sudo in WinSCP

So here is quick one to help gain access to Debian 12 that uses certs and sudo only to allow for more secure access to ssh. Since WinSCP uses ssh there is the setup that I use to gain access to my ssh enable vms.


sudo is something to allow you to elevate privleges for a user only when needed. Here are some articles on sudo if a refresher is needed.

Advanced Site settings.

Click the Advanced button. Then go to SFTP and setup the SFTP server: to the following:

sudo su -c /usr/lib/openssh/sftp-server

The SFTP should look like this.

SFTP is now setup to sudo!!! At least for Debian 11 and 12 this may work on other distros.

Its Not There: How Do I Find sftp-server?

Ok, so for some reason sftp-server moved or you are working on a different Distro then Debian 12. So, here is how you find the needed binary and then just change the associated path shown above to fit your needs. This should work on almost every dirstro then. However, I have not tested it. Hey, add a comment below if it works on other distros or if you have a specific path that works for your distro and maybe I can add a list here for other distros. By the way, whereis is a very helpful command. Keep that in your back pocket for other binaries when you need to do things in linux and need to find out where they are located.

apauna@MSI:~$ whereis sftp-server
sftp-server: /usr/lib/sftp-server /usr/share/man/man8/sftp-server.8.gz

Setup Public Cert

So, it is important to grab the public cert or generate one with putty. Maybe I will create a post on that in the future but I got my public cert from .ssh on my WSL debian and have been using that as my cert since I created it. that was simply the one defined in ~/.ssh/id_rsa that I generated using ssh-keygen. Nothing fancy there. Anyway I simply put it into a dir and converted it to a ppk. Actually WinSCP did that for me from what I remember and I simply saved it out. Again, nothing fancy. This is then placed in SSH->Authentication->Private key file. So, as mentioned above I simply copied the ~/.ssh/id_rsa file into a new text document and when I attempted to use it WinSCP asked to convert to a ppk and so that is what I let it do. I never even renamed it! As seen below,

Adding Private Key to WinScp SSH connection

Should Add To sudoers File

Oh, I had problems on the latest Debian that also required me to add to /etc/sudoers file my user and associated privleges. That is, I got an error on WinSCP like the following:

Debain 12.4 does added security that causes sudo to fail.

looking at journalctl I noticed lines like these below:

Jan 20 11:47:23 dvr-01 sudo[910]: pam_unix(sudo:auth): conversation failed
Jan 20 11:47:23 dvr-01 sudo[910]: pam_unix(sudo:auth): auth could not identify password for [debian]

So, with that I found this WinSCP page to address that helped to address this issue.

For me I found that for now I could only get it to work with the following in /etc/sudoers file

# Allow sftp-server to use sudo without a password.

So, here is another link that helps explain sudo well with Debain 12. Also, this linuxize link is good as it shows an example of using sudoers.d directory. This approach is really the recommended way to do sudoers in the modern linux environment. So lets explore that below

echo "debian  ALL=(ALL) NOPASSWD:/usr/bin/su,/usr/lib/sftp-server" | sudo tee /etc/sudoers.d/debian | sudo chmod 440 /etc/sudoers.d/debian

Remember, the name is not important. Only for ease of file searches it should be named with something about the user as shown above. Oh one onther catch do not put a . or a ~ in the filename or it will be ignored! So, no extensions!!! Here is the Debian 12 readme I found on this!!! Also, note that I am using chmod 440 as it appears that both sudoers and the directory is setup that way so I think it is good for security to setup files so noone but root can write them! Oh, and I found that I had to include both /usr/bin/su,/usr/lib/sftp-server if I wanted to limit the exposure of sudo with no password to something like only WinSCP. Guess that is better than ALL in there.

# The default /etc/sudoers file created on installation of the
# sudo  package now includes the directive:
# 	@includedir /etc/sudoers.d
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# Note that there must be at least one file in the sudoers.d directory (this
# one will do).
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish! Sudo
# versions older than the one in Debian 11 (bullseye) require the
# directive will only support the old syntax #includedir, and the current
# sudo will happily accept both @includedir and #includedir
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo and sudoers for more information.

Test It

One that is all done it should be possible to connect to server via WinSCP and do whatever is needed. I hope this was helpful and if there are any recommendations or suggestions let me know in the comments below. Thanks for reading and happy WinSCP'ing!!!

Leave a Reply

Your email address will not be published. Required fields are marked *