SSH Access

Root user

Log in as root. The default setting in /etc/sshd_config is PasswordAuthentication yes.

Attach a USB stick to the box which contains an authorized_keys file with the public keys of the machines you want to use for SSH access to the box.

mkdir /root/.ssh
chmod 700 /root/.ssh
cp /volumeUSB1/authorized_keys /root/.ssh
chmod 400 /root/.ssh/authorized_keys

Non-root user

Log into the web interface

Control Panel > Users > User Home > Enable user home services

This enables the path /var/services/homes and, below it, directories for all users registered on the system.

Adding a user through the web interface does not set all necessary settings for SSH / shell access:

  1. create directory /var/services/homes and /var/services/homes/<username> with proper privileges as root
  2. copy .profile from /root to /var/services/homes/<username> and edit its contents
  3. you might wish to change the default prompt to PS1="\u@\h:\w\$ " in .profile
  4. if you installed sudo, also add SUDO_PS1 with the same prompt to .profile

Do the following as root:

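chmod 4755 /bin/busybox
-- mode 4755 sets the setuid bit: busybox then starts with root's effective UID for every user who runs it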
cd /var/services/homes/username
mkdir .ssh
chown username:users .ssh
cp /root/.ssh/authorized_keys .ssh
chown username:users .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
cp /root/.profile /var/services/homes/username
vi .profile
-- change the line that reads "HOME=/root" to "HOME=/var/services/homes/username"
chmod 600 .profile
vi /etc/passwd
-- make sure your home is /var/services/homes/username and change shell from /sbin/nologin to /bin/sh or /bin/ash

Hardening

# vi /etc/ssh/sshd_config
Port 50111
LoginGraceTime 15
PermitRootLogin without-password
PasswordAuthentication no

Tunneling

If you want to establish tunnels to services on the NAS, you need to enable TCP forwarding:

# vi /etc/ssh/sshd_config
AllowTcpForwarding yes
PermitTunnel yes

Check configuration

Check configuration of sshd_config before reloading or restarting:

# sshd -t
# /etc/init.d/ssh reload
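
sshd -t only checks that the file is valid; it does not show which value wins when a keyword appears twice. The script below is an added example, not part of the original page: it audits a config file against the Hardening values above, using a constructed sample file and hypothetical function names (first_value, check, audit_sshd_config).

```sh
#!/bin/sh
# Audit an sshd_config file against the hardening values shown on this page.
# sshd keeps the first value it reads for a keyword and treats keywords
# case-insensitively; this check does the same. Match blocks, Include
# files and the "Keyword=value" form are not handled.

# first_value FILE KEYWORD: print the first value set for KEYWORD (empty if unset)
first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                      # comment or blank line
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check FILE KEYWORD "ALLOWED VALUES": print a finding unless the value is allowed
check() {
    val=$(first_value "$1" "$2")
    for ok in $3; do
        [ "$val" = "$ok" ] && return 0
    done
    echo "FAIL $2=${val:-unset} (want: $3)"
    return 1
}

# audit_sshd_config FILE: run all checks, return non-zero if any failed
audit_sshd_config() {
    rc=0
    check "$1" PasswordAuthentication "no" || rc=1
    # prohibit-password is the newer OpenSSH name for without-password;
    # "no" is accepted as well because it is stricter (assumption of this example)
    check "$1" PermitRootLogin "without-password prohibit-password no" || rc=1
    check "$1" LoginGraceTime "15" || rc=1
    return $rc
}

# Constructed sample: the later "PasswordAuthentication no" is ignored by sshd
# because the keyword was already set to yes further up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 50111
#PasswordAuthentication no
passwordauthentication yes
PermitRootLogin without-password
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

To audit the live file, call audit_sshd_config /etc/ssh/sshd_config before reloading sshd.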

Update for DSM5

Set the SSH Port in Control Panel / Terminal.

Troubleshooting

Make sure the NAS is configured correctly to access the internet, e.g. default gateway and DNS settings must be correct.

Enable telnet in web interface > Control Panel > Terminal

telnet box # as username
ssh -v -v -v box # as root

Articles