I accidentally put root user into my sftp group and now I cannot log in


I was using an AWS Linux server and MobaXterm. While I was in the server I accidentally put the root user into my sftp group using the command:

sudo usermod -a -G sftp ubuntu

Now I have exited the server, and when I tried to log back in I received this error message on MobaXterm, saying "This service allows sftp connection only".

I do not have any other user besides the root user. Now I cannot log in to my server; I can only log in to my sftp. Is there any fix for this?

asked 2 years ago, 636 views
1 Answer

Hi,

It looks like you have forced the internal-sftp service for the sftp group in the /etc/ssh/sshd_config file. Now that you have added the default ubuntu user to the sftp group, it will only allow sftp connections for the ubuntu user. Use one of the following methods to remove the ubuntu user from the sftp group and regain ssh access.

Option 1

If your EC2 instance is managed by AWS Systems Manager, you can use the Run Command feature to execute the following command on the instance. This will remove the ubuntu user from the sftp group.

gpasswd -d ubuntu sftp

For more details about running remote commands on an EC2 instance with AWS Systems Manager, see the following documentation.

https://aws.amazon.com/getting-started/hands-on/remotely-run-commands-ec2-instance-systems-manager/

After creating the instance profile, attach it to your EC2 instance and reboot the instance. Since you already have an EC2 instance running, you can skip Steps 2, 3 and 5.

Option 2

If you can stop the instance, you can re-run the user-data to remove the ubuntu user from the sftp group. You can use the following user-data script to achieve this.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud.cfg"

#cloud-config
cloud_final_modules:
- [scripts-user, once]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="script.sh"

#!/bin/bash -x
gpasswd -d ubuntu sftp

Refer to the following Knowledge Center article for the steps to re-run the user-data on an existing EC2 instance.

https://aws.amazon.com/premiumsupport/knowledge-center/execute-user-data-ec2/

answered 2 years ago by AWS
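The lock-out described in this thread comes from a Match Group block in sshd_config that applies ForceCommand internal-sftp to every member of the group, so putting the only sudo-capable account into that group removes its shell. The following shell script is an added example, not code from the question or from the AWS answer: it parses sshd_config for groups confined to internal-sftp, refuses a usermod -a -G that would put an admin user into one of them, and shows how to ask sshd itself what it would enforce for a given user. The sample sshd_config it runs against is constructed here, and the choice of sudo/wheel/admin as the "admin" groups is an assumption.

```shell
#!/bin/bash
# Added example, not code from the original question or answer.
# Assumptions: sshd_config confines sftp users with a "Match Group <name>" block
# containing "ForceCommand internal-sftp" (the setup the answer infers), and the
# administrative account is whichever user belongs to sudo, wheel or admin.

# Print every group that a "Match Group" block confines to internal-sftp.
# $1 = path to an sshd_config file.
sftp_only_groups() {
    awk '
        # Keywords are case-insensitive in sshd_config; any new Match line
        # (including "Match all") ends the previous block.
        tolower($1) == "match" {
            groups = ""
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "group") groups = $(i + 1)
            next
        }
        groups != "" && tolower($1) == "forcecommand" && tolower($2) == "internal-sftp" {
            # The Group criterion may name several groups separated by commas.
            n = split(groups, g, ",")
            for (i = 1; i <= n; i++) print g[i]
        }
    ' "$1" | sort -u
}

# Exit 0 if adding a user to group $2 would restrict that user to sftp under
# the sshd_config at $1.
would_lock_out() {
    sftp_only_groups "$1" | grep -qx -- "$2"
}

# Authoritative check: ask sshd what it would enforce for user $1. Needs root
# and a local sshd; Match blocks are evaluated exactly as at login time.
effective_forcecommand() {
    sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" |
        awk 'tolower($1) == "forcecommand" { print $2 }'
}

# Guarded replacement for "usermod -a -G <group> <user>": refuse when the
# target user can sudo and the group is sftp-only, which is exactly the
# lock-out described in the question.
guard_add_to_group() {
    user=$1 group=$2 config=${3:-/etc/ssh/sshd_config}
    if would_lock_out "$config" "$group" &&
       id -nG "$user" | tr ' ' '\n' | grep -qxE 'sudo|wheel|admin'; then
        echo "refusing: $user is an admin and '$group' is sftp-only in $config" >&2
        return 1
    fi
    usermod -a -G "$group" "$user"
}

# Demo on a constructed sshd_config, not a real server's file.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp,uploaders
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match Group developers
    X11Forwarding no
EOF
for g in sftp uploaders developers; do
    if would_lock_out "$demo_config" "$g"; then
        echo "$g: sftp-only, adding the admin user here locks you out of ssh"
    else
        echo "$g: interactive ssh still allowed"
    fi
done
rm -f "$demo_config"
```

Run the guard as root in place of the bare usermod, for example `guard_add_to_group ubuntu sftp`; after any change to group membership or sshd_config, `effective_forcecommand ubuntu` prints `internal-sftp` only if that user will be confined, so an empty result confirms that interactive ssh still works before you disconnect.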
