authorized_keys overwritten at reboot

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
codex22
New here
Posts: 4
Joined: Tue Sep 18, 2007 6:22 pm

authorized_keys overwritten at reboot

Postby codex22 » Sun Oct 14, 2007 9:20 am

I want to access my TS-109 Pro remotely. To do that in a safe way, I want to:

- put my own key in ~/.ssh/authorized_keys
- switch ssh authorization to public key only

Unfortunately, at every reboot part of the server file system seems to be regenerated, and the authorized_keys file get overwritten with a preinstalled key. Of course, from a standpoint of security, this makes it impossible to open ssh to the Internet.

Is there a way to make sure that changes made are surviving a reboot (which could happen at any time as the place the TS is located suffers from extended power losses once in a while)?

Thanks
Michael

Edit: I should mention that I'm using the latest released firmware (1.1.2) - I'm not sure whether the described behaviour was the same in earlier releases!

User avatar
AndyChuo
Experience counts
Posts: 2396
Joined: Thu Sep 13, 2007 11:56 am
Model: TS-659 Pro
Location: Taipei, Taiwan
Contact:

Postby AndyChuo » Mon Oct 15, 2007 6:09 pm

Hi Codex22,

Place your file on the hard drive first and follow this guide below to automatically copy the file from hard disk to root's home every time you reboot the device.

Andy
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>

codex22
New here
Posts: 4
Joined: Tue Sep 18, 2007 6:22 pm

Postby codex22 » Mon Oct 15, 2007 8:39 pm

Thanks!

TTT
New here
Posts: 2
Joined: Sun Jan 13, 2008 12:00 pm

Re: authorized_keys overwritten at reboot

Postby TTT » Sun Jan 13, 2008 12:02 pm

May I ask why there is a default authorized_keys file in the first place? Doesn't this mean that by default, QNAP admins have access to all QNAP boxes connected to the internet?

User avatar
AndyChuo
Experience counts
Posts: 2396
Joined: Thu Sep 13, 2007 11:56 am
Model: TS-659 Pro
Location: Taipei, Taiwan
Contact:

Re: authorized_keys overwritten at reboot

Postby AndyChuo » Tue Jan 15, 2008 8:29 pm

dude, that's no way people at QNAP would do things like that and plus every user is strongly suggested to change their user/pass when they first log on, plus we don't know your IP as well. a default key? u should check to make sure because we never ship our box that way
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>

TTT
New here
Posts: 2
Joined: Sun Jan 13, 2008 12:00 pm

Re: authorized_keys overwritten at reboot

Postby TTT » Tue Jan 15, 2008 9:02 pm

QNAPAndy wrote:dude, that's no way people at QNAP would do things like that and plus every user is strongly suggested to change their user/pass when they first log on, plus we don't know your IP as well. a default key? u should check to make sure because we never ship our box that way


Apologies if my response came across as rude. I did not intend to insinuate or suggest that QNAP staff would abuse this. I'm merely pointing out, as codex22 did, that on each reboot there is a default authorized_keys file placed in /root/.ssh. This means that even if the admin password was changed on the device, the owner of the private key (corresponding to the public key in authorized_keys) can bypass the admin password. Furthermore, users leave IP trails by accessing and posting to your forums.

Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.

codex22
New here
Posts: 4
Joined: Tue Sep 18, 2007 6:22 pm

Re: authorized_keys overwritten at reboot

Postby codex22 » Wed Jan 16, 2008 12:20 am

Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.

I second that opinion!

cjb42
New here
Posts: 9
Joined: Mon Jan 14, 2008 12:55 am

Re: authorized_keys overwritten at reboot

Postby cjb42 » Sat Jan 19, 2008 7:27 am

codex22 wrote:
Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.

I second that opinion!

I third that opinion. :evil:

I was horrified to find my own file overwritten with what looks like a open door to some bloke called Richard who owns a TS209.
The whole point of this file is that it removes the need for a password to ssh onto the server, and by posting this message, QNAP now have my IP address. I cannot possibly open up my firewall until this is resolved, and I suggest it goes down as a fairly high priority fix if it hasn't already.
TS-109 pro 1.1.4 Build 1207T
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)

cjb42
New here
Posts: 9
Joined: Mon Jan 14, 2008 12:55 am

Re: authorized_keys overwritten at reboot

Postby cjb42 » Sat Jan 19, 2008 7:31 am

By the way... here's the contents of the file to help QNAP guys track down the source:

# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu6ULf6SPQ1iEDfZH8i8fTWC/a
Wn8QEe0ESQU+sd84a2fzWQlRucNfWpM8fTq9GjrHOd7ZGsW4+YJDM/5HKm
o87DzEiU6o3TB7gDcAop4PKiFhUB8cxiK0yHpK9obC3uPUDacaB5/Zvk5yfpSN
ChS1mWyqOMQVroMe65FhqAdyCXAtobXjCDxYWm5uTekBpa/6Ze42bOh7yxI
bIMsFcglP70iWBD6ZoxLhXLSNg+WGotsUuztVQoIk42KcpsXyjMtgkZ4gZ6tPku
Q/n82ymKWQ089iFJMtIdTMfEzdj8ru3w+wkM7VpuJTwQDggmY33aZhX5NluD
nrbx9hZXrrBJC1Q== admin@Richard-TS209


(wrapped for display purposes)

c.
TS-109 pro 1.1.4 Build 1207T
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)

User avatar
AndyChuo
Experience counts
Posts: 2396
Joined: Thu Sep 13, 2007 11:56 am
Model: TS-659 Pro
Location: Taipei, Taiwan
Contact:

Re: authorized_keys overwritten at reboot

Postby AndyChuo » Sat Jan 19, 2008 8:34 am

cjb42 wrote:
codex22 wrote:
Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.

I second that opinion!

I third that opinion. :evil:

I was horrified to find my own file overwritten with what looks like a open door to some bloke called Richard who owns a TS209.
The whole point of this file is that it removes the need for a password to ssh onto the server, and by posting this message, QNAP now have my IP address. I cannot possibly open up my firewall until this is resolved, and I suggest it goes down as a fairly high priority fix if it hasn't already.


got it, def be on high priority for this issue. thanks for the info
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>

sinbad
Starting out
Posts: 11
Joined: Thu Jan 17, 2008 5:08 am

Re: authorized_keys overwritten at reboot

Postby sinbad » Sat Jan 19, 2008 10:21 pm

I spotted this too when setting up my SSH keys, I wondered whether this was something to do with the initial start-up configuration so didn't change it (since my box is not publicly available on SSH anyway due to my router settings). If I opened this box to the internet I would definitely remove that though.

It's also worth noting that in the same directory (/root/.ssh) Richard@TS-209 owns .rsync.key.pub and .rsync.key. Same issue?

nethyperon
Starting out
Posts: 25
Joined: Fri Nov 23, 2007 10:42 pm
Location: The Netherlands
Contact:

Re: authorized_keys overwritten at reboot

Postby nethyperon » Sat Jan 26, 2008 1:51 am

I was also shocked by finding this key installed on my NAS by default. I DO need/want to access ny NAS from the internet, so I have to make some startup script to fix this issue.

I really hope these files are emptied in the next formware release. If possible I'd be happy if the file is not overwritten each time the NAS boots.
TS-209 Pro (3.1.0 Build 0708)
2x Seagate Barracuda ES 500GB RAID1

navah
Starting out
Posts: 15
Joined: Thu Jan 24, 2008 5:14 am

Re: authorized_keys overwritten at reboot

Postby navah » Sun Feb 24, 2008 3:58 pm

Is there any fix for Qnaps backdoor on every user's Qnap box? I hope this has not been implemented on purpose. :evil:

User avatar
Epstein
Easy as a breeze
Posts: 294
Joined: Mon Sep 03, 2007 1:43 am
Location: Copenhagen, Denmark

Re: authorized_keys overwritten at reboot

Postby Epstein » Sun Feb 24, 2008 4:30 pm

Personally I remove the 3 files in my autorun script.
* TS-209PII 2.1.0 Build 0904T with: IPKG, Mail, Twonky, FTP
* TS-209 2.1.0 Build 0904T with: IPKG, Mail, Samba 3.0.28, Subversion, Twonky, FTP
* PS3 EU 60 GB XMB 2.43, YDL 6.0

symphys
Know my way around
Posts: 105
Joined: Fri Feb 15, 2008 8:41 am
Model: TS-409U

Re: authorized_keys overwritten at reboot

Postby symphys » Tue Mar 18, 2008 12:48 am

Is this issue fixed in the latest fireware? Since I currently have the 2.0b 215 and richard's key is still in here...
QNAP TS-209 Pro, RAID1 with Samsung 2Tb HDDs
Firmware features used: FTP, Samba, SSH, Twonky UPnP MediaServer
UPnP Clients: Philips Cineos Flat TV 42PFL9703D, Dell XPS M1710 Windows 7 Ultimate, PlugPlayer with backgrounder on iPhone
Optware features: OpenVPN, Subversion


Return to “Miscellaneous”

Who is online

Users browsing this forum: No registered users and 6 guests