[HOWTO] Persistent SSH Home Directories
#1
SSH with persistent user home directory guide

Disclaimer
This is an unofficial guide to SSH and setting up persistent user accounts on a Thecus NAS. It was made using a Thecus N4100PRO firmware version 5.03.02.8 so it may be quite different in other hardware and/or firmware versions. I'll try to explain each step so alternate decisions can be taken based on individual realities and/or necessities. If any aspect of this guide is incorrect or needs further clarification please feel free to suggest a revision or point out and explain the mistakes. I'm not in any way responsible for any harm to your hardware and/or data that can come from following this guide. I'm not a Linux expert, only a hobbyist, and this is my first guide.

Introduction
I'll consider a mostly default configuration of the NAS as a starting point. I'll not get into setting up the RAID itself, I'll only assume your RAID is correctly set and the data directory is mounted on /raid/data (which is actually symlinked to the real mount point /raid0/data). Since you can't verify that yet, we need to install the SSH module to be able to log into the NAS command line.

Download, install and activate the FajoSSHD module. At the time of writing this guide the latest version of the module was 1.09.02 containing openssh v7.1p1 and openssl 1.0.1p and could be found at FaJoSSHD (updated: V1.10.00 by outkastm)

Optional: Make the following changes to the FaJoSSHD configuration:

## (Multiple Port options are permitted.)
#Port 22
Port 10022

to

## (Multiple Port options are permitted.)
Port 22
#Port 10022

To access the SSH server at the default port configuration. This way you'll be able to access the NAS command line by entering the command:

ssh root@<NAS IP Address>
<enter your admin password>

If you want to leave this configuration untouched you'll access the NAS command line by entering the command:

ssh root@<NAS IP Address> -p 10022
<enter your admin password>

So now we are able to log into the NAS command line as the root user in the root user's home directory: /root.

Problems
The first thing everyone wants to do is to add files to the /root directory to customize root's shell experience. The first problem with this is that the /root directory is not persistent. With every reboot you will lose all the files you saved in /root. The reason this happens is that the /root directory is actually mounted on RAM so it gets erased with every reboot. You only have a few mount points available that are persistent; luckily there is one place that is persistent and (usually) has plenty of space: /raid/data (your RAID's data partition). The other problem is that you shouldn't mess around too much with the root user environment since the NAS's correct operation depends on it. Additionally I noticed that the root entry in the /etc/passwd file also gets reset with every reboot (I'm not exactly sure of this, maybe someone else can confirm).

For the first problem we already have a solution: Let's put the root user home directory in /raid/data. The second problem is how to change the root user's home directory if the root entry in /etc/passwd gets reset with every reboot? Then I remembered that in the past we needed to install the SYSUSER module to actually be able to log in as 'root' via SSH. This module would create a 'sys' user with the same id and privileges as root. So actually this approach solves two problems: Not being able to change the root user's home directory and also not messing around with root's environment every time the system runs any non-interactive scripts in the background.

We could configure the new user 'sys' to use a directory in /raid/data as home directory. To me setting this home directory inside /home sounds a lot saner. The problem with the /home directory is that it also gets recreated with every reboot. But what if we could link the /home/sys directory with the sys directory in /raid/data at boot time? Cue the META module. The META module runs any executable scripts inside the startup or shutdown directories of the module at the respective NAS startup or shutdown. So install and activate the META module. At the time of this writing the META module's latest version was 2.00.02 and could be found at this Thecus Forum thread.

Solutions
Step 1: Create the 'sys' user home directory in /raid/data.

cd /raid/data
mkdir -p home/sys

Step 2: Create an executable script to link /raid/data/home/sys to /home/sys in the startup directory in META.

cd /raid/data/module/META/system/etc/startup
vi link.sh

Create and save the script with the code below.

chmod 774 link.sh
exit

The link.sh script:
Code:
#!/bin/bash
# Script to link persistent directories to non-persistent directories

# Directory variables definitions
RHOME='/raid/data/home'
NHOME='/home'

# Link home directories
ln -sf $RHOME/sys $NHOME/sys

unset RHOME NHOME

Restart the NAS. SSH into root and check if the sys directory is present in /home.

Step 3: Create the 'sys' user and configure its home directory.

You could use the SYSUSER module for this but I guess it's easier to use the command line. It took me a bit of time to get the right command for this since the password creation isn't really straightforward. Enter the command substituting "password" for the user's password:

useradd -u 0 -o -g 0 -d /home/sys -s /bin/bash -p "$(makepasswd -e shmd5 -p "password" | awk '{print $2}')" sys

Example:

useradd -u 0 -o -g 0 -d /home/sys -s /bin/bash -p "$(makepasswd -e shmd5 -p "admin" | awk '{print $2}')" sys

This will create a user 'sys' with uid '0', gid '0', home directory /home/sys, shell /bin/bash and password 'admin'.

In case you need to alter the password for 'sys':

usermod -p "$(makepasswd -e shmd5 -p "password" | awk '{print $2}')" sys

Or delete the 'sys' user altogether:

userdel sys

Conclusion
At this point you should be able to log out of root and log in as sys:

ssh sys@<NAS IP Address>
<enter 'sys' password>

Entering the command 'pwd' should return /home/sys. You can now save the sys user's configuration files and they will persist.

pwd
/home/sys

Additional Notes
To create a home directory for non-root users (users created on the NAS web interface) the procedure is similar:
Step 1: Create the user in the NAS web interface (Example user: 'thecus').
Step 2: SSH as root or sys user and create a home directory: /raid/data/home/thecus.
Step 3: Edit the META startup script to link /raid/data/home/thecus to /home/thecus.
Add the line: ln -sf $RHOME/thecus $NHOME/thecus to the #Link home directories section.
Log out and restart the NAS.
Step 4: SSH as root or sys user and modify the 'thecus' user home directory and login shell. Enter the command:
usermod -d /home/thecus -s /bin/bash thecus
Note: Without a login shell a normal user will not be able to log in, even with a correct password.
Step 5: Log out and SSH in as thecus.

PS
I'll try to follow up with further configurations and customizations adding the ModBase1 module to this setup.

Screenshots
After adding your setup files you can get a more personal shell experience with your NAS command line. Even with an aging system like my Thecus N4100PRO.

[Screenshot: SSH login welcome message]

[Screenshot: Editing Vim's .vimrc via SSH]

Dotfiles

For my dotfiles and instructions on how to install them, please visit my thecus-dotfiles repository on Github.
Note: My dotfiles assume you have the ModBase1 module installed.

REVISIONS:
- REV. 0.9.03 Beta - 2017-02-06 - Added a link to my dotfiles repository on Github.
- REV. 0.9.02 Beta - 2017-02-01 - Added some screenshots of my system after adding some configuration files.
- REV. 0.9.01 Beta - 2017-02-01 - Updated link to FaJoSSHD module and added note to Step 4 @ Additional Notes.
- REV. 0.9.00 Beta - 2017-01-30 - Initial post.
Reply
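
A generalized form of the link.sh script from the guide above, as an added example that is not part of the original post: it links every directory found under the persistent home root instead of needing one hard-coded `ln` line per user, skips anything that is itself a symlink or would replace a real directory, and uses `ln -sfn` so a rerun replaces an existing link rather than nesting a new one inside its target. The function name `link_homes` and its two arguments are assumptions; the default paths are the ones the guide uses.

```shell
#!/bin/sh
# Added example: link every persistent home directory into the volatile /home.
# link_homes is a hypothetical helper; the default paths are the guide's.

link_homes() {   # usage: link_homes [PERSISTENT_ROOT] [VOLATILE_ROOT]
    rhome="${1:-/raid/data/home}"   # persistent home root on the RAID
    nhome="${2:-/home}"             # volatile home root, recreated at boot
    linked=0

    [ -d "$rhome" ] || { echo "missing $rhome" >&2; return 1; }
    mkdir -p "$nhome" || return 1

    for src in "$rhome"/*/; do
        [ -d "$src" ] || continue        # the glob matched nothing
        src="${src%/}"
        name="${src##*/}"
        dst="$nhome/$name"

        # Link real directories only; a symlink dropped into the data
        # share must not decide where a home directory points.
        if [ -L "$src" ]; then
            echo "skip $name: source is a symlink" >&2
            continue
        fi

        # Never replace a real file or directory that already sits in /home.
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            echo "skip $name: $dst exists and is not a symlink" >&2
            continue
        fi

        # -n treats an existing link to a directory as a plain file,
        # so it is replaced instead of followed.
        ln -sfn "$src" "$dst" && linked=$((linked + 1))
    done

    echo "$linked"                       # number of links created or refreshed
}

# In the META startup script, call it with no arguments:
# link_homes
```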
#2
Hi,

Thanks for the tutorial.

I use OS7 (N4810) and am trying to get SSH working for non-root users (users created on the NAS web interface).

Username is N4810.
When I check /raid/data I see I have a HOME (not home) folder already created when I added the user, I assume, and it has the user's ownership.

N4810:~# ls -l /raid/data/HOME
drwxrwx---    5 root     root          4096 Jul  4  2017 admin/
drwxrws---    4 N4810    users         4096 Sep  5 07:27 N4810/

So when I created the link.sh file I linked /raid/data/HOME/N4810 to /home/N4810 (didn't create a new home folder as this was already there).
Rebooted and can see a /home/N4810 folder has been created.

Everything looks OK except I still cannot SSH with this user account, keep getting "Permission Denied".

blkbr@blkbr-nuc:~$ ssh N4810@192.168.2.250
N4810@192.168.2.250's password: 
Permission denied, please try again.

Logged in as root I did passwd N4810 and entered the password and still get the same.

link.sh file contents:
Code:
#!/bin/bash
# Script to link persistent directories to non-persistent directories

# Directory variables definitions
RHOME='/raid/data/HOME'
NHOME='/home'

# Link home directories
ln -sf $RHOME/N4810 $NHOME/N4810

unset RHOME NHOME

The only thing I can think of is when I tried to do the useradd (OS7 has adduser) it replies the user already exists.
So I don't know if a shell is set, etc., but this shouldn't affect login?

Edit:
I looked in /etc/passwd and see this, so it does have a shell, etc. set:

N4810:$1$auvkJEF6$bzuLkWmDY12fMqYQqJj7/.:1000:100:Linux User,,,:/raiddata/0/HOME/N4810:/bin/bash
Reply
#3
Hi Blackbear199,

I'm currently reformatting my N4100PRO and will have to set up my system again. I'm not sure if there are significant differences from OS5 to OS7 since my NAS only runs up to OS5. For instance my NAS does not create the 'HOME' directory in the RAID volume. Also it seems like your user directory path on your passwd file is wrong? (/raiddata/0/HOME/N4810). Shouldn't it be (/raid/data/HOME/N4810)? If the directory is right you need to update the link script to the right address. I'll review my instructions tomorrow and see if everything works as before. I have a suspicion that things are not quite the same going from OS5 to OS7.
Reply
#4
Quote: Also it seems like your user directory path on your passwd file is wrong? (/raiddata/0/HOME/N4810). Shouldn't it be (/raid/data/HOME/N4810)?

Hmm, the HOME folder shows in multiple directories so I assumed they were all linked.
I just checked and there's..

/raid/HOME
/raid/data/HOME
/raiddata/0/HOME

/raid/data is linked to /raid
Code:
N4810:~# ls -la /raid/data

lrwxrwxrwx    1 root     root             1 Jul  4  2017 /raid/data -> ./

/raid is linked to /raiddata/0/
Code:
N4810:~# ls -la /raid

lrwxrwxrwx    1 root     root            11 Feb 19 15:23 /raid -> /raiddata/0/

And finally it appears this is where the actual HOME folder is (there are also a bunch of other directories here)..
Code:
N4810:~# ls -la /raiddata/0/
drwxr-xr-x    4 nobody   users         4096 Dec 23 09:25 HOME/

/raiddata/0/HOME
Code:
N4810:~# ls -la /raiddata/0/HOME/
drwxr-xr-x    4 nobody   users         4096 Dec 23 09:25 ./
drwxr-xr-x   20 root     root          4096 Feb 19 15:23 ../
drwxrwx---    5 root     root          4096 Jul  4  2017 admin/
drwxrws---    4 N4810    users         4096 Sep  5 07:27 N4810/

So I think I should try it with /raiddata/0/HOME/N4810 linked to /home/N4810.
Think it makes a difference that in my first attempt it was a linked path?
Let's see.

Edit:
Same results, "Permission Denied", when trying to SSH.

Thanks again
Reply
#5
My NAS is still rebuilding after formatting yesterday. I guess I should have chosen fast formatting. From what I can remember of my NAS, the root home folder was mounted in memory, so whenever I would reboot the router, every change would be lost. What do you get at /home directory? Also post the contents of your /etc/passwd file. As soon as I'm able to SSH into my NAS again I'll probably be able to help better.
Reply
#6
I didn't follow the complete guide, but if you want to give a particular user SSH access, edit the sshd_config within the FaJoSSHD module WebUI, at the AllowUsers line at the end of the config file:

Code:
Subsystem    sftp    /raid/data/module/FaJoSSHD/system/libexec/sftp-server
AllowUsers backuppc root irinel

Also edit /etc/passwd to allow shell login (/bin/sh)

Code:
,:/raid/data/HOME/irinel:/bin/sh
-----------------------------------------------------------------------------------------------------
Download modules from my forum pirinel.ro
Reply
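
The two conditions from the post above (the account is named on the AllowUsers line and has a usable login shell in /etc/passwd), plus a flag for extra uid-0 names such as the 'sys' account from the guide, as an added example that is not part of the original posts or of the FaJoSSHD module. `ssh_login_check` and `make_sample` are hypothetical helpers, and the passwd and sshd_config contents are constructed sample data.

```shell
# Added example: check one account against the two conditions in the post above.
# ssh_login_check and make_sample are hypothetical helpers, not FaJoSSHD code.

ssh_login_check() {   # usage: ssh_login_check USER PASSWD_FILE SSHD_CONFIG
    user="$1"; passwd="$2"; config="$3"; problems=""

    # passwd(5): field 3 is the uid, field 7 the login shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7; exit }' "$passwd")
    [ -n "$entry" ] || { echo "no-passwd-entry"; return 1; }
    uid="${entry%%:*}"; shell="${entry#*:}"; shell="${shell:-/bin/sh}"

    # The shell must be a real executable; /dev/null or a missing path blocks login
    { [ -f "$shell" ] && [ -x "$shell" ]; } || problems="$problems no-login-shell"

    # Once any AllowUsers line exists, only the names listed may log in.
    # Exact names only: user@host and wildcard patterns are not evaluated here.
    awk -v u="$user" 'tolower($1) == "allowusers" {
            seen = 1; for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
        END { if (seen && !ok) exit 1 }' "$config" ||
        problems="$problems not-in-AllowUsers"

    # A second uid-0 name is root under another name, whatever its home or shell
    if [ "$uid" = 0 ] && [ "$user" != root ]; then
        problems="$problems uid0-alias"
    fi

    problems="${problems# }"
    echo "${problems:-ok}"
    [ -z "$problems" ]
}

make_sample() {       # writes constructed sample files into directory $1
    cat > "$1/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
sys:*:0:0::/home/sys:/bin/sh
admin:*:97:97:admin:/dev/null:/dev/null
thecus:*:1000:100:Linux User,,,:/home/thecus:/bin/sh
EOF
    cat > "$1/sshd_config" <<'EOF'
#AllowUsers nobody
AllowUsers root sys admin
EOF
}
```

On the NAS the real inputs would be /etc/passwd and the sshd_config that the FaJoSSHD WebUI edits; a result of `ok` means neither of the two conditions blocks the login, not that authentication will succeed.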
#7
This is after a reboot, as the N4810 user is created with the link.sh file and the META module.
Code:
N4810:/raid/NAS_WebGrab# ls -la /home
drwxr-xr-x    4 root     root          1024 Feb 20 05:08 ./
drwxr-xr-x   26 root     root          1024 Feb 20 04:28 ../
drwxr-xr-x    2 1001     root          1024 Dec 19  2004 admin/
drwxr-xr-x    3 root     root          1024 Feb 20 05:08 blkbr/
lrwxrwxrwx    1 root     root            22 Feb 20 04:27 N4810 -> /raiddata/0/HOME/N4810/

/etc/passwd
Code:
root:$1$QTL/bLXW$1MsZE1nbIz6lvOtCTBvmI.:0:0:root:/root:/bin/sh
rpcuser:*:29:492:RPC Service User:/var/lib/nfs:
rpc:*:32:32:Rpcbind Daemon:/var/lib/rpcbind:
sshd:*:33:33:sshd:/:
ftp:*:50:50:ftp:/raid/data/ftproot:/dev/null
admin:*:97:97:admin:/dev/null:/dev/null
nobody:*:99:99:nobody:/:
N4810:$1$auvkJEF6$bzuLkWmDY12fMqYQqJj7/.:1000:100:Linux User,,,:/raiddata/0/HOME/N4810:/bin/bash
I know this..
N4810:$1$auvkJEF6$bzuLkWmDY12fMqYQqJj7/.:1000:100:Linux User,,,:/raiddata/0/HOME/N4810:/bin/bash
should be
N4810:$1$auvkJEF6$bzuLkWmDY12fMqYQqJj7/.:1000:100:Linux User,,,:/home/N4810:/bin/bash

I left it as it was created when the user was added via the GUI for now.
Even without the /home symlink I think it should be able to SSH to this directory?

@outkastm,
I was looking at FaJoSSHD but I thought it was only for root access, not non-root?

Update:
I installed FaJoSSHD and yes, I can log in as user N4810 but it has root access (which I don't want).
Reply
#8
What do you mean the user has root access? As an example try:
cd /root
The command should give you permission denied.
Also try to create a folder:
mkdir /etc/test
It should give you permission denied.

Do you want to block the user N4810 to a specific folder (chroot)?
Reply
#9
Sorry outkastm, you are absolutely right.
It does work as you say.
I was changing directory to / and not /root.
Now it's the way I want it. Thanks.
Reply

