Sunday, January 13, 2013

Synology, OpenSSH & BASH (the proper way)

Synology OpenSSH

I wrote in a past article about how to set up your Synology NAS to use OpenSSH, closing down a weird backdoor access in the process.  In that article, I warned you to be careful, since a mistake could cost you access to your NAS.  Well, I should have taken my own advice, as I did just that and ended up locking myself out of my root account.

So, having to redo everything with a more experienced eye, I present a better (and safer) methodology to access your NAS via OpenSSH.  Throughout this, I strongly suggest keeping a terminal open with root user logged in so you can verify and fix things along the way.

If you get locked out of your root account, the only solution is to reinstall the system partition.  This should leave your data entirely safe, but as always it's advisable to make a backup first.

Boss User

Doing daily routines while logged in as root is considered dangerous since you can inadvertently do real and irrevocable damage with an errant "rm -r *" command or the like.  The preferred method is to do your daily business with a less privileged account and only act as root when you need it.

For this, we'll create a new user via the web interface control panel.  For our example, we'll use the name "boss".  Be sure to give all permissions to this new user, especially adding him to the "administrators" group.

Now to prep the boss account, log in as root and execute:

mkdir -p /var/services/homes/boss
chown admin:administrators /var/services/homes/boss
ln -s /var/services/homes /homes

To enable ssh access, edit the "/etc/passwd" file.  Find the line that starts with "boss" and change "/sbin/nologin" to "/bin/sh".

boss:x:1026:100::/var/services/homes/boss:/bin/sh

Verify you can ssh into the NAS with the boss account.
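As an added example (my own script, not the post's code), here is that /etc/passwd edit done by a function that checks its result before replacing the file, since a damaged passwd is one of the ways to lock yourself out; the demo() at the end runs it on a constructed copy of the "boss" line:

```sh
#!/bin/sh
# Added example (not the post's own code): change one user's login shell in a
# passwd-format file, as the post does by hand in an editor, but check the
# result before the real file is replaced. On the NAS, as root:
#   set_login_shell /etc/passwd boss /bin/sh

# Print the login shell of user $2 from passwd file $1; fail if no such user.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Every line must still carry the 7 colon-separated passwd fields.
valid_passwd() {
    awk -F: 'NF != 7 { exit 1 }' "$1"
}

# set_login_shell <passwd-file> <user> <shell>
set_login_shell() {
    pw=$1 user=$2 shell=$3 tmp="$1.tmp.$$"

    # Match the username field exactly: a plain grep for "boss" would also hit
    # "bossman" or any line whose home directory contains that word.
    awk -F: -v u="$user" -v s="$shell" \
        'BEGIN { OFS = ":" } $1 == u { $7 = s } { print }' "$pw" > "$tmp" ||
        { rm -f "$tmp"; return 1; }

    # Install the new file only if no line was lost or duplicated, every line
    # is still well-formed, and the user really ends up with the new shell.
    if [ "$(wc -l < "$pw")" -ne "$(wc -l < "$tmp")" ] ||
       ! valid_passwd "$tmp" ||
       [ "$(login_shell "$tmp" "$user")" != "$shell" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$pw"
}

# Demonstration on a constructed copy modelled on the post's "boss" line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'boss:x:1026:100::/var/services/homes/boss:/sbin/nologin' > "$d/passwd"
    set_login_shell "$d/passwd" boss /bin/sh && login_shell "$d/passwd" boss
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```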

SU Command

To run a command as root, you use the "su" command, which effectively lets you become root.
However, the stock install seems to ship with the wrong permissions, which prevents the command from working.  The "su" command is actually just a symlink to "busybox", and we can set the suid bit (while logged in as root) with the command below.  Note that the bit goes on the whole busybox binary, so every applet it provides starts with root privileges; whether busybox drops them again for applets other than "su" depends on how it was built.

chmod 4755 /bin/busybox

You can test this by logging in as "boss" and trying:

su - -c whoami

If it returns "root" (after entering your password) then it is working.

Use OpenSSH & BASH

Assuming you've bootstrapped your system, install the relevant packages:

ipkg install bash
ipkg install zlib
ipkg install openssh

We can now configure our accounts to use this shell.  We'll do so in a more careful manner, though, to protect against future DSM updates which might make the BASH binary unreachable.  Edit the ~/.profile of the boss user (/var/services/homes/boss/.profile, so do this while logged in as boss, not as root) and add this at the end:

if [ -x /opt/bin/bash ] ; then
  # use the full path: /opt/bin may not be in PATH when .profile runs
  exec /opt/bin/bash
fi

This runs the stock "sh" shell at login and switches to "bash" only if it exists.  You can then put your normal bash configuration in ".bashrc" as usual.
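Here is a sturdier version of that hand-off, as an added example rather than the post's snippet: it uses the absolute path (the comments below report lock-outs when /opt/bin was not in PATH), checks that the binary really starts rather than merely being executable, and refuses to re-exec when already inside bash, which matters if you prefer "exec bash -l" because a login bash re-reads ~/.profile. The install path /opt/bin/bash is assumed:

```sh
#!/bin/sh
# Added example, not the post's own .profile snippet: hand off from the stock
# "sh" to the bootstrapped bash with three guards:
#   1. absolute path, so a missing /opt/bin in PATH cannot break login;
#   2. prove the binary actually runs before exec'ing it (after a DSM update a
#      file can still pass "-x" yet fail to start, which would end the session);
#   3. never re-exec when already in bash, so a login bash ("-l"), which
#      re-reads ~/.profile, cannot loop forever.
# /opt/bin/bash is the ipkg location the post uses; adjust if yours differs.

# Print the shell to hand off to, or fail (print nothing) to stay in sh.
#   $1 = candidate bash path   $2 = name of the running shell (pass "$0")
choose_shell() {
    candidate=$1 current=$2
    case "$current" in
        *bash) return 1 ;;                           # already bash: stay put
    esac
    [ -x "$candidate" ] || return 1                  # not installed (any more)
    "$candidate" -c 'exit 0' 2>/dev/null || return 1 # present but cannot start
    printf '%s\n' "$candidate"
}

# Called as the last line of ~/.profile for the boss user. Without "-l" bash
# starts as an interactive non-login shell and reads ~/.bashrc, as the post
# describes; if you add "-l" to get /etc/profile, bash re-reads this ~/.profile,
# which is exactly why choose_shell refuses to re-exec from inside bash.
handoff_to_bash() {
    target=$(choose_shell "${1:-/opt/bin/bash}" "$0") && exec "$target"
}

# In the real ~/.profile the final line is simply:   handoff_to_bash
```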


Disable Root Access

If your NAS is visible to the internet then you'll want to disable the root ssh account entirely.  You can do this by adding a line "PermitRootLogin no" to the /etc/ssh/sshd_config file.
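An added example (not from the post) that applies and then verifies that setting the way sshd actually reads the file: the first matching directive wins, the keyword is case-insensitive, and anything after a "Match" line is conditional, so a line appended at the end is silently ignored if an earlier "PermitRootLogin yes" exists. It assumes the whitespace-separated "Keyword value" form the post uses:

```sh
#!/bin/sh
# Added example, not from the post: set "PermitRootLogin no" in sshd_config and
# verify it took, following how sshd really reads the file: the keyword is
# case-insensitive, '#' lines are comments, the FIRST matching directive wins,
# and anything after a "Match" line is conditional. Simply appending the line
# at the end therefore does nothing if an earlier "PermitRootLogin yes" exists.
# Assumes the whitespace-separated "Keyword value" form the post uses.

# Print the effective global PermitRootLogin value, or "default" if unset.
# "default" is NOT safe: OpenSSH 5.9 (the version a commenter reports) falls
# back to "yes" when the directive is absent.
root_login_setting() {
    awk '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }                 # global section ends
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Rewrite the first global directive in place, or put a new one at the TOP of
# the file, so it can never be shadowed by an earlier line or a Match block.
set_permit_root_login() {
    cfg=$1 value=$2 tmp="$1.tmp.$$"
    if [ "$(root_login_setting "$cfg")" = default ]; then
        { printf 'PermitRootLogin %s\n' "$value"; cat "$cfg"; } > "$tmp"
    else
        awk -v v="$value" '
            !done && tolower($1) == "match" { done = 1 }
            !done && tolower($1) == "permitrootlogin" { $0 = "PermitRootLogin " v; done = 1 }
            { print }
        ' "$cfg" > "$tmp"
    fi && mv "$tmp" "$cfg"
}

# Succeeds only when root logins are explicitly switched off.
ssh_root_login_disabled() {
    [ "$(root_login_setting "$1")" = no ]
}

# On the NAS: set_permit_root_login /etc/ssh/sshd_config no
# then restart sshd so the running daemon picks up the change.
```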

You should also block the "admin" and "guest" users from accessing the web interface; the "boss" account will be used for all your operations.  You do this from the "Users" part of the control panel:
  1. Log into the web interface as the "boss" user from above.
  2. Edit the "admin" and "guest" accounts and check the "Disable this account" box.

SUDO Convenience

If you want to really get fancy, you can install the "sudo" package.  This will let you run individual commands as root (e.g. "sudo mkdir /homes/foo").

su -
ipkg install sudo

While still root, edit the file "/opt/etc/sudoers".  Find this line:

# %wheel ALL=(ALL) ALL

Remove the leading "#" character, and change "wheel" to "Administrators".

%Administrators ALL=(ALL) ALL

This gives all users in the "Administrators" group sudo access.
You can use this variant to skip the password prompt on use... be careful though!

%Administrators ALL=(ALL) NOPASSWD: ALL

10 comments:

  1. For using bash... your "if" statement works, but can be better (to invoke bash as a login shell so you can get /etc/profile loaded and .bashrc...etc)

    You can use the below in your .profile instead:

    case "$0" in
    *bash)
        ;;                          # already running bash: nothing to do
    *)
        echo "Using shell: $0"
        BASH=$(type -p bash)
        if [ ! -z "$BASH" -a -x "$BASH" ]; then
            echo "Switching to bash"
            unset BASH
            exec bash -l           # login shell, so /etc/profile is read too
        fi
        ;;
    esac

  2. Great tutorial. Nice to finally have the good old bash shell on my NAS.

    But… when logging in my SSH key files don't get accepted anymore and I have to type in my user password every time.

    I copied my RSA pub key into ~/.ssh/authorized_keys and set the permissions (see http://www.mauchle.name/blog/?p=239) but somehow this doesn't do the trick.

    Any ideas what I'm missing?

    1. I think the SSH public key is not the issue since it's not the key's password I have to enter, but the user password.

      Is this because I'm now using the bash shell? And if yes, is this normal or can I avoid it somehow?

    2. ssh key issues have kept me up many a late night. It's almost always permissions, a corrupt key file (spurious newlines, etc) or a username mismatch. Hard to diagnose remotely unfortunately. Does it work with sh and not bash? Make sure both accounts are using the same $HOME directory. Wish I could be of more help :(

    3. I've checked by commenting out the "exec bash" in my .profile and it's the same issue. I also found out that it's definitely an ssh key issue since I can't access my NAS with a key from any of my devices anymore.

      I think I have to triple check my ssh keys, although I'm a bit clueless on where to start since I already created a new one which should work.

      I'll read more ssh keys (no pro here) and let you know if I found the culprit.

      Thanks for replying.

      Cheers,
      Patrick

    4. This comment has been removed by the author.

    5. Patrick, I've come across the same issue with my ssh keys... Did you ever find the issue? Could it be the openssh ipkg?

      from my Synology box:
      ssh -V
      OpenSSH_5.9p1, OpenSSL 0.9.8v 19 Apr 2012

      -Mark

    6. @Mark No, sorry I haven't fixed it, but if you do find a solution please do post it to this article (so I get notified and can apply the fix).

  3. ~/.profile always resolves to /root/.profile for all users.
    Did you mean to say /etc/profile?

  4. I was being stupid and did this as root, and of course locked myself out cause I didn't have /opt/bin in my PATH.

    In your code you check /opt/bin/bash, but you really should do exec /opt/bin/bash just in case it's not in the PATH ;)

    if [ -x /opt/bin/bash ] ; then
        exec /opt/bin/bash
    fi
