Cannot switch to jenkins user on aws ec2 linux? - linux

When I ssh into an aws ec2 Linux instance, I am ec2-user. The instance is a Jenkins master. When I try su - jenkins and entered the correct password, the system says Last login: .... which looks like the switching succeeded. But whoami says I'm still ec2-user.
What am I missing? Thanks!

jenkins is a service account, it doesn't have a shell by design. It is generally accepted that service accounts shouldn't be able to log in interactively.
if you really want to login as Jenkins, you can do so with: sudo su -s /bin/bash jenkins

Related

How to configure jenkins to give password while executing shell script in remote server

I have a shell script to do deployment on a remote server. But I didn't have full root privileges for that server and it asks password for every steps (4-5 times while executing the script).
Now, I want to run the shell script using Jenkins. How to configure jenkins to give the password while executing the shell script in remote server.
Thanks in advance
Add myuser ALL=(ALL) NOPASSWD: ALL in /etc/sudoers.
Note: Replace myuser with your actual username.

Just registered GitLab runner and getting Authentication failure when using shell type

Just installed GitLab runner service and tried to run a basic job.
I got the following output:
Password: su: Authentication failure
ERROR: Job failed: prepare environment: exit status 1. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
Googling, I found that the contents of the .bash_logout may be a problem, but my .bash_logout was blank. I created and added ssh keys for the gitlab-runner user, and was able to manually clone via ssh, but I can't get the job to run. Anyone experienced this that can offer a suggestion?
I found the issue was in the pam file. root couldn't su to gitlab-runner
Background story: GitLab runner is running as root user, in order to retrieve for example the /etc/gitlab-runner/config.toml file. If your gitlab-runner is already running rootless you might want to remove the --user gitlab-runner from the systemd service file. However, most likely your Gitlab Runner is running as root.
If you increase the security on your host machine and disable the root user and the su command. You could enable this again by editing /etc/pam.d/su file and set:
auth sufficient pam_rootok.so
Or only allow the root user to use the su command to only switch to the gitlab-runner user (without password):
auth [success=ignore default=1] pam_succeed_if.so user = gitlab-runner
auth sufficient pam_succeed_if.so use_uid user = root

aws ec2 ubuntu require my password

i want to build a project and failed because it requires root permission. When i change the user to root as "sudo -s", it prompted [sudo] password for ubuntu. As ec2 doesn't offer ubuntu password, it login with pem file. How can I login as root and create files? Thanks!
I fixed this by doing using "sudo" for a Ubuntu AWS EC2 SSH Login:
$ sudo passwd ubuntu
Instead of prompting me for:
"(current) UNIX password:"
It prompts now for:
"Enter new UNIX password:"
I hope this fixes some problems with ec2 ubuntu users!
I was surprised as well, when AWS ec2 ubuntu prompted me for a password.
[sudo] password for ubuntu:
In the end I just hit return without inserting anything and it worked.
If you want to run commands from your terminal interactively as root do it as follows:
sudo -i
If just want to run a single command do it as:
sudo some-command-goes-here
You will not be prompted for password in any of these scenario.
AWS doesn't grant root access by default to EC2 instances. This is an important security best practise. Users are supposed to open a ssh connection using the secure key/pair to login as ec2-user. Users are supposed to use the sudo command as ec2-user to obtain elevated privileges.

Issue running linux AWS CodeDeploy agent in non root context

I am using AWS CodeDeploy to deploy code to our AWS Amazon Linux instances. I followed this knowledge base article https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/ to have the agent execute in the ec2-user context instead of root
Before making the change, the script in the yml file executed as expected (but we need the script to execute in non root context) and setting the runas: part of the appspec.yml file did not seem to execute the script in the ec2-user context as expected
appspec.yml:
version: 0.0
os: linux
files:
- source: /
destination: /home/ec2-user/veddor/api
owner: ec2-user
hooks:
AfterInstall:
- location: deploy/script/deploy-veddor-api.sh
timeout: 300
runas: ec2-user
Since making the change, this error now shows up rather than executing the script specified in the appspec file
LifecycleEvent - AfterInstall
Script - deploy/script/deploy-veddor-api.sh
[stderr]Password: su: Authentication failure
contents of the deploy-veddor-api.sh
cp /home/ec2-user/veddor/api/deploy/config/Config-roddev.php /home/ec2-user/veddor/api/app/config/Config.php
cd /home/ec2-user/veddor/api
chmod +x ./composer.phar
php ./composer.phar install
I am looking for help to figure out what I need to do to get the script deploy-veddor-api.sh to actually run in the ec2-user context.
You may be running the AWS CodeDeploy Agent as a non-root user. Only root will have the ability to have a runas user in your AfterInstall hook, as no other user account can run the substitute user "su" command without password authentication.
Check out the details for "runas" in AWS' appspec user guide:
https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html
runas Optional. The user to impersonate when running the script. By
default, this is the AWS CodeDeploy agent running on the instance. AWS
CodeDeploy does not store passwords, so the user cannot be
impersonated if the runas user needs a password. This element applies
to Amazon Linux and Ubuntu Server instances only.
If you are already running the CodeDeploy Agent as ec2-user, then you do not need to supply the runas element in your AfterInstall hook.
If you are use SDK to trigger CodeDeploy, here is a param: ignoreApplicationStopFailures: true
see: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CodeDeploy.html#createDeployment-property
if you have codedeploy already configured as non root, then remove the runas commands from appspec.yml. Save it and retry!

Why does jenkins need sudo password when ssh account doesn't?

My linux user account has the rights to run a particular sudo command without a password prompt. I am trying to implements jenkins to run this command. It is set up to ssh as my user account on the box with the Publish Over SSH plugin.
When I am in the box $USER shows the correct user, but when I try to run "sudo {command}" (which runs without password when I am using that box normally with my user) it requires password. What is causing this behavior?
Because it is configured to do so. There is file /etc/sudoers specifying these rules and there is respective manual page describing how does this file and the roles work. It is probably a good start to read.

Resources