Locked myself out of my server, disabled root access and no other users have sudo

mawr

What should/can I do? Google tells me I should boot from a Live CD or other OS, and edit the /etc/passwd file.

Basically I was trying to disable SSH access while allowing SFTP (which btw I still can't figure out) for a user, but then disabled root login too. No other users have sudo priveleges but I can login to other users.

However I can't do any admin things like add new users (which I need to do).

What can I do?

Thanks!

serverian

Dedicated server?

Spencer

What OS?

Rallias

Find a local user exploit?

amhoab

If you can get into single user mode, that's the best route. Otherwise, if you can access the FS with a live CD, you can either update the passwd file to a known hash, or add one of the accounts you can login with to the sudoers file and reboot.

NickM

Rallias said: Find a local user exploit?

I like this method! But on a more serious note... assuming this is some flavor of Linux:

If it's a dedicated server, your root account (assuming that you didn't lock the account using passwd -l) should be able to login from the system console, so if you have KVM or IPMI access, that's your best bet.

If you did lock the root account, you should be able to boot into single user mode (reboot the server, and on the grub screen, press e, then add "single" to the end of the line that starts with "linux", then press Ctrl+x to boot). Once you're in single user mode, you can fix whatever it is you need to fix and then reboot again.

If it's a KVM-based VPS, the same advice applies - use the VNC console to log in to the root account or boot into single user mode.

If it's OpenVZ, you should be able to access the VPS via the recovery console.

amhoab

Ah, I read this hastily and thought he couldn't login as root due to a bad password or something. You should be able to login to the console and get situated in that case.

mawr

It's Debian and a dedicated server. I submitted a ticket to WSI but is there any other way? I don't have KVM or IPMI but I do have DirectAdmin installed as a control panel

cloromorpho

i think the best option is to ask your provider to boot your server from a live CD ("rescue mode" as some providers say) and once logged in, mount the drives if needed and edit your settings.

If this is done by ticket it is posible that you will need to ask them to boot your server from the HD as usual once you have edited what was needed.

Gien

@mawr If you use directadmin and haven't locked yourself out of the DA panel.
Then go into admin mode.

Goto 'file editor' select 'sshd_config'

Restore the sshd file,

Permitrootaccess to yes

And you can add additional users, by adding to the last line of the file (my personal prefrence, not required)

AllowUser usrrname

Save the file then goto service monitor and restart/reload ssh

Srry for the linebreaks, im on my mobile, appparently it doesnt function as well

mawr

@Gien said:
mawr If you use directadmin and haven't locked yourself out of the DA panel.
Then go into admin mode.

Goto 'file editor' select 'sshd_config'

Restore the sshd file,

Permitrootaccess to yes

And you can add additional users, by adding to the last line of the file (my personal prefrence, not required)

AllowUser usrrname

Save the file then goto service monitor and restart/reload ssh

Srry for the linebreaks, im on my mobile, appparently it doesnt function as well

It won't let me edit the file without "Authenicating" myself by entering the root password, and when I do it says Unable to authenticate (which is because I think I had set root to sbin/nologin through the passwd file)

mawr

@Zen said:
Without KVM or IPMI nope. You should make sure any server you get has one of those nowadays.

Server actually comes with free IPMI but I had to request it. Just waiting on support to give me info right now. Thanks

Gien

mawr said: It won't let me edit the file without "Authenicating" myself by entering the root password, and when I do it says Unable to authenticate (which is because I think I had set root to sbin/nologin through the passwd file)

@mawr yeah if you compleetly disabled root password, then thats not an option anymore. Too bad, would have been an easy fix.

I got a system backup running, so i could restore that one (which also includes sshd_config) and then just add the latest admin/user back ups.. (which are made twice a day) so at most i would lose 12h of data..

i agree not ideal, but better then doing a clean install

But yes, IPMI is your last resort now.. hope it works

Mun

Why not just use 'su root' it will allow you to go and change to the user root, with full permissions from an account less the root, assuming you have and remember your password.

http://en.kioskea.net/faq/2320-using-the-su-command

Please note su is different then sudo, and I think it is a default on debian.

Mun

Gien

@Mun, OP stated he cant ssh into his box, as only root has ssh rights. So even getting in the box is impossible. And also su root wil ask for a password and what i could read above that didnt even work, he probably turned off passwords all together..

and yeah su works on most (if not all) debian based OS, i think on all linux boxes (as i use it regularly on my centos boxes)

but su requires that another user has ssh access.

Mun

@Gien said:
Mun, OP stated he cant ssh into his box, as only root has ssh rights. So even getting in the box is impossible. And also su root wil ask for a password and what i could read above that didnt even work, he probably turned off passwords all together..

and yeah su works on most (if not all) debian based OS, i think on all linux boxes (as i use it regularly on my centos boxes)

but su requires that another user has ssh access.

Actually that isn't what he said in the initial post, he stated no users have sudo.

mawr

Thanks guys! I fixed the issue after a few hours of work in IPMI, I found out I had an account with sudo. Woops. I spent all that work and it didn't even fix it anyways.

Gien

LOL @mawr all that extra work,