General NAS-Central Forums

Posted: Wed Jul 10, 2013 5:07 pm

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
Well, I think I know why I cannot log in as a user other than root:

1. Seems my non-root user has his shell changed back to /bin/false after a reboot.
2. Also, /etc/ssh/sshd_config has "AllowUsers" set to only contain "root".

Yeah, and everybody's shell is changed to /bin/false by unicorn/authentication/local/user.py. Also looks like unicorn/sharing/ssh.py rewrites the sshd_config file. *sigh* The only thing for it is to install a different sshd into /opt/sbin/ and run that.


Posted: Wed Jul 10, 2013 6:51 pm

Joined: Mon Jan 07, 2013 1:23 pm
Posts: 7
jpl wrote:
Next? Perhaps I'll install some useful tools to replace the cut-down busybox ones - netstat and ps are too limited for my purposes.


I personally don't need the whole unicorn stuff. I commented it out in /etc/initng/runlevel/default.runlevel. Also /etc/initng/mdadm.i needed a straightforward edit so unicorn/ready isn't a prerequisite for mdadm/monitor:

Code:
need = mdadm/scan;


On the device is nfs, not in use by default, but waiting to be put to work. The following script exports the existing shares through nfs and eases the led:

Code:
#!/bin/bash

# Start the lvm service so the data volume (/dev/dm-0) is available
ngc -u lvm
mkdir -p /media/internal_11
mount /dev/dm-0 /media/internal_11 -o rw,relatime,barrier=1,data=ordered
# Make the share's data directory visible at /lacie
mount --bind /media/internal_11/shares/1/data /lacie

# Export /lacie over nfs to any client (*); root is squashed to uid/gid 65534
echo '/lacie *(rw,no_subtree_check,no_wdelay,hide,insecure,secure_locks,async,root_squash,anonuid=65534,anongid=65534)' > /etc/exports
ngc -u nfs
exportfs -v

# choices are: none hdd nand-disk timer heartbeat backlight gpio default-on run-light
echo default-on > /sys/class/leds/familybox\:blue\:sata/trigger



Edit: mention /etc/initng/mdadm.i so unicorn really does not start.


Last edited by blong on Wed Jul 10, 2013 7:22 pm, edited 1 time in total.

Posted: Wed Jul 10, 2013 7:21 pm

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
Installed optware, works well. I created the dir /shares/admin/opt and bind-mounted over /opt. Then I downloaded the ipkg tarball and extracted, as described here:

http://lacie.nas-central.org/w/index.ph ... stall_ipkg

Worked exactly as advertised.

Then I copied rc.optware from a Buffalo box I have, and put it into /opt/etc/. It looks like this:

Code:
#!/bin/sh

# Start all init scripts in /opt/etc/init.d
# executing them in numerical order.
#
for i in /opt/etc/init.d/S??* ;do

        # Ignore dangling symlinks (if any).
        [ ! -f "$i" ] && continue

        case "$i" in
           *.sh)
                # Source shell script for speed.
                (
                        trap - INT QUIT TSTP
                        set start
                        . $i
                )
                ;;
           *)
                # No sh extension, so fork subprocess.
                $i start
                ;;
        esac
done


Then I created /etc/initng/optware.i as follows:

Code:
#!/sbin/itype
# This is a i file, used by initng parsed by install_service

service optware {
        need = unicorn/ready;
        stdall = /var/log/messages;
        script start = {
                if test -z "${REAL_OPT_DIR}"; then
                    REAL_OPT_DIR=/shares/admin/opt/
                fi
                if test -n "${REAL_OPT_DIR}"; then
                    if ! grep ' /opt ' /proc/mounts >/dev/null 2>&1 ; then
                        mkdir -p /opt
                        mount -o bind ${REAL_OPT_DIR} /opt
                    fi
                fi
                [ -x /opt/etc/rc.optware ] && /opt/etc/rc.optware
        };
        script stop = {
                umount /opt
        };
}


Then I added "optware" to the end of /etc/initng/runlevel/default.runlevel.

Finally, I ran "ngc --start optware" and I was all ready to go. This all survived a reboot. The optware init scripts don't get started until very late in the boot process, which is good because /shares/admin isn't mounted straight away.

If you change from the built-in ssh to openssh or dropbear installed from optware, it's a long wait before you can log in using these, compared to the built-in sshd. Also, remember to set the port (in /opt/etc/openssh/sshd_config) to something other than 22 and 2222, as these are probably taken.


Last edited by jez on Thu Jul 11, 2013 4:12 am, edited 1 time in total.

Posted: Wed Jul 10, 2013 7:38 pm

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
Quote:
I personally don't need the whole unicorn stuff. I commented it out


Great idea. This is for someone else (non-technical) to use so I want to leave it close to stock so it matches with the manual.

Quote:
On the device is nfs, not in use by default, but waiting to be put to work. The following script exports the existing shares through nfs and eases the led:


Awesome.


Posted: Sun Apr 13, 2014 6:31 am

Joined: Fri Mar 21, 2014 4:48 pm
Posts: 3
Hello, can someone help me? I have a problem with ssh-rsa keys, or at least I think that's the problem. I followed the steps disassembling my box. I can connect with the ssh command on my Mac, but it asks me for the password. I read that it is a problem with the id_rsa files and authorized_keys.

I am not sure if I missed something. I followed these steps:

Mount partition 6
In /0/etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf I changed enabled from false to true.
Created dir /0/root/.ssh with permission 700
Inside it I pasted id_rsa.pub renamed to authorized_keys with permission 600
It lets me use ssh on my computer and detects the fingerprint. It asks me if I want to continue connecting. I said yes. But it asks me for a password.

Can someone help me work out what I am doing wrong?

Thanks


Posted: Sun Apr 13, 2014 10:31 am

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
sotoahs wrote:
It lets me use ssh on my computer and detects the fingerprint. It asks me if I want to continue connecting. I said yes. But it asks me for a password.


Stock sshd or did you install another sshd like I did? If the latter, then make sure you're connecting on the correct port.

Check that your authorized_keys works on another computer.

Run ssh with one or more "-v" switches and see if it tells you what the problem is.

J


Posted: Sun Apr 13, 2014 9:08 pm

Joined: Fri Mar 21, 2014 4:48 pm
Posts: 3
No, I didn't install another sshd. Where can I find one to replace it?

Here is the verbose output:

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to 192.168.1.76 [192.168.1.76] port 2222.
debug1: Connection established.
debug1: identity file /Users/sotoahs/.ssh/id_rsa type 1
debug1: identity file /Users/sotoahs/.ssh/id_rsa-cert type -1
debug1: identity file /Users/sotoahs/.ssh/id_dsa type -1
debug1: identity file /Users/sotoahs/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ad:7c:86:2e:31:22:de:d1:75:d1:61:b9:cc:1f:5a:d1
debug1: Host '[192.168.1.76]:2222' is known and matches the RSA host key.
debug1: Found key in /Users/sotoahs/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/sotoahs/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/sotoahs/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password

Thanks,
A.
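
A way to read the authentication tail of an `ssh -v` log like the one above, as an added example that is not part of the original post: it records which identities were loaded, which key offers the server answered with a failure, and whether the client fell back to a password. The sample log is constructed and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample: the authentication tail of an OpenSSH client `-v` run.
SAMPLE_LOG = """\
debug1: identity file /Users/example/.ssh/id_rsa type 1
debug1: identity file /Users/example/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/example/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/example/.ssh/id_dsa
debug1: Next authentication method: password
"""

IDENTITY = re.compile(r"debug1: identity file (\S+) type (-?\d+)")
# Older clients print "Offering RSA public key: PATH", newer ones "Offering public key: PATH ..."
OFFER = re.compile(r"debug1: Offering (?:\S+ )?public key: (\S+)")


def triage(log: str) -> dict:
    """Summarise what happened to each identity in an OpenSSH client -v log."""
    result = {"loaded": [], "not_loaded": [], "rejected": [], "accepted": [],
              "fell_back_to_password": False}
    pending = None  # key that was offered, server verdict not yet seen
    for line in log.splitlines():
        if m := IDENTITY.search(line):
            # type -1: no public key could be loaded from that path at start-up
            bucket = "not_loaded" if m.group(2) == "-1" else "loaded"
            result[bucket].append(m.group(1))
        elif m := OFFER.search(line):
            pending = m.group(1)
        elif "Server accepts key" in line and pending:
            result["accepted"].append(pending)
            pending = None
        elif "Authentications that can continue" in line and pending:
            # The server answered the offer with a failure: it does not trust this key
            result["rejected"].append(pending)
            pending = None
        elif "Next authentication method: password" in line:
            result["fell_back_to_password"] = True
    return result


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

A key that lands in `rejected` was read correctly on the client, so the thing to inspect is the server side: the contents and permissions of authorized_keys and the sshd configuration.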


Posted: Sun Apr 13, 2014 11:56 pm

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
sotoahs wrote:
No, I didn't install another sshd. Where can I find one to replace it?

If you set up Optware using my instructions in this post, then you can install Optware's ssh or dropbear (my preference is dropbear) by running something like
Code:
ipkg install dropbear


sotoahs wrote:
debug1: identity file /Users/sotoahs/.ssh/id_rsa type 1
debug1: identity file /Users/sotoahs/.ssh/id_rsa-cert type -1
debug1: identity file /Users/sotoahs/.ssh/id_dsa type -1
debug1: identity file /Users/sotoahs/.ssh/id_dsa-cert type -1

So ssh found four certificate files to use.

sotoahs wrote:
debug1: Offering RSA public key: /Users/sotoahs/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /Users/sotoahs/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password


And this shows that it failed when using id_rsa/id_rsa.pub. Check that id_rsa.pub is the file that you used to put into the authorized_keys file. If you used another identity key file, you can specify to ssh which to use with the "-i" switch like so:

Code:
ssh -i ~/.ssh/id_rsa-cert -p 2222 192.168.1.76
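
The permission steps listed earlier in the thread and the check suggested above (that authorized_keys really holds the id_rsa.pub being offered) can be verified together; this is an added example, not code from the thread. `audit`, `key_blob` and the sample key line are hypothetical, the write-permission test follows OpenSSH's StrictModes rule, and file ownership is not checked.

```python
import os
import stat
import tempfile

# Constructed sample key line; the blob is filler, not a real key.
CLIENT_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed user@example"


def key_blob(line):
    """Return the base64 blob of a public-key line, skipping any options prefix."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-sha2-")):
            return fields[i + 1]
    return None


def audit(ssh_dir, client_pub_line):
    """List reasons sshd could ignore ssh_dir/authorized_keys for this client key."""
    ak_path = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.isfile(ak_path):
        return ["authorized_keys is missing"]
    problems = []
    for path in (ssh_dir, ak_path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:  # group- or world-writable: refused under StrictModes
            problems.append(f"{path} is group/world writable (mode {mode:o})")
    with open(ak_path) as fh:
        lines = [l for l in fh.read().splitlines() if l.strip() and not l.startswith("#")]
    if any("PRIVATE KEY" in l for l in lines):
        problems.append("authorized_keys holds a private key, not a .pub line")
    blob = key_blob(client_pub_line)
    if blob is None or blob not in {key_blob(l) for l in lines}:
        problems.append("client public key is not listed in authorized_keys")
    return problems


if __name__ == "__main__":
    demo = tempfile.mkdtemp()          # stands in for /root/.ssh
    path = os.path.join(demo, "authorized_keys")
    with open(path, "w") as fh:
        fh.write(CLIENT_PUB + "\n")
    os.chmod(path, 0o666)              # deliberately too permissive
    print(audit(demo, CLIENT_PUB))
```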


Posted: Sun Apr 27, 2014 12:15 am

Joined: Fri Mar 21, 2014 4:48 pm
Posts: 3
Hello, I managed to install optware and dropbear, but I get the same result when I try to connect. I also tried to do it with the dropbear_dss_host_key. It asks me for a phrase. Then I can't get a connection either.
I used passwd to change my root password, and using it I can log in. The problem is that each time I restart the cloud box the password is reset.
I realize dropbear keys are encrypted in a different way, and there is a tool to change them from openssh to dropbear, but I tried different ways without a positive result.

Is the procedure to set up dropbear keys different from the one described? I think it takes dropbear_dss_host_key instead of authorized_keys from /root/.ssh. I googled it for a couple of days and I can't make it work. I am not sure what I am doing wrong.

Here is the new log, using dropbear_dss_host_key:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to 192.168.1.76 [192.168.1.76] port 2020.
debug1: Connection established.
debug1: read_keyfile_line: dropbear_dss_host_key line 1 exceeds size limit
debug1: read_keyfile_line: dropbear_dss_host_key line 1 exceeds size limit
debug1: identity file dropbear_dss_host_key type -1
debug1: identity file dropbear_dss_host_key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version dropbear_0.52
debug1: no match: dropbear_0.52
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA 12:01:12:df:ac:42:e4:ae:c8:a9:c0:7a:eb:9b:4d:c6
debug1: Host '[192.168.1.76]:2020' is known and matches the RSA host key.
debug1: Found key in /Users/sotoahs/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: dropbear_dss_host_key
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Saving password to keychain failed
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Saving password to keychain failed
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Saving password to keychain failed
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: Next authentication method: password
root@192.168.1.76's password:
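
The `PEM_read_PrivateKey failed` lines in the log above are what the OpenSSH client prints when the file given as an identity is not a PEM private key. The added example below (not part of the original post) tells the common key file formats apart by their leading bytes; the sample byte strings are constructed and `classify_key` is a hypothetical helper.

```python
import struct

KEY_NAME_PREFIXES = (b"ssh-", b"ecdsa-sha2-")

# Constructed samples: only the leading bytes matter, the key material is filler.
SAMPLES = {
    "id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nZmlsbGVy\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa.pub": b"ssh-rsa AAAAB3NzaC1yc2E= user@example\n",
    "dropbear_dss_host_key": struct.pack(">I", 7) + b"ssh-dss" + b"\x00\x00\x00\x02\x01\x02",
}


def classify_key(data: bytes) -> str:
    """Identify what kind of SSH key material a file holds from its leading bytes."""
    if data.startswith(b"-----BEGIN"):
        first_line = data.split(b"\n", 1)[0]
        if b"PRIVATE KEY" in first_line:
            return "pem-private-key"       # what the OpenSSH client expects for -i
        return "pem-other"
    if data.split(b" ", 1)[0].startswith(KEY_NAME_PREFIXES):
        return "openssh-public-key"        # one line of a .pub or authorized_keys file
    # Dropbear's own key files are binary: uint32 length, key type name, then the numbers
    if len(data) >= 4:
        (name_len,) = struct.unpack(">I", data[:4])
        name = data[4:4 + name_len]
        if 0 < name_len < 64 and len(name) == name_len and name.startswith(KEY_NAME_PREFIXES):
            return "dropbear-native-key"
    return "unknown"


def usable_as_openssh_identity(data: bytes) -> bool:
    """True only for files the OpenSSH client can load as a private identity."""
    return classify_key(data) == "pem-private-key"


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_key(blob)} identity={usable_as_openssh_identity(blob)}")
```

A host key identifies the server to clients; the client authenticates with its own private key, whose public half is what belongs in authorized_keys.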


Posted: Sun Apr 27, 2014 11:23 am

Joined: Wed Jul 10, 2013 3:18 pm
Posts: 18
Try generating a new key pair.

