Friday, November 16, 2012

Synology SSH Setup for non root users

Reference link: http://www.druhosting.com/content/synology-ssh-setup-non-root-users

Submitted by admin on Mon, 05/28/2012 - 13:30
As you may or may not know, I think Synology DiskStation NASes are the bomb. While they are often super easy to set up, one area that is more difficult is enabling SSH access for non-root users. Why there isn't a script and a checkbox on the GUI I don't really know, but this is one we have to do ourselves. Fortunately Bernhard Hensler at hensler.net has created a really great set of instructions that I am going to repost for you.

See his original article here: http://bernhard.hensler.net/2008/07/17/synology-enable-ssh-user-login-ot...

SSH can either be enabled using the latest firmware and a patch, or using the recent beta firmware, which allows you to enable and disable SSH from the web-based management interface. However, I was a little concerned about the default settings of SSHD, especially if one were to SSH over the internet and not just a local network. First, SSH protocol 1 is enabled, which can be a security risk. Second, root login is permitted (which is understandable, since regular users can’t seem to SSH in by default; unfortunately, there are some caveats to disabling root login via SSH, which I discuss at the end of this post). Here are the steps I took to resolve the above issues (I assume you already have SSH working and can login as root or admin. Also, you should know how to use vi, or at least read this introduction):

1. Create a regular user from the web-based management interface if you have not done so already. Let’s say the username is frank.

2. Login as root via SSH.

3. Execute the following from the command line as root:

mkdir /volume1/users
mkdir /volume1/users/frank
cp /root/.profile /volume1/users/frank
chown -R frank:users /volume1/users/frank
vi /volume1/users/frank/.profile

Change the line that reads “HOME=/root” to “HOME=/volume1/users/frank”, then quit saving changes.

4. Execute the following from the command line as root:

cp -p /etc/passwd /etc/passwd.orig
vi /etc/passwd

Change frank’s home directory (the entry before the last “:”) from “/nonexist” to “/volume1/users/frank”
and his shell (the entry after the last “:”) from “/sbin/nologin” to “/bin/sh”, then quit saving changes.*

5. Make sure you can login as frank by executing the following from the command line as root:

su - frank
pwd
echo $HOME
exit

6. Execute the following from the command line as root:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config

Change the line “#Protocol 2,1” to “Protocol 2” and the line “#PermitRootLogin yes” to “PermitRootLogin no”, then quit saving changes (notice we removed the “#” from both lines).

You may also want to adjust the “LoginGraceTime” and “MaxAuthTries” settings, just be sure to remove the leading “#” from those lines.

7. Restart SSHD. If you are using the beta firmware you can disable then enable the service using the web-based management interface. If not, you may be able to use the disable SSH patch, then the enable SSH patch which may restart your NAS device (I have not tested this), or you can simply execute the following from the command line as root:

/usr/syno/etc.defaults/rc.d/S95sshd.sh restart

I have not personally tested the above command either, and it may end your SSH session if that is where you execute it from. Alternatively, you could temporarily enable Telnet, login as root to execute the command above, then log out and disable Telnet.

8. Test the changes. If you use “ssh -1 user@host” when connecting to your NAS device, you should get an error that reads something like “Protocol major versions differ: 1 vs. 2”. If you try to SSH in as root, it should prompt you for the password, but give you an error like “Permission denied, please try again.” even if you supply the correct password. Finally, you should be able to login via SSH as your regular user (i.e. frank).

*Please note that if you change your regular user’s info (like password, etc.) using the web-based management interface, the information in /etc/passwd will revert back to the defaults, which will no longer let you login via SSH using that user. If this happens, don’t panic, you can always SSH in as admin (which should have the same password as root, but not the same privileges). Unfortunately, only root can execute the “su” command, so to allow your regular user to use SSH again you will have to temporarily enable Telnet, login as root, repeat step #4 above, logout and disable Telnet.

Telnet is also the only way to regain root command line access, which is required to edit “/etc/ssh/sshd_config”, should you want to restore root SSH logins at some point. Alternatively, one could install sudo to execute commands as root, but that is beyond the scope of this post.
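The file edits in steps 3, 4 and 6, plus a check for the /etc/passwd reversion described in the footnote, as shell functions. This is an added example, not code from the original post or from Synology. Every function takes the file it edits as an argument, so you can dry-run it on a copy (for example cp -p /etc/passwd /tmp/passwd) before applying it to the live file; it assumes only a POSIX sh with sed and awk, and the user name frank and the home directory /volume1/users/frank are the ones from the steps above.

```sh
#!/bin/sh
# Added example (not the original post's or Synology's code): steps 3, 4 and 6 as
# functions over files passed as arguments, so they can be tried on copies first.
# Assumes POSIX sh plus sed and awk (BusyBox versions on the NAS are sufficient).
set -eu

# Step 3: point the HOME= line of the copied .profile at the new home directory.
set_profile_home() {  # $1 = path to .profile, $2 = new home directory
  sed "s|^HOME=.*|HOME=$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 4: set the home directory (field 6) and shell (field 7) of one passwd entry.
# Only the named user's line is rebuilt; every other line is copied unchanged.
set_passwd_entry() {  # $1 = passwd file, $2 = user, $3 = home, $4 = shell
  awk -F: -v u="$2" -v h="$3" -v s="$4" \
    'BEGIN { OFS = ":" } $1 == u { $6 = h; $7 = s } { print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Footnote check: when DSM rewrites /etc/passwd the user goes back to /nonexist and
# /sbin/nologin. Returns 0 only if the entry exists and still allows a login shell.
passwd_entry_ok() {  # $1 = passwd file, $2 = user
  awk -F: -v u="$2" '
    $1 == u { found = 1; if ($6 == "/nonexist" || $7 == "/sbin/nologin") bad = 1 }
    END { if (found && !bad) exit 0; exit 1 }' "$1"
}

# Step 6: protocol 2 only and no root login. Both the commented-out and the active
# forms of each directive are rewritten, so no weaker setting survives the edit.
harden_sshd_config() {  # $1 = sshd_config path
  sed -e 's|^#*[[:space:]]*Protocol[[:space:]].*|Protocol 2|' \
      -e 's|^#*[[:space:]]*PermitRootLogin[[:space:]].*|PermitRootLogin no|' \
      "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Offline counterpart of step 8: read the effective (uncommented) values. sshd honours
# the first occurrence of a directive, so only the first match of each is considered;
# a missing directive counts as not hardened, since the old defaults are 2,1 and yes.
sshd_config_ok() {  # $1 = sshd_config path
  proto=$(awk '$1 == "Protocol" { print $2; exit }' "$1")
  root=$(awk '$1 == "PermitRootLogin" { print $2; exit }' "$1")
  [ "$proto" = "2" ] && [ "$root" = "no" ]
}

# Typical use on the NAS, as root, after backing up the originals as in steps 4 and 6:
#   set_profile_home /volume1/users/frank/.profile /volume1/users/frank
#   set_passwd_entry /etc/passwd frank /volume1/users/frank /bin/sh
#   harden_sshd_config /etc/ssh/sshd_config
#   passwd_entry_ok /etc/passwd frank && sshd_config_ok /etc/ssh/sshd_config
```

Running passwd_entry_ok periodically (or before you log out of a root session) is the cheap way to notice that a password change in the web interface has silently reverted the entry, before you find out by being locked out of SSH.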

Hope this helps anyone wanting to secure SSH access. I used information from the following posts to accomplish this:
how to rsync over ssh as an unprivileged user
how to restart SSH server
