[HOWTO] Non-root SSH logins
#1
This is weird; I am at a total loss as to why non-root users are denied SSH access. This would totally solve my problems with the default pure-ftp server not working and allow me to offer safe and secure external offsite upload facilities using scp and rsync via ssh. I just don't get why the most obvious (to me) access to this NAS would be deliberately crippled. Anyway, I don't know how to make this persistent, but this procedure works after a reboot...

Code:
# Make sure you have created a user on your NAS via the web interface
# on your laptop/desktop create a directory as a regular user
mkdir ~/thecus

# mount the NAS as a regular user so we don't have to use vi
sshfs -o idmap=user root@192.168.1.100:/ ~/thecus
# where the IP is for your NAS

# edit the SSH config file on the NAS (use any editor)
nano ~/thecus/var/tmp/sshd/sshd_config
# and change "AllowUsers root" to "AllowUsers *"

# now get a listing of the main file system
ls -l ~/thecus/raid0/data/
# and take note of your user's home dir in the listing above

nano ~/thecus/etc/passwd
# change your non-root user ID's last 2 fields to "...:/raid/markc:/bin/sh"
# where /raid/markc is YOUR path to your home dir on the NAS

# stop and restart the SSH server on the NAS
ssh root@192.168.1.100
ps | grep /opt/bin/stond | grep -v grep
# (grep -v grep keeps the grep process itself out of the listing)
kill 12345
# where 12345 is the process ID from the first field of the above ps output
/opt/bin/stond -f /tmp/sshd/sshd_config

# to be able to ssh out from the NAS, set permissions on a few devices
# (0666 is the mode a normal Linux system gives these device nodes anyway)
chmod 666 /dev/null /dev/random /dev/urandom /dev/tty

# now try to ssh into your NAS as a normal user from your laptop/desktop
ssh markc@192.168.1.100
# using your NAS username and your NAS IP (use -vvv to troubleshoot)

# now try ssh'ing out to some other computer with sshd running
ssh markc@192.168.1.101 # my laptop IP
I would be interested to hear if this works for anyone else and how to make this procedure persist across reboots.
#2
Here is a workaround to make non-root SSH logins possible without having to manually tweak the above settings after each reboot. Assuming you have followed the post about passwordless root logins, you can simply add this to the end of the root user's .ashrc file...

Code:
if [ ! -f /tmp/FIRSTLOGIN ]; then
  # append a second AllowUsers line; the daemon is restarted with this config below
  echo "AllowUsers *" >> /tmp/sshd/sshd_config
  # grep -v grep keeps the grep process itself out of the PID list (busybox ps: PID is field 1)
  kill $(ps | grep -v grep | grep /opt/bin/stond | awk '{print $1}')
  /opt/bin/stond -f /tmp/sshd/sshd_config
  # the marker lives in /tmp, so it is gone after a reboot and the block runs again
  touch /tmp/FIRSTLOGIN
fi
Now, the first time the root user logs in after a reboot, the above snippet will set up the system to allow non-root users to also log in, assuming the /etc/passwd user entries have been modified according to the above post. Follow the same procedures from the passwordless root login post to automate non-root user logins as well. There are some Windows tools available from here to enable Windows users to interact with these SSH settings on your NAS. I think OSX already has ssh and rsync available via its Terminal application.
#3
Please, Mark, publish your HOW-TO in the Tutorial section so that everybody sees them ;)
Stéphane Guérithault
#4
Hi, I tried your tutorial the whole night, but it doesn't really work for me.

First, I found the idea really good for realising SFTP access for all my users. I figured the reason that my SFTP access works only for root could be that he is the only one having a .ssh folder (or even a home dir). But I want my system users to be able to connect securely via SFTP, using FTP home dirs with the PureFTPd module. Furthermore, I am using a 3rd-party SSH (FaJoSSHD).

So what I wanted was home dirs for all my users, and SSH access for all of them. So your post sounded good.

First I had to change your snippet a bit; you probably use a lot of aliases or want to make people use their brains ;)

So that's mine:
Code:
if [ ! -f /tmp/FIRSTLOGIN ]; then
  # FaJoSSHD ships its own sshd (not /opt/bin/stond); grep -v drops the grep process itself
  kill -9 $(ps | grep /raid/data/module/FaJoSSHD/system/sbin/sshd | grep -v grep | awk '{print $1}')
  # the module's config refers to itself under /raid/data, so use that path for both binary and config
  /raid/data/module/FaJoSSHD/system/sbin/sshd -f /raid/data/module/FaJoSSHD/system/etc/ssh/sshd_config
  # without the marker the test above is never true, and sshd would be killed and restarted on every login
  touch /tmp/FIRSTLOGIN
fi

The "AllowUsers *" thingie is not needed with FaJoSSHD because the config features it already:

Code:
##
## sshd configuration
##
## Note: this sshd was compiled with a default user PATH of
##       PATH=/raid/data/module/FaJoSSHD/system/bin:/usr/sbin:/bin:/usr/bin:/opt/bin
## Note: this sshd was compiled with a default super user PATH of
##       PATH=/raid/data/module/FaJoSSHD/system/bin:/sbin:/usr/sbin:/bin:/usr/bin:/opt/bin
##
## Default values are commented out.
##

## (Multiple Port options are permitted.)
#Port 22
Port 22

## Valid arguments are "any", "inet" (use IPv4 only) or "inet6" (use IPv6 only).
#AddressFamily any

## Syntax:
##    ListenAddress host|IPv4_addr|IPv6_addr
##    ListenAddress host|IPv4_addr:port
##    ListenAddress [host|IPv6_addr]:port
#ListenAddress 0.0.0.0
#ListenAddress ::

## Possible values are "1", "2" or '1,2'
#Protocol 2

## Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

## Logging
#SyslogFacility AUTH
#LogLevel INFO

## Authentication
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

## For this to work you will also need host keys
## in /raid/data/module/FaJoSSHD/system/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
## similar for protocol version 2
#HostbasedAuthentication no

## Change to yes if you don't trust ~/.ssh/known_hosts for
## RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

## Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

## To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

## Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowTcpForwarding yes
AllowTcpForwarding no
#AllowAgentForwarding yes
AllowAgentForwarding no
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
UseDNS no
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none


## Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server

## #############################################################################
## #                                                                           #
## # Do not change anything below unless you know exactly, what you are doing. #
## #                                                                           #
## #############################################################################

#AuthorizedKeysFile    .ssh/authorized_keys
AuthorizedKeysFile    /raid/data/module/FaJoSSHD/system/etc/ssh/users/%u/authorized_keys

## HostKey for protocol version 1
## Never change this - it will break the start scripts
#HostKey /raid/data/module/FaJoSSHD/system/etc/ssh/ssh_host_key

## HostKeys for protocol version 2
## Never change this - it will break the start scripts
#HostKey /raid/data/module/FaJoSSHD/system/etc/ssh/ssh_host_rsa_key
#HostKey /raid/data/module/FaJoSSHD/system/etc/ssh/ssh_host_dsa_key
#HostKey /raid/data/module/FaJoSSHD/system/etc/ssh/ssh_host_ecdsa_key

## Kerberos options
## Note: Kerberos is not compiled into the daemon.
#KerberosAuthentication no
#KerberosOrLocalPasswd  yes
#KerberosTicketCleanup  yes
#KerberosGetAFSToken    no

## GSSAPI options
## Note: GSSAPI is not compiled into the daemon.
#GSSAPIAuthentication     no
#GSSAPICleanupCredentials yes

## Set this to 'yes' to enable PAM authentication, account processing,
## and session processing. If this is enabled, PAM authentication will
## be allowed through the ChallengeResponseAuthentication and
## PasswordAuthentication.  Depending on your PAM configuration,
## PAM authentication via ChallengeResponseAuthentication may bypass
## the setting of "PermitRootLogin without-password".
## If you just want the PAM account and session checks to run without
## PAM authentication, then enable this but set PasswordAuthentication
## and ChallengeResponseAuthentication to 'no'.
## Note: PAM support is not compiled into the daemon.
#UsePAM no

## Never change this - it will break the start scripts
#PidFile /raid/data/module/FaJoSSHD/system/var/run/sshd.pid

## override default of no subsystems
Subsystem    sftp    /raid/data/module/FaJoSSHD/system/libexec/sftp-server

AllowUsers *

I set up a root folder on the raid (/raid/data/0/root) with rights, .ashrc etc., and did everything else from the two tutorials.

My problem is, after startup, logging in via ssh as root, my pwd is still /root; nothing changed. The script in /raid/data/0/root/.ashrc was definitely NOT executed, and I am really wondering how it should be?

Just by changing the root line in /etc/passwd? After reboot everything in that line is old-fashioned; it seems like that line is not persistent (changes to the user lines are!).

So, however, just to check if it works, I manually "executed" the snippet and ssh login for the users worked. Until reboot.

And, my big problem, SFTP still doesn't work for any of the users. I get Error 126 "Cannot initialize SFTP - is there a SFTP-Server running?".

It looks like it is capable of establishing the SSH connection, but when it's trying to pass some command to the subsystem there is no one feeling responsible.

So, after all, 2 questions:

- how to make the user SSH feature last longer than a reboot?
- how to "connect" the SSHD of FaJo and its sftp subsystem and PureFTPd together so that it works for SFTP logins of users? Does it even have something to do with all this here?! ;)

Maybe you can help,
stoechi
#5
I'm not sure about your last 2 questions, but most files in /etc are persistent, so finding the right startup file and adding something like source /etc/rc.local near the end of it will allow us to run custom user settings on bootup from /etc/rc.local. That's on my TODO list for sure. FWIW, the boot sequence looks something like this: /init is linked to /bin/busybox, which means a standard sysv activation of /etc/inittab; that kicks off /etc/rc.d/rc.sysinit, which in turn calls (not exec?) /etc/rc.d/rc.3, and it then fires off /etc/cfg/rc (if it exists), so a source /etc/rc.local near the end of /etc/rc.d/rc.3 may work.

stoechi Wrote: My problem is, after startup, logging in via ssh as root, my pwd is still /root; nothing changed. The script in /raid/data/0/root/.ashrc was definitely NOT executed, and I am really wondering how it should be?

The home dir field of the first root user entry in /etc/passwd has to match where you want this new root home dir. Are you sure you have a 0 folder in /raid/data?

If you do a listing of / and type the mount and df commands you can see that /raidsys/0 is a real 512Mb read-write partition and is away from /raid0/data/ which could be viewed by various programs (samba etc).

You may also be missing ~/.profile that contains source ~/.ashrc (or just . ~/.ashrc). Also, the permissions of the users folders and ~/.ssh/* files cannot have group or world write perms. Ideally, these folders should be (using my root homedir example)...
Code:
chmod 700 /raidsys/0/root
chmod 700 /raidsys/0/root/.ssh
chmod 600 /raidsys/0/root/.ssh/*
and the same for any /raid0/data/username folders created for users by the web interface. How this impacts samba, ftp and nfs access is yet to be determined.

It's been batshit crazy trying to work out this basic stuff and at the moment I have a /etc/shadow file (copied from my Archlinux laptop and chmod 600) with just a few user entries that match the users in /etc/passwd and I also had to create a /etc/pam.d folder and add a /etc/pam.d/pure-ftpd file and now I have ftps working for non-root users. I also have ssh, scp and rsync working for these users but I have messed around so much I am not sure EXACTLY what I did at each step that actually worked to enable ftps and scp/rsync etc.
Code:
root@n2800 ~ ll /etc/pam.d
-rw-------    1 root     root           187 Sep 28 21:02 other
-rw-------    1 root     root           348 Sep 29 22:31 pure-ftpd
root@n2800 ~ cat /etc/pam.d/other
#%PAM-1.0
auth            required        pam_unix.so
account         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_unix.so
root@n2800 ~ cat /etc/pam.d/pure-ftpd
auth       sufficient   pam_ldap.so
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_ldap.so
account    sufficient   pam_winbind.so
account    required     pam_unix.so
session    sufficient   pam_ldap.so
session    sufficient   pam_winbind.so
session    required     pam_unix.so
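The permission rules behind the chmod 700/600 lines in the post above, as an added example (not code from the thread, from Thecus or from FaJoSSHD): with StrictModes left at its default of yes, sshd refuses to read ~/.ssh/authorized_keys when the home directory, .ssh or the key file is group- or world-writable or owned by someone other than the user or root, which is what makes key logins silently fall back to password prompts. The FaJoSSHD config quoted in post #4 sets StrictModes no, which skips that check rather than satisfying it; the script below lets you satisfy it instead. It assumes the home path and the owning user are passed in and uses only ls, cut, awk and chmod so it also runs under busybox on the NAS.

```shell
#!/bin/sh
# Added example, not from the thread: check (and optionally fix) the ownership
# and permission rules sshd's StrictModes applies before it reads
# ~/.ssh/authorized_keys, i.e. what the chmod 700/600 lines above enforce.
# Only ls, cut, awk and chmod are used, so it runs under busybox as well.

# check_ssh_perms HOME USER : return 0 if HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys are owned by USER or root and are neither
# group- nor world-writable; otherwise print each offending path and return 1.
check_ssh_perms() {
    home="$1"; user="$2"; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        line=$(ls -ld "$p")
        mode=$(echo "$line" | cut -c1-10)        # e.g. drwxrwxr-x
        owner=$(echo "$line" | awk '{print $3}')
        case "$mode" in
            ?????w????|????????w?)               # group write (char 6) or other write (char 9)
                echo "writable by group/others: $p ($mode)"; bad=1 ;;
        esac
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "wrong owner: $p (owned by $owner)"; bad=1
        fi
    done
    return $bad
}

# fix_ssh_perms HOME : apply the modes recommended above (700 / 700 / 600)
fix_ssh_perms() {
    chmod 700 "$1" || return 1
    [ -d "$1/.ssh" ] || return 0
    chmod 700 "$1/.ssh" || return 1
    for f in "$1"/.ssh/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Demo on a constructed directory tree (not a real NAS home dir).
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
echo 'ssh-ed25519 AAAAC3... constructed-key' > "$demo/home/.ssh/authorized_keys"
chmod 775 "$demo/home"; chmod 770 "$demo/home/.ssh"; chmod 664 "$demo/home/.ssh/authorized_keys"
if check_ssh_perms "$demo/home" "$(id -un)"; then
    echo "permissions already acceptable"
else
    fix_ssh_perms "$demo/home" && check_ssh_perms "$demo/home" "$(id -un)" && echo "fixed"
fi
rm -rf "$demo"
```

Run it as `check_ssh_perms /raid0/data/markc markc` for each user folder the web interface created; the ownership test matters on this NAS because those folders may be created by the web UI as root or as another account, and a key file owned by the wrong user fails StrictModes just as a 775 directory does.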
#6
Haha, thanks for your great help; I didn't find the time to try all this, but I WILL!

I do absolutely understand your situation; it's always a whole lot of a mess when trying around for days (so much back & forth) and afterwards not being able to say exactly what the problem was.

Even making a kind of documentation, it gets so complex and forks up recursively; it's exhausting. Nerd problems.

Will tell you whether I got it running or not.
#8
## sshd configuration
##
## Note: this sshd was compiled with a default user PATH of
## PATH=/raid/data/module/FaJoSSHD/system/bin:/usr/sbin:/bin:/usr/bin:/opt/bin
## Note: this sshd was compiled with a default super user PATH of
## PATH=/raid/data/module/FaJoSSHD/system/bin:/sbin:/usr/sbin:/bin:/usr/bin:/opt/bin
##
## Default values are commented out.
##

## (Multiple Port options are permitted.)
#Port 22

it is not working

I've the same problem
jessica
#9
jessicasmith Wrote:
## sshd configuration
##
## Note: this sshd was compiled with a default user PATH of
## PATH=/raid/data/module/FaJoSSHD/system/bin:/usr/sbin:/bin:/usr/bin:/opt/bin
## Note: this sshd was compiled with a default super user PATH of
## PATH=/raid/data/module/FaJoSSHD/system/bin:/sbin:/usr/sbin:/bin:/usr/bin:/opt/bin
##
## Default values are commented out.
##

## (Multiple Port options are permitted.)
#Port 22

it is not working

I've the same problem

Hi Jessica,

what problem do you have? FaJoSSHD listens on port 10022 per default configuration, by the way ;)

/Falk
Further information and module downloads at FaJo.de
#10
Thanks for the method! :D
However, may I make a remark?

1) depending on whether you have ModBase1 or a custom one, and you load its path in your profile, the binaries ps and grep can possibly lead to unexpected results! Example: the PID column of the result of the ps command from ModBase1 is not the first...
2) the best practice is not to have duplicate lines in your system files. So if you already modified your sshd_config, you could have duplicates!
3) I'm not sure it's the reason why, but I couldn't connect a non-root user without having only one AllowUsers line

For these reasons, here is the modified version for your /root/config.nonSSHUsersLoginEnable.sh file:

Code:
# test the generated file, not the stock one: the stock config never gains
# "AllowUsers *", so testing it would kill and restart stond on every login
if ! /bin/grep -q "AllowUsers \*" /tmp/sshd/sshd_config_AllowUsers 2>/dev/null; then
  # copy the live config minus every AllowUsers line, then append exactly one
  (/bin/grep -v AllowUsers /tmp/sshd/sshd_config; echo "AllowUsers *") >/tmp/sshd/sshd_config_AllowUsers;
  # full paths for ps and grep so a ModBase1 PATH cannot substitute a different ps (different PID column)
  kill $(/bin/ps | /bin/grep -v grep | /bin/grep /opt/bin/stond | awk '{print $1}');
  /opt/bin/stond -f /tmp/sshd/sshd_config_AllowUsers;
fi
scavenger
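The two file edits that posts #1, #2 and #10 all make by hand (one AllowUsers line in sshd_config, the home and shell fields in /etc/passwd), done idempotently, as an added example that is not code from the thread, from Thecus or from any of the posters: it keeps exactly one AllowUsers line however often it runs (the duplicate problem in point 2 above), and it takes an explicit user list rather than `*`, because `AllowUsers *` admits every account in /etc/passwd that has a usable shell, service accounts included. The file paths are caller-supplied, the demo works on constructed copies rather than the live files, and restarting stond is left to the caller; the functions are what one would call from the rc.local-style hook post #5 describes.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent versions of the two file edits
# the how-to makes by hand. POSIX sh plus grep/awk only, so it also runs under
# busybox on the NAS. Paths are caller-supplied; nothing is restarted here.

# set_allow_users CONFIG USER... : leave exactly one AllowUsers line in CONFIG,
# naming USER... . An explicit list is safer than "AllowUsers *".
set_allow_users() {
    cfg="$1"; shift
    [ $# -gt 0 ] || { echo "set_allow_users: need at least one user" >&2; return 1; }
    tmp="$cfg.new.$$"
    {
        # drop every existing AllowUsers line (e.g. the stock "AllowUsers root");
        # grep exits 1 when no line survives, which is not an error here
        grep -v '^[[:space:]]*AllowUsers[[:space:]]' "$cfg" || [ $? -eq 1 ]
        echo "AllowUsers $*"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$cfg"    # atomic replace: sshd never reads a half-written file
}

# allowed_users CONFIG : print the user list from the AllowUsers line(s)
allowed_users() {
    awk '/^[[:space:]]*AllowUsers[[:space:]]/ { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# set_user_home PASSWD USER HOME SHELL : set fields 6 and 7 of USER's entry,
# leaving every other line byte-for-byte unchanged
set_user_home() {
    pw="$1"; user="$2"; home="$3"; shell="$4"
    grep -q "^$user:" "$pw" || { echo "set_user_home: no entry for $user in $pw" >&2; return 1; }
    tmp="$pw.new.$$"
    awk -F: -v OFS=: -v u="$user" -v h="$home" -v s="$shell" \
        '$1 == u { $6 = h; $7 = s } { print }' "$pw" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$pw"
}

# user_field PASSWD USER N : print field N of USER's entry (6 = home, 7 = shell)
user_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"
}

# Demo on constructed copies of the two files (not the live ones on the NAS).
demo_dir=$(mktemp -d)
printf 'Port 22\nAllowUsers root\nStrictModes yes\nAllowUsers root\n' > "$demo_dir/sshd_config"
printf 'root:x:0:0:root:/root:/bin/sh\nmarkc:x:1000:100::/dev/null:/bin/false\n' > "$demo_dir/passwd"
set_allow_users "$demo_dir/sshd_config" root markc
set_allow_users "$demo_dir/sshd_config" root markc    # second run changes nothing
set_user_home "$demo_dir/passwd" markc /raid0/data/markc /bin/sh
echo "AllowUsers lines: $(grep -c '^AllowUsers' "$demo_dir/sshd_config") -> $(allowed_users "$demo_dir/sshd_config")"
echo "markc home/shell: $(user_field "$demo_dir/passwd" markc 6) $(user_field "$demo_dir/passwd" markc 7)"
rm -rf "$demo_dir"
```

On the NAS the calls would be `set_allow_users /tmp/sshd/sshd_config root markc` followed by the stond restart from the snippet above, and `set_user_home /etc/passwd markc /raid0/data/markc /bin/sh`; because both functions rewrite via a temp file and `mv`, running them from a login hook on every boot is harmless.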
#11
great share