[HOWTO] SSH root logins without a password
#1
The normal root user's home dir is not persistent, so it can't be set up with SSH keys and customized shell login scripts. To allow for passwordless SSH logins I followed this procedure...

Code:
# First, create a new SSH key on your laptop/desktop
cd ~/.ssh
ssh-keygen -f n2800.lan
# just hit enter for the key password

# Now open another console shell
# login to your NAS as root and create a persistent home dir
ssh root@192.168.1.100
mkdir /raidsys/0/root
cd /raidsys/0/root
mkdir .ssh
chmod 700 .ssh

# locally, mount the NAS as a regular user so we don't have to use vi
mkdir ~/thecus
sshfs -o idmap=user root@192.168.1.100:/ ~/thecus

# edit the NAS passwd file (use any editor)
nano ~/thecus/etc/passwd
# and change the root users homedir from /root to /raidsys/0/root
# ie; root:(ENCRYPTED PW):0:0:root:/raidsys/0/root:/bin/sh

# create the remote NAS key file to allow for passwordless SSH logins
cat ~/.ssh/n2800.lan.pub
# copy the above output from the shell (ie; one way is to select with your mouse)
nano ~/thecus/raidsys/0/root/.ssh/authorized_keys
# and paste the contents of ~/.ssh/n2800.lan.pub to the above file (middle mouse press)

# in the other remote console where you are logged in as root on the NAS
chmod 600 /raidsys/0/root/.ssh/authorized_keys

# now you can test a root login
ssh -v root@192.168.1.100
# assuming that works okay now we can make things a little more comfortable

nano ~/thecus/raidsys/0/root/.profile
# add -> "source ~/.ashrc"

nano ~/thecus/raidsys/0/root/.ashrc
# add any env vars and aliases to suit your needs, example...
COLOR=36
LABEL=$USER@n2800
export PS1="\[\033[1;${COLOR}m\]${LABEL} \w\[\033[0m\] "
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/opt/bin
export EDITOR=nano
test $(id -u) -gt 0 && SUDO='sudo ' || SUDO=
alias e='nano -t -x -c'
alias n='echo -e "\n-- $(date) --\n" >> ~/.note && e +10000 ~/.note'
alias p='ps w | grep -v grep | grep'
alias q='find -type f -print0 | xargs -0 grep '
alias edsh='e ~/.ashrc;. ~/.ashrc'
alias notes='cat ~/.note'
alias se='sudo nano -t -x -c'
alias la='LC_COLLATE=C ls -lFAh --color=auto'
alias ll='LC_COLLATE=C ls -lF --color=auto'
alias ls='LC_COLLATE=C ls -F --color=auto'

# NOTE: the nano editor and sudo are not available (yet)

# now on your local machine add these for ssh convenience
nano ~/.ssh/config
# add something like the below
Host n2800
  User root
  Port 22
  Hostname 192.168.1.100
  IdentityFile ~/.ssh/n2800.lan

# change the file perms so ssh does not complain
chmod 600 ~/.ssh/config

# finally add an alias to your local ~/.bashrc and "source ~/.bashrc"
alias n2800='ssh n2800'

Now you can type n2800 and get logged into your NAS without having to type a password, and also easily use scp and rsync from either the console or from within scripts to automate some procedures, i.e. rsync -av /path/to/folder/ n2800: will copy the contents of /path/to/folder/ to /raidsys/0/root on your NAS; do it a second time and it will quickly sync just the changes to any files in /path/to/folder/. Most importantly, this command can now be automated from a cron job.
Reply
#2
OK so not quite a tutorial yet ... but hopefully soon!

I'm just picking through the firmware upgrade file (for my N4200Pro ... "XXXseries_1U4600_N0503_N4200series_N5500_N7700series_N8800series_FW_5.03.01.bin") and I can see the kernel images that are to be put onto partition 2 of the DOM and lots of other interesting stuff. I also see that with the kernel is a "bz5200v1.sum" file ... does anyone know what app is used to create that file? I'm assuming it is a checksum and that the upgrade script will fail if I drop in a kernel of my own crafting in place of the original file.
Reply
#4
markc Wrote: The normal root user's home dir is not persistent, so it can't be set up with SSH keys and customized shell login scripts. To allow for passwordless SSH logins I followed this procedure...


But isn't /etc/passwd also overwritten after a reboot??

Regards, Angelo
Thecus N4200ECO, 4Gb. RAM, FW 5.03.02
Modules: FaJoSSHD, Twonkymedia, Transmission, ModBase1, PHP53, Apache Web Server, MySQL5, META,
Reply
#6
Edit: typed before thinking about it. /etc is persistent. Some files inside /etc are symlinked to /var or /tmp but the rest persist during reboots.
Reply
#8
markc Wrote: Edit: typed before thinking about it. /etc is persistent. Some files inside /etc are symlinked to /var or /tmp but the rest persist during reboots.

On my 4200ECO the passwd file is reverted. Changes I make for the home directory of root in the passwd file are back to /root again after a reboot. I would love to know how to make this persistent.

Regards, Angelo
Thecus N4200ECO, 4Gb. RAM, FW 5.03.02
Modules: FaJoSSHD, Twonkymedia, Transmission, ModBase1, PHP53, Apache Web Server, MySQL5, META,
Reply
#10
YES! One can use the META mod to copy the edited passwd file to /etc after a reboot...
Thecus N4200ECO, 4Gb. RAM, FW 5.03.02
Modules: FaJoSSHD, Twonkymedia, Transmission, ModBase1, PHP53, Apache Web Server, MySQL5, META,
Reply
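
The hand edit of root's home directory from post #1, and the idea above of re-applying it after a reboot, as an added shell example that is not code from any poster in this thread: it rewrites only field 6 of one passwd entry, so a boot-time re-apply does not replace the live file with a stale copy and drop accounts added since. The function name `set_home_dir`, the 644 mode and the sample entry are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. set_home_dir is a hypothetical name.
set_home_dir() {
    file=$1 user=$2 home=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case $home in
        *:*) echo "home must not contain ':'" >&2; return 1 ;;
        /*)  ;;
        *)   echo "home must be an absolute path" >&2; return 1 ;;
    esac
    # Require exactly one entry for the account, and it must have 7 fields.
    n=$(awk -F: -v u="$user" '
        $1 == u { c++; if (NF != 7) bad = 1 }
        END { print (bad ? 0 : c + 0) }' "$file")
    [ "$n" -eq 1 ] ||
        { echo "expected exactly one 7-field entry for $user" >&2; return 1; }
    tmp=$file.new.$$
    # Rewrite field 6 of that entry only; every other line passes through.
    awk -F: -v OFS=: -v u="$user" -v h="$home" \
        '$1 == u { $6 = h } { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # A short write (e.g. a full partition) must not replace the live file.
    if [ "$(wc -l < "$tmp")" -ne "$(wc -l < "$file")" ]; then
        rm -f "$tmp"; echo "refusing to install truncated result" >&2; return 1
    fi
    # Assumed mode 644; rename within the same directory swaps the file in one step.
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# Constructed sample run on a temporary copy, not the real /etc/passwd.
demo=$(mktemp) && printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo"
set_home_dir "$demo" root /raidsys/0/root && cat "$demo"
rm -f "$demo"
```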
#12
On my n2800 /etc is a 23Mb read-write partition on the DOM module so it would be persistent. I've added a couple of extra users via the web interface and they are in my /etc/passwd file (obviously) and the change I made to the root user's home dir remains after a reboot. Maybe on some other devices the files in /etc are in RAM and are rebuilt from some other ROM area or tarball, but on this n2800 most of the files in /etc are the originals.
Code:
/dev/sdaaa2 on /etc type ext2 (rw,noatime,nodiratime,errors=continue)
/dev/sdaaa2              22.9M    913.0K     22.0M   4% /etc
Reply
#14
Every time you do a firmware update your ~/ root directory (including all your authorized ssh keys) will be deleted.

I didn't want to rewrite anything that could be affected by a reboot/firmware update or anything else, so I do a short set of steps to handle them.

First, copy the newly created authorized keys file out to a persistent directory (something in /raid/data)

In this case, my copy is /raid/data/backup/keys/auth_keys (the new file created by the process documented above).

I use this script to put my keys back once I've reloaded:

Code:
#!/bin/sh
cp ~/.ssh/authorized_keys /raid/data/backup/keys/auth.current
cp /raid/data/backup/keys/auth_keys ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
kill $(ps | grep '[/]opt/bin/stond' | awk '{print $1}')
/opt/bin/stond -f /tmp/sshd/sshd_config

Now for the breakdown of what's happening:

Copy the current keys down to the backup folder - never know when something will need to be reverted.
Copy the "good keys" back up to the root .ssh folder.
I've found elsewhere in these forums that the chmod process is needed to make stond (the SSH daemon) pick up the keys correctly, so we do that here.
Kill the ssh daemon - since there are three (at least) processes spawned by this, we can't just use pidof to find it, this command will kill the correct one.
Restart the ssh daemon.

Voila, your keys are restored, and you can connect without a password from your other machines once more.
Reply
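
The restore step from the post above, as an added shell example (not the poster's script): before the backup copy is installed for root it must be a regular file owned by the invoking user, not writable by group or others, and contain only public-key lines, since anyone who can write that backup gains a root login at the next restore. The function name `restore_keys`, the accepted key types and the `.prev` suffix are assumptions; restarting the daemon stays as in the post.

```sh
#!/bin/sh
# Added example, not from the thread. restore_keys is a hypothetical name.
# Usage on the NAS: restore_keys /raid/data/backup/keys/auth_keys ~/.ssh
restore_keys() {
    src=$1 sshdir=$2
    [ -f "$src" ] && [ ! -L "$src" ] ||
        { echo "backup missing or a symlink: $src" >&2; return 1; }
    # Whoever can write the backup can add a root key: check owner and mode.
    mode=$(ls -ln "$src" | awk '{ print $1 }')
    owner=$(ls -ln "$src" | awk '{ print $3 }')
    [ "$owner" = "$(id -u)" ] ||
        { echo "backup is not owned by uid $(id -u)" >&2; return 1; }
    case $mode in
        ?????w*|????????w*)
            echo "backup is writable by group or others" >&2; return 1 ;;
    esac
    # Each non-comment line needs a key type followed by a base64 blob
    # (options may precede it). Extend the type list for newer key types.
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$") ok = 1
            if (!ok) { bad = 1; exit }
            n++
        }
        END { exit (bad || n == 0) }
    ' "$src" || { echo "backup is not a valid authorized_keys file" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    # Keep the file being replaced, then install via rename in the same dir.
    [ -f "$sshdir/authorized_keys" ] &&
        cp -p "$sshdir/authorized_keys" "$sshdir/authorized_keys.prev"
    tmp=$sshdir/authorized_keys.new.$$
    (umask 077; cp "$src" "$tmp") && chmod 600 "$tmp" &&
        mv "$tmp" "$sshdir/authorized_keys"
}
```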
#15
Why not just use FaJoSSHD ... can be used in parallel to the integrated sshd and makes life a lot easier.

/Falk
Further information and module downloads at FaJo.de

I decided to finally stop module development and maintenance. Existing modules are still available for download for now.
Reply

