SSH only with keys

greensabath
Starting out
Posts: 12
Joined: Sat Feb 02, 2019 2:12 am

SSH only with keys

Post by greensabath »

Hi,

I am following the qnap wiki guide with no success. I will provide a brief description of my environment along with what I am doing. If you see anything that seems wrong without further troubleshooting, please let me know, thanks!

QNAP 453Be Firmware version 4.4.1.1216 Build 20200214

1. I am doing everything from the wiki in MobaXTerm on a Windows machine.
2. My Windows machine is using OpenVPN and connected to my QNAP Server using QVPN
3. My Windows machine Timezone is set to Eastern, while my QNAP is set to Pacific Timezone. (Not sure if this could cause an issue with key generation)
4. I've replaced the username I'm trying to setup to be <user> in my copy/paste results below

From the following link:
https://cinhtau.net/2016/02/03/use-ssh- ... mobaxterm/
-- I have set the persistent home directory
-- Set my SSH setting to use the private key that I generated

1. I am able to generate the ssh key files and add a passphrase in a MobaXTerm local terminal. It places the files within my Windows home directory.
2. The following command does not work (does not connect to my QNAP, does not ask for password):

Code:

    #   scp id_rsa.pub admin@ClientIPAddress /etc/config/ssh/

3. I work around this by creating a new SSH session in MobaXTerm as admin in my QNAP. It also opens a SFTP drag/drop interface on the side.
4. I navigate to /etc/config/ssh/

5. I drag/drop the id_rsa.pub file to this directory.
6. I run the following cmd as admin

Code:

    #   cat id_rsa.pub >> authorized_keys

When I "vi" the authorized_keys file it has the ssh-rsa in the front and seems to already be on one line. (I think the Note/Example is out of date for this step)

7. I also tried running

Code:

    #   chown admin.administrators /mnt/HDA_ROOT/.config

Under the permissions, I have made the following changes:

file/directory     chmod cmd
authorized_keys    600
ssh                700
config             711 (also tried 755 per viewtopic.php?t=132424)

Code:

    [~] # ls -ld /share/homes/<user> /share/homes/<user>/.ssh /share/homes/<user>/.ssh/authorized_keys
    drwx--x--x 4 <user> everyone       4096 2020-04-23 12:26 /share/homes/<user>/
    drwx------ 2 <user>  everyone       4096 2020-04-23 14:45 /share/homes/<user>/.ssh/
    -rw------- 1 admin       administrators  392 2020-04-23 14:45 /share/homes/<user>/.ssh/authorized_keys

Here is a list of all files sitting in the ssh directory on my qnap (ignore bkup, it's a folder I created):

Code:

    [/etc/config/ssh] # ls -ltr
    total 32
    lrwxrwxrwx 1 admin administrators   20 2019-04-06 04:39 id_rsa.pub -> ssh_host_rsa_key.pub
    lrwxrwxrwx 1 admin administrators   16 2019-04-06 04:39 id_rsa -> ssh_host_rsa_key
    -rw------- 1 admin administrators 1675 2019-04-06 04:43 ssh_host_rsa_key
    -rw-r--r-- 1 admin administrators  605 2019-04-06 04:43 ssh_host_dsa_key.pub
    -rw------- 1 admin administrators  672 2019-04-06 04:43 ssh_host_dsa_key
    -rw-r--r-- 1 admin administrators   29 2020-04-23 09:26 sshd_user_config
    drwxr-xr-x 2 admin administrators 4096 2020-04-23 12:47 bkup/
    -rw-r--r-- 1 admin administrators  396 2020-04-23 13:26 known_hosts
    -rw-r--r-- 1 admin administrators  392 2020-04-23 13:40 ssh_host_rsa_key.pub
    -rw------- 1 admin administrators  392 2020-04-23 13:44 authorized_keys

Trying to login as the user results in:
NOTE: It seems to accept the correct passphrase (I tried wrong one on purpose), but says key is refused.

Code:

    Passphrase for OpenSSH private key:
    Wrong passphrase
    Passphrase for OpenSSH private key:
    Server refused our key
    <user>@IPADDRESS's password:

OneCD
Guru
Posts: 12159
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SSH only with keys

Post by OneCD »

greensabath wrote: Fri Apr 24, 2020 6:26 am
    1. I am doing everything from the wiki in MobaXTerm on a Windows machine.

I've not heard of that one but I'm not a daily Windows user. Have you tried a different terminal program?

If I recall correctly, Microsoft were working on adding an integrated OpenSSH client and server. If you're on Windows 10, it might be worth a try?

edit: I've just checked and was able to SSH from Windows 10 #1909 into QTS 4.2.6 without issue.

greensabath wrote: Fri Apr 24, 2020 6:26 am
    2. The following command does not work (does not connect to my QNAP, does not ask for password):

    Code:

        #   scp id_rsa.pub admin@ClientIPAddress /etc/config/ssh/

  • You've specified your client IP address, not the NAS IP address,
  • Your syntax shouldn't have that whitespace between user@host and the remote path,
  • You also don't want to copy the client public key filename as-is because you'll overwrite the NAS's public keyfile symlink. If you've already done this, please reboot your NAS to restore the original NAS public keyfile symlink, then use a copy-and-rename from within your Windows SSH app like:

    Code:

        scp id_rsa.pub admin@NASIP:/etc/config/ssh/windows-client1_rsa.pub

greensabath wrote: Fri Apr 24, 2020 6:26 am
    6. I run the following cmd as admin

    Code:

        #   cat id_rsa.pub >> authorized_keys

This now becomes:

Code:

    cd /etc/config/ssh
    cat windows-client1_rsa.pub >> authorized_keys

Your file and directory permissions look OK.

That's probably enough for now. Please adjust as shown above and retest. :geek:

greensabath
Starting out
Posts: 12
Joined: Sat Feb 02, 2019 2:12 am

Re: SSH only with keys

Post by greensabath »

Thanks for the suggestions OneCD! I was able to use the scp command that you suggested and rebooted my QNAP to restore the default id_rsa keys. However, I still have the same issue.

Some notes/questions about the article (https://wiki.qnap.com/wiki/SSH:_How_To_ ... rized_Keys)

1. The article refers to the user's device as the Host and the QNAP as the client. This is weird, and not sure why they did this.
2. The scp command in this article no longer works (if it ever did) per OneCD's comment.
3. The article states conflicting information regarding the public key file. It says to create key with -C however, the example it gives when talking about making sure the key is all on one line does not show the comment at the end. Also, NOTE that this instruction is no longer needed. The key is generated correctly now and all on one line.
4. This article is missing critical steps. It has no mention of how authorized_keys is being linked to.


After further research/testing (per viewtopic.php?t=132424) I found the missing steps that need to be done. I'm currently working on testing some of these changes and will provide an update when I have results.
OneCD
Guru
Posts: 12159
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SSH only with keys

Post by OneCD »

Good work! :D

It would be great if you could write a how-to topic for the forum, while it’s all fresh in your mind. :geek:

greensabath
Starting out
Posts: 12
Joined: Sat Feb 02, 2019 2:12 am

Re: SSH only with keys

Post by greensabath »

Just to provide an update:

I have tried doing some more testing and research but have now come to a wall. I can edit the sshd_config file, however, I cannot test those changes without rebooting the SSH service. The only thing I've found in regards to this is to do the following:

Code:

    cd /etc/init.d
    ./login.sh restart

This results in a message saying "services shutting down". However, that's it. It doesn't reboot and I'm locked out of SSH. I can still login via the web interface though. However, if I reboot the Qnap, it overwrites the sshd_config file, thus, an infinite loop of not being able to test anything. I know I can setup autorun.sh to script making those mods to sshd_config on reboot. However, I don't want to do that in case I mess up the sshd_config file and lose total access to it. Rebooting/resetting gives me that safety in case I need it (at least until I verify that it all works, then I will apply to the autorun.sh process)

I've submitted a support ticket asking how to restart the SSH Service. Hopefully, they come back with a working solution and I can finish testing.

Interesting Note: I found another forum thread (viewtopic.php?f=50&t=51651&start=15) that points to /etc/ssh. It seems the issue with this was with an older version of QTS. I went to this directory and it has a much more complete sshd_config file with various options, etc. Looking in the login.sh script, it does point to the newer /etc/config/ssh directory.
JustRob
Starting out
Posts: 17
Joined: Sun Dec 20, 2015 3:30 pm

Re: SSH only with keys

Post by JustRob »

Hello, thanks for the posters. This may be related to this forum post:
viewtopic.php?t=129820

HOWEVER no one ever answers the question about how to only allow key-based authentication. Note that I already can login automagically with key authentication (authorized_keys), so that's not my problem. I want to *DISABLE* password challenge authentication. How do I test this? I use a portable version of PuTTY with no knowledge of my keys. I tried the following:

1) edit /etc/ssh/sshd_config and add:
       PasswordAuthentication no
       ChallengeResponseAuthentication no
2) copy that to /root/.ssh/sshd_config
3) /etc/init.d/sshd_lab.sh stop; /etc/init.d/sshd_lab.sh start

This still allows password logins. It seems when you disable and re-enable SSH, the file in /root/.ssh/sshd_config is overwritten too.
So we have two problems here:
1) How to disable password challenge authentication for SSH
2) How to make #1 persistent

Next, I'll ask about a denyhosts implementation (to ban IPs based on hosts.deny ) for multiple failed logins, based on time, and then a way to reset/clear the IP address (optional).
OneCD
Guru
Posts: 12159
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: SSH only with keys

Post by OneCD »

JustRob wrote: Fri Jun 26, 2020 11:37 am
    It seems when you disable and re-enable SSH, the file in /root/.ssh/sshd_config is overwritten too.

This is quite common for QTS. Many of the OS init scripts rewrite their related daemon config files just prior to launching the daemon. :(

JustRob wrote: Fri Jun 26, 2020 11:37 am
    1) How to disable password challenge authentication for SSH

Suggest putting your commands into [/etc/init.d/login.sh]. Look for the 'update_sshd_config()' function, then find the line that says "#Set PermitRootLogin yes". Add your lines just after that section.

JustRob wrote: Fri Jun 26, 2020 11:37 am
    2) How to make #1 persistent

Persistence is a pain. QTS has been designed as an embedded OS. Your customisations are lost when the NAS is powered off, and so they must be re-applied after each startup.

You might look at automating the installation of your commands via a shell-script, then launching that script via RunLast. ;)
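
Added example, not part of any post in this thread and not QNAP's code: a shell helper of the kind that could be re-run at each startup to re-apply the two directives JustRob lists to a given sshd_config, idempotently, while refusing to touch the file when authorized_keys holds no key, which addresses the lockout concern raised earlier in the thread. The function names, the paths passed in, and the demo files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and demo files are hypothetical.

# has_key FILE: true if FILE holds at least one line that looks like a public key.
has_key() {
    [ -r "$1" ] &&
    grep -Eq '^[^#]*(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) +[A-Za-z0-9+/]+' "$1"
}

# set_directive FILE KEY VALUE: leave exactly one active "KEY VALUE" line.
# It is written at the top: sshd uses the first value it reads for a keyword,
# and the top of the file is always outside any Match block.
set_directive() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        awk -v k="$key" '
            { split($1, a, "=") }                  # accept "Key value" and "Key=value"
            tolower(a[1]) == tolower(k) { next }   # drop older active settings
            { print }                              # keep everything else, comments too
        ' "$file"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"           # keeps the file's owner and mode
}

# enforce_keys_only SSHD_CONFIG AUTHORIZED_KEYS
# Returns 2 and changes nothing when no key is installed (lockout guard).
enforce_keys_only() {
    cfg=$1 keys=$2
    has_key "$keys" || { echo "no key in $keys; $cfg left unchanged" >&2; return 2; }
    set_directive "$cfg" PasswordAuthentication no &&
    set_directive "$cfg" ChallengeResponseAuthentication no
}

# Demo on constructed files in a temp directory; nothing on the system is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$d/sshd_config"
    echo 'ssh-rsa AAAAB3NzaC1yc2E constructed-demo-key' > "$d/authorized_keys"
    enforce_keys_only "$d/sshd_config" "$d/authorized_keys" && cat "$d/sshd_config"
    rm -rf "$d"
}
demo
```

Because the QTS init script regenerates the config just before launching the daemon, as described above, a helper like this only takes effect if it runs after that regeneration and before sshd reads the file.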
