General NAS-Central Forums

Posted: Tue Dec 02, 2014 7:17 pm

Hi all,

Recently I had the privilege to configure a Medion NAS P89631 for somebody.
The only problem I had with the device was the lack of security for setting up a safe FTP solution.

With some research on the webs, I managed to secure it just fine using SSH keys and SFTP.
For those interested in how I did it, I've made some sort of English how-to manual.

It also contains some links for reference, I hope this is not a problem for the board admins.
Here goes:

Install Dropbear to Medion Nas Version Life P89631:

- Knowledge of the Medion NAS manual and options
- Access to the backdoor of the NAS
- General knowledge of Telnet, Putty and SSH
- Dropbear and SFTP software
- Knowledge of tarring/zipping files
- General knowledge of Linux will come in handy

Useful links:

How this document works:
Lines starting with a $ character are command lines, which you will need to enter in the Telnet and/or Putty prompt of the NAS. Type only the text AFTER the $ character.
If you have a different version of the Medion NAS, some paths and folders may be different from what is written here. Keep that in mind.

Installing Dropbear:
Download the following debian package:

Extract the data.tar file from the dropbear_0.52-5+squeeze1_armel.deb package and again extract the following files from the tar archive:
- usr\sbin\dropbear COPY TO /i-data/Z1F4Y7V4/admin/bin/dropbear
- usr\sbin\dropbearkey COPY TO /i-data/Z1F4Y7V4/admin/bin/dropbearkey

- Log in on the Medion NAS (http://<ip-of-NAS>)
- Go to NAS via Telnet (http://<ip-of-NAS>/r38939,/adv,/cgi-bin/remote_help-cgi?type=backdoor)
- Make both files executable
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod +x dropbear
$ chmod +x dropbearkey

- Generate RSA keys:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ ./dropbearkey -t rsa -f dropbear_rsa_host_key

In the "/i-data/Z1F4Y7V4/admin/bin/" directory, create the file "" with the following content:

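#!/bin/sh
# Trace every command and run from the directory this script lives in
set -x
cd "$(dirname "${0}")"
# Stop any dropbear instance that is already running
killall dropbear

# -I 480: idle timeout, -j/-k: no local/remote port forwarding,
# -r: host key file, -E: log to stderr
./dropbear -I 480 -j -k -r dropbear_rsa_host_key -E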


Make the .sh script executable:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod +x

Edit the file "/usr/local/zy-pkgs/etc/init.d/ZYPKG_DEPS"
Add the line "/i-data/Z1F4Y7V4/admin/bin/" below START-UP (DON'T REMOVE THIS LINE!)

It should look like this:
# Dependency for zypkgs




After a restart the SSH server will run. Alternatively, you can start it with this command:
$ /i-data/Z1F4Y7V4/admin/bin/

You can now use Putty with password authentication to connect to the NAS.

Setup SSH for SFTP:
To allow authentication through SSH without passwords, you will need to set up an authorized_keys store for each user. By default, only root has a home directory in place. To set up a home directory for other users, you will need to edit the file /etc/passwd.

This poses several problems. After every reboot the passwd file gets restored back to its previous settings. Second, each directory created in the /home/shares folder also disappears after a reboot. You can work around this problem by copying the passwd file and automating the creation of the home folders through the script.

The entries for root and a custom user (e.g. user1) in the /etc/passwd file would look like this:

This tells us that root has a home folder on /root, while user1 and user2 have their home folders on /home/shares. In fact, every user created on the NAS will share their home folder on /home/shares.
In order to set up SSH for root, we only need to create a .ssh folder and copy a public key to it.

However, to give each user access to their own .ssh folder, we need to change the passwd file accordingly for each user, like this:
user1:x:505:500:type&admin:/home/shares/user1:/bin/sh
user2:x:505:500:type&admin:/home/shares/user2:/bin/sh


First we need to make a copy of the /etc/passwd file and store it in our central admin location:
$ cp /etc/passwd /i-data/Z1F4Y7V4/admin/bin/passwd
$ vi /i-data/Z1F4Y7V4/admin/bin/passwd

Change the user entries to give each user their own /home/shares/<username> folder, so they will look like this:

Now we need to edit the script so it will have the following content:

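#!/bin/sh
set -x
cd "$(dirname "${0}")"
killall dropbear

# Recreate the home and .ssh folders, which are lost on every reboot
mkdir -p /root/.ssh/
mkdir -p /home/shares/user1/.ssh
mkdir -p /home/shares/user2/.ssh
# Install the public keys as each account's authorized_keys file
cp /i-data/Z1F4Y7V4/admin/bin/pubkey1 /root/.ssh/authorized_keys
cp /i-data/Z1F4Y7V4/admin/bin/pubkey2 /home/shares/user1/.ssh/authorized_keys
# Restore the edited passwd file with the per-user home folders
cp passwd /etc/passwd
# -s disables password logins, so only key authentication is accepted
./dropbear -I 480 -j -k -s -r dropbear_rsa_host_key -E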


As you can see here, the script creates the home folders and the .ssh folder with the mkdir command. The public keys (pubkey1 and pubkey2 in this example) which we will create in the next step, will be copied with the cp command to the folder of each user.

Now it’s time to create the right keyset with puttygen.exe for Windows.
- Open puttygen.exe
- Create a new SSH-2 RSA key with 2048 bits
- Enter a key passphrase to encrypt the key on disk (and confirm the same passphrase)
- Save the private key to disk. You will need this key on your client to connect to the NAS
- Copy the data from the field "Public key for pasting into OpenSSH authorized_keys file:"
- Paste the key into a custom named file, e.g. pubkey1 in the folder /i-data/Z1F4Y7V4/admin/bin/
- Make sure you create a keyset for each user to increase security (so user2 gets pubkey2, etc.)
- Give the created pubkeys the proper permissions with the following command:
$ cd /i-data/Z1F4Y7V4/admin/bin/
$ chmod 600 pubkey1
$ chmod 600 pubkey2

Continue doing this for every user required to authenticate through SSH.
You're now able to connect to your NAS with Putty while using a private and public key.
Make sure you set the right private key .ppk file when connecting.
To do this, go to Connection > SSH > Auth and point to your .ppk file.

Install SFTP server to Medion Nas:
To connect to SFTP by SSH, we will need to install the openssh-server package:

Extract the data.tar file from the openssh-server_5.5p1-6+squeeze5_armel.deb package and again extract the following files from the tar archive:
- usr\lib\openssh\sftp-server COPY TO /i-data/Z1F4Y7V4/admin/bin/sftp-server

The sftp-server file actually needs to be placed in the /usr/lib folder. However, the /usr filesystem has no free space. We can solve this by creating a softlink to that destination:

$ mount -n -o remount,rw /usr
$ ln -s /i-data/Z1F4Y7V4/admin/bin/sftp-server /usr/lib/sftp-server
$ mount -n -o remount,ro /usr

After a reboot SFTP should be functioning.


Badabada that's all folks!

Hope it's understandable enough to follow. If I've made errors, giant missteps or typos anywhere in this document, feel free to address me on that.
In fact, all reactions and feedback are most welcome.
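
Added example, not part of the original post: because the startup script overwrites /etc/passwd with the edited copy on every boot, a sanity check of that copy is worth running first. The function name `check_passwd_copy` and its rules (seven fields, no whitespace in name/home/shell, unique numeric UIDs, homes of the form /home/shares/<username>) are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: validate the edited passwd copy before a boot script
# installs it over /etc/passwd. The rules below are assumptions of this
# example, based on the /home/shares/<username> layout used in the post.

check_passwd_copy() {
    # $1 = passwd copy to check. Prints one line per problem found.
    # Returns 0 if the file is clean, non-zero otherwise.
    awk -F: '
        NF != 7 {
            print "line " NR ": expected 7 fields, found " NF; bad = 1; next
        }
        $1 ~ /[ \t]/ || $6 ~ /[ \t]/ || $7 ~ /[ \t]/ {
            print "line " NR ": whitespace in user name, home or shell"; bad = 1
        }
        $3 !~ /^[0-9]+$/ {
            print "line " NR ": UID \"" $3 "\" is not numeric"; bad = 1
        }
        ($3 in owner) {
            print "line " NR ": UID " $3 " already used by " owner[$3]; bad = 1
        }
        $6 ~ /^\/home\/shares/ && $6 != ("/home/shares/" $1) {
            print "line " NR ": home " $6 " is not /home/shares/" $1; bad = 1
        }
        { owner[$3] = $1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
user1:x:505:500:type&admin:/home/shares/user1:/bin/sh
user2:x:505:500:type&admin:/home/shares/ user1:/bin/sh
EOF
if check_passwd_copy "$sample"; then
    echo "passwd copy looks sane"
else
    echo "passwd copy rejected, leaving /etc/passwd untouched"
fi
rm -f "$sample"
```

In the startup script this check would guard the `cp passwd /etc/passwd` line, so a damaged copy is never installed at boot.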


