuration node:

rest --request PUT --data '"without-password"' '/nodes/ssh.root_login'

The value without-password corresponds to sshd's PermitRootLogin setting of the same name: root may log in with a public key only, never with a password.

You can now set up a new PuTTY session and log in as root.

Enabling root access via the RESTful API

From any host with an HTTP client that can reach the UTM's RESTful API (the API must be enabled in WebAdmin first), run the following against your Sophos UTM instance:

UTM_HOST="utm_hostname.example"
ADMIN_USER="admin"
ADMIN_PASSWORD="your_password"
curl -f -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --user "$ADMIN_USER:$ADMIN_PASSWORD" --data '"without-password"' "https://$UTM_HOST:4444/api/nodes/ssh.root_login"

Notes on this call: curl verifies the WebAdmin certificate, so supply the certificate or its issuing CA with --cacert rather than disabling verification with -k; -f makes curl exit non-zero on an HTTP error instead of printing the error body, so check the exit status; and --user places the password on the command line, where other users on the client can read it from the process list, so on shared systems prefer reading the credentials from a curl config file or a netrc file.

You can now set up a new PuTTY session and log in as root.
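Both methods above set the ssh.root_login node to a JSON string. The following is an added example, not part of the Sophos article or of the UTM's own tooling: a shell wrapper around the RESTful API call that verifies the WebAdmin certificate against a local copy (UTM_CA_CERT, an assumed variable), keeps the password out of the process list by passing it to curl as a config on stdin, validates the value, and reads the node back after the PUT instead of trusting the exit status alone. It assumes the RESTful API is enabled and that a GET on /api/nodes/ssh.root_login returns the node's JSON value.

```shell
#!/bin/sh
# Added example (not from the Sophos article): the REST API call from the section above,
# wrapped so that the WebAdmin certificate is verified, the admin password never lands in
# the process list, and the node is read back after the PUT to confirm the change.
# Assumptions not taken from the article: UTM_CA_CERT is a PEM file holding the WebAdmin
# certificate (or its issuing CA); the RESTful API is enabled in WebAdmin; and a GET on
# /api/nodes/<node> returns the node's JSON value (here a bare JSON string).
set -u

UTM_HOST="${UTM_HOST:-utm_hostname.example}"
UTM_PORT="${UTM_PORT:-4444}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-}"   # supply via the environment, never in the script
UTM_CA_CERT="${UTM_CA_CERT:-}"

node_url() { printf 'https://%s:%s/api/nodes/%s' "$UTM_HOST" "$UTM_PORT" "$1"; }

# utm_api METHOD NODE [JSON_VALUE]: one authenticated request, response body on stdout.
utm_api() {
    method=$1; node=$2; body=${3:-}
    if [ -z "$ADMIN_PASSWORD" ]; then
        echo "ADMIN_PASSWORD is not set" >&2
        return 2
    fi
    set -- -sS -f -X "$method" \
        -H 'Content-Type: application/json' -H 'Accept: application/json'
    # Pin the WebAdmin certificate rather than disabling verification with -k/--insecure.
    if [ -n "$UTM_CA_CERT" ]; then
        set -- "$@" --cacert "$UTM_CA_CERT"
    fi
    if [ -n "$body" ]; then
        set -- "$@" --data "$body"
    fi
    # Credentials go in as a curl config on stdin (-K -) so they are invisible in ps output.
    # curl's quoted config strings take \" and \\ escapes, so escape those two characters.
    pw=$(printf '%s' "$ADMIN_PASSWORD" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s:%s"\n' "$ADMIN_USER" "$pw" | curl -K - "$@" "$(node_url "$node")"
}

# set_ssh_root_login VALUE: VALUE is one of no, yes, without-password (sshd's PermitRootLogin
# values, as the ssh.root_login node stores them). Fails unless the read-back matches.
set_ssh_root_login() {
    case ${1:-} in
        no|yes|without-password) ;;
        *) echo "usage: set_ssh_root_login no|yes|without-password" >&2; return 2 ;;
    esac
    utm_api PUT ssh.root_login "\"$1\"" >/dev/null || return 1
    got=$(utm_api GET ssh.root_login) || return 1
    got=$(printf '%s' "$got" | tr -d '"[:space:]')
    if [ "$got" != "$1" ]; then
        echo "ssh.root_login is \"$got\" after the PUT, expected \"$1\"" >&2
        return 1
    fi
    echo "ssh.root_login set to $1"
}

# Usage: ADMIN_PASSWORD='...' UTM_CA_CERT=webadmin.pem sh utm-root-ssh.sh without-password
# Run with no argument, the script only defines the functions (for sourcing or testing).
if [ -n "${1:-}" ]; then
    set_ssh_root_login "$1"
fi
```

The same function turns root access back off again with set_ssh_root_login no once the task is finished, which is the state the article recommends leaving the system in.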


Enabling root access using the confd client

Log in to the UTM instance as loginuser, enter su and type the root password set earlier.

Type cc to enter the confd client's interactive mode.

Enter the following commands one per line, pressing Enter after each:

  • ssh
  • root_login$
  • =without-password
  • quit

ssh selects the section, root_login$ the node, =without-password assigns the new value and quit leaves cc.

You can now set up a new PuTTY session and log in as root.


Enabling root access by editing the configuration files

Log in to the UTM as loginuser and open the SSH daemon configuration for editing with sudo vi /etc/ssh/sshd_config.
Move the cursor to the PermitRootLogin no line.

Press the Insert key or the I key to enter insert mode.
Change PermitRootLogin no to PermitRootLogin without-password. This allows root to log in to the UTM with public key authentication only; password logins for root remain refused.

Press Esc to leave insert mode.
Type :wq and press Enter to save the changes and close the file.

Root also needs an authorized public key, because PermitRootLogin without-password accepts keys only.

Create the .ssh directory in /root (if it does not already exist): sudo mkdir /root/.ssh

Restrict the directory's permissions: sudo chmod 700 /root/.ssh

Create the authorized keys file: sudo vi /root/.ssh/authorized_keys

Press the Insert key or the I key to enter insert mode.

Enter or paste the public key that belongs to your private key, on a single line (PuTTY pastes on a right click). You can copy it from the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen, or copy the existing line from /home/login/.ssh/authorized_keys, which holds the public half of the key pair chosen at deployment. Never paste the private key or the contents of the .ppk file here.
Press Esc to leave insert mode.

Type :wq and press Enter to save the changes and close the file.
Restrict the file's permissions with sudo chmod 600 /root/.ssh/authorized_keys; with its default StrictModes setting, sshd ignores an authorized_keys file that is writable by anyone other than its owner.
Restart the SSH daemon with sudo /var/mdw/scripts/sshd restart.

You can now set up a new PuTTY session and log in as root.

You can also enable SSH access for root with password authentication, following the steps below. This is the weakest of the options: root then accepts password guesses from every address your security group admits to port 22, so use it only temporarily and restrict the permitted source addresses.

Log in to the UTM as loginuser and open the SSH daemon configuration for editing with sudo vi /etc/ssh/sshd_config. Move the cursor to the PermitRootLogin no line and press the Insert key or the I key to enter insert mode.

Change PermitRootLogin no to PermitRootLogin yes, and PasswordAuthentication no to PasswordAuthentication yes, to allow root to log in over SSH with a password instead of a key pair.

Press Esc to leave insert mode.

Type :wq and press Enter to save the changes and close the file.

Restart the SSH daemon with sudo /var/mdw/scripts/sshd restart.
You can now set up a new PuTTY session and log in as root with the password set earlier.
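The two vi walkthroughs above amount to three edits and a restart. As an added example, not from the Sophos article, the key-only variant (PermitRootLogin without-password, PasswordAuthentication no) is written below as idempotent POSIX shell functions that can be reviewed and re-run; the paths are parameters, and the UTM locations from the article (/etc/ssh/sshd_config, /home/login/.ssh/authorized_keys, /root) are assumed only in the apply branch at the end. The functions also refuse to install anything that is not an OpenSSH public key line, and keep the directives ahead of any Match block in sshd_config.

```shell
#!/bin/sh
# Added example (not from the Sophos article): the manual sshd_config and authorized_keys
# edits from the section above as idempotent functions, for the key-only variant
# (PermitRootLogin without-password, PasswordAuthentication no). Paths are parameters so
# the functions can be tried on a scratch directory; the UTM defaults assumed here are
# /etc/ssh/sshd_config, /home/login/.ssh/authorized_keys and /root.
set -eu

# sshd_set_option FILE KEY VALUE
# Rewrites FILE so exactly one global "KEY VALUE" line is in effect: the first active or
# commented-out KEY line is replaced, later duplicates are dropped, and if none exists the
# directive is inserted before the first Match block (sshd treats options after a Match
# line as conditional) or appended. sshd keywords are case-insensitive, so matching is too.
sshd_set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t]+/)
            if (!commented && tolower(f[1]) == "match") {
                if (!done) { print k " " v; done = 1 }
                in_match = 1
            }
            # a commented line only counts as the directive when it looks like "#Key value"
            if (!in_match && tolower(f[1]) == tolower(k) && (!commented || n == 2)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so ownership and mode are preserved
    rm -f "$tmp"
}

# sshd_active_value FILE KEY: prints the value of the first active (uncommented) KEY line,
# which is the one sshd honours for a global option.
sshd_active_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# install_root_authorized_keys SRC ROOT_HOME
# Copies only public key lines from SRC (loginuser's authorized_keys) into
# ROOT_HOME/.ssh/authorized_keys with the permissions sshd insists on. OpenSSH public keys
# start with a key type and a base64 blob beginning "AAAA"; anything else (a pasted
# private key, a .ppk, a stray comment) is refused instead of ending up in root's keys.
install_root_authorized_keys() {
    src=$1; home=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    if ! grep -E '^(ssh-|ecdsa-sha2-|sk-)[A-Za-z0-9@.-]+ AAAA' "$src" > "$home/.ssh/authorized_keys"; then
        rm -f "$home/.ssh/authorized_keys"
        echo "no OpenSSH public key lines found in $src" >&2
        return 1
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# enable_root_key_login CONFIG SRC_KEYS ROOT_HOME: the whole procedure, safe to re-run.
enable_root_key_login() {
    sshd_set_option "$1" PermitRootLogin without-password
    sshd_set_option "$1" PasswordAuthentication no
    install_root_authorized_keys "$2" "$3"
}

# On the UTM itself (as root, e.g. via sudo): apply to the real paths, check the result
# with sshd -t before restarting, and restart with the UTM's own script as the article does.
if [ "${1:-}" = apply ]; then
    enable_root_key_login /etc/ssh/sshd_config /home/login/.ssh/authorized_keys /root
    sshd -t -f /etc/ssh/sshd_config
    /var/mdw/scripts/sshd restart
fi
```

Run it on the UTM as sudo sh enable-root-key.sh apply; without the argument it only defines the functions, so it can be exercised against a scratch copy of sshd_config first. The sshd -t check matters because a typo in sshd_config would otherwise take down the only remote access path when the daemon restarts.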

Note:

  • Any change saved in WebAdmin under Management > System Settings > Shell Access overwrites the SSH settings with WebAdmin's values and erases all the changes made above. Treat root SSH access as temporary and set PermitRootLogin back to no when the task is done.