authorized_keys overwritten at reboot
-
- New here
- Posts: 4
- Joined: Tue Sep 18, 2007 6:22 pm
authorized_keys overwritten at reboot
I want to access my TS-109 Pro remotely. To do that in a safe way, I want to:
- put my own key in ~/.ssh/authorized_keys
- switch ssh authorization to public key only
Unfortunately, at every reboot part of the server file system seems to be regenerated, and the authorized_keys file get overwritten with a preinstalled key. Of course, from a standpoint of security, this makes it impossible to open ssh to the Internet.
Is there a way to make sure that changes made are surviving a reboot (which could happen at any time as the place the TS is located suffers from extended power losses once in a while)?
Thanks
Michael
Edit: I should mention that I'm using the latest released firmware (1.1.2) - I'm not sure whether the described behaviour was the same in earlier releases!
- put my own key in ~/.ssh/authorized_keys
- switch ssh authorization to public key only
Unfortunately, at every reboot part of the server file system seems to be regenerated, and the authorized_keys file get overwritten with a preinstalled key. Of course, from a standpoint of security, this makes it impossible to open ssh to the Internet.
Is there a way to make sure that changes made are surviving a reboot (which could happen at any time as the place the TS is located suffers from extended power losses once in a while)?
Thanks
Michael
Edit: I should mention that I'm using the latest released firmware (1.1.2) - I'm not sure whether the described behaviour was the same in earlier releases!
- AndyChuo
- Experience counts
- Posts: 2388
- Joined: Thu Sep 13, 2007 11:56 am
- Location: Taipei, Taiwan
Hi Codex22,
Place your file on the hard drive first and follow this guide below to automatically copy the file from hard disk to root's home every time you reboot the device.
Andy
Place your file on the hard drive first and follow this guide below to automatically copy the file from hard disk to root's home every time you reboot the device.
Andy
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
-
- New here
- Posts: 2
- Joined: Sun Jan 13, 2008 12:00 pm
Re: authorized_keys overwritten at reboot
May I ask why there is a default authorized_keys file in the first place? Doesn't this mean that by default, QNAP admins have access to all QNAP boxes connected to the internet?
- AndyChuo
- Experience counts
- Posts: 2388
- Joined: Thu Sep 13, 2007 11:56 am
- Location: Taipei, Taiwan
Re: authorized_keys overwritten at reboot
dude, that's no way people at QNAP would do things like that and plus every user is strongly suggested to change their user/pass when they first log on, plus we don't know your IP as well. a default key? u should check to make sure because we never ship our box that way
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
-
- New here
- Posts: 2
- Joined: Sun Jan 13, 2008 12:00 pm
Re: authorized_keys overwritten at reboot
Apologies if my response came across as rude. I did not intend to insinuate or suggest that QNAP staff would abuse this. I'm merely pointing out, as codex22 did, that on each reboot there is a default authorized_keys file placed in /root/.ssh. This means that even if the admin password was changed on the device, the owner of the private key (corresponding to the public key in authorized_keys) can bypass the admin password. Furthermore, users leave IP trails by accessing and posting to your forums.QNAPAndy wrote:dude, that's no way people at QNAP would do things like that and plus every user is strongly suggested to change their user/pass when they first log on, plus we don't know your IP as well. a default key? u should check to make sure because we never ship our box that way
Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.
-
- New here
- Posts: 4
- Joined: Tue Sep 18, 2007 6:22 pm
Re: authorized_keys overwritten at reboot
I second that opinion!Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.
-
- New here
- Posts: 9
- Joined: Mon Jan 14, 2008 12:55 am
Re: authorized_keys overwritten at reboot
I third that opinion.codex22 wrote:I second that opinion!Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.
I was horrified to find my own file overwritten with what looks like a open door to some bloke called Richard who owns a TS209.
The whole point of this file is that it removes the need for a password to ssh onto the server, and by posting this message, QNAP now have my IP address. I cannot possibly open up my firewall until this is resolved, and I suggest it goes down as a fairly high priority fix if it hasn't already.
TS-109 pro 1.1.4 Build 1207T
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)
-
- New here
- Posts: 9
- Joined: Mon Jan 14, 2008 12:55 am
Re: authorized_keys overwritten at reboot
By the way... here's the contents of the file to help QNAP guys track down the source:
# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu6ULf6SPQ1iEDfZH8i8fTWC/a
Wn8QEe0ESQU+sd84a2fzWQlRucNfWpM8fTq9GjrHOd7ZGsW4+YJDM/5HKm
o87DzEiU6o3TB7gDcAop4PKiFhUB8cxiK0yHpK9obC3uPUDacaB5/Zvk5yfpSN
ChS1mWyqOMQVroMe65FhqAdyCXAtobXjCDxYWm5uTekBpa/6Ze42bOh7yxI
bIMsFcglP70iWBD6ZoxLhXLSNg+WGotsUuztVQoIk42KcpsXyjMtgkZ4gZ6tPku
Q/n82ymKWQ089iFJMtIdTMfEzdj8ru3w+wkM7VpuJTwQDggmY33aZhX5NluD
nrbx9hZXrrBJC1Q== admin@Richard-TS209
(wrapped for display purposes)
c.
# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu6ULf6SPQ1iEDfZH8i8fTWC/a
Wn8QEe0ESQU+sd84a2fzWQlRucNfWpM8fTq9GjrHOd7ZGsW4+YJDM/5HKm
o87DzEiU6o3TB7gDcAop4PKiFhUB8cxiK0yHpK9obC3uPUDacaB5/Zvk5yfpSN
ChS1mWyqOMQVroMe65FhqAdyCXAtobXjCDxYWm5uTekBpa/6Ze42bOh7yxI
bIMsFcglP70iWBD6ZoxLhXLSNg+WGotsUuztVQoIk42KcpsXyjMtgkZ4gZ6tPku
Q/n82ymKWQ089iFJMtIdTMfEzdj8ru3w+wkM7VpuJTwQDggmY33aZhX5NluD
nrbx9hZXrrBJC1Q== admin@Richard-TS209
(wrapped for display purposes)
c.
TS-109 pro 1.1.4 Build 1207T
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)
TCP/IP: Fixed IP via DHCP, 1000 Mbps, MTU: 1500 Bytes
Enabled: Microsoft Networking (workgroup), FTP, UPnP MediaServer
Disabled: Apple Networking, NFS, Web File Manager, Multimedia Station, iTunes, Download Station, Web Server, DDNS, MySQL
SATA: Seagate ST3500320AS SD04 (7200.11)
- AndyChuo
- Experience counts
- Posts: 2388
- Joined: Thu Sep 13, 2007 11:56 am
- Location: Taipei, Taiwan
Re: authorized_keys overwritten at reboot
got it, def be on high priority for this issue. thanks for the infocjb42 wrote:I third that opinion.codex22 wrote:I second that opinion!Users are protected by their router NAT hopefully, but I suggest removing the default authorized_keys file altogether.
I was horrified to find my own file overwritten with what looks like a open door to some bloke called Richard who owns a TS209.
The whole point of this file is that it removes the need for a password to ssh onto the server, and by posting this message, QNAP now have my IP address. I cannot possibly open up my firewall until this is resolved, and I suggest it goes down as a fairly high priority fix if it hasn't already.
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
TS-659-Pro [RAID6] rtorrent+SABnzbdplus+SickBeard+Couchpotato [Best PVR] Plex+PMS [Ultimate Streamer]
Apple iPad [Best Tablet] HTC One M8 [Mobile Phone] Samsung UA46ES6100 [My Screen] KRK Rokit 6 [Audio Speakers]
Chrome Cast [Screen Casting] Philips Hue [Personal Lighing]
Buffalo WZR-1750DHP [My Wifi Hub] D-Link DGS-1005D [Gbit Network]
=============================================================>>>
-
- Starting out
- Posts: 11
- Joined: Thu Jan 17, 2008 5:08 am
Re: authorized_keys overwritten at reboot
I spotted this too when setting up my SSH keys, I wondered whether this was something to do with the initial start-up configuration so didn't change it (since my box is not publicly available on SSH anyway due to my router settings). If I opened this box to the internet I would definitely remove that though.
It's also worth noting that in the same directory (/root/.ssh) Richard@TS-209 owns .rsync.key.pub and .rsync.key. Same issue?
It's also worth noting that in the same directory (/root/.ssh) Richard@TS-209 owns .rsync.key.pub and .rsync.key. Same issue?
-
- Starting out
- Posts: 25
- Joined: Fri Nov 23, 2007 10:42 pm
- Location: The Netherlands
- Contact:
Re: authorized_keys overwritten at reboot
I was also shocked by finding this key installed on my NAS by default. I DO need/want to access ny NAS from the internet, so I have to make some startup script to fix this issue.
I really hope these files are emptied in the next formware release. If possible I'd be happy if the file is not overwritten each time the NAS boots.
I really hope these files are emptied in the next formware release. If possible I'd be happy if the file is not overwritten each time the NAS boots.
TS-209 Pro (3.1.0 Build 0708)
2x Seagate Barracuda ES 500GB RAID1
2x Seagate Barracuda ES 500GB RAID1
-
- Starting out
- Posts: 15
- Joined: Thu Jan 24, 2008 5:14 am
Re: authorized_keys overwritten at reboot
Is there any fix for Qnaps backdoor on every user's Qnap box? I hope this has not been implemented on purpose.
- Epstein
- Easy as a breeze
- Posts: 294
- Joined: Mon Sep 03, 2007 1:43 am
- Location: Copenhagen, Denmark
Re: authorized_keys overwritten at reboot
Personally I remove the 3 files in my autorun script.
* TS-209PII 2.1.0 Build 0904T with: IPKG, Mail, Twonky, FTP
* TS-209 2.1.0 Build 0904T with: IPKG, Mail, Samba 3.0.28, Subversion, Twonky, FTP
* PS3 EU 60 GB XMB 2.43, YDL 6.0
* TS-209 2.1.0 Build 0904T with: IPKG, Mail, Samba 3.0.28, Subversion, Twonky, FTP
* PS3 EU 60 GB XMB 2.43, YDL 6.0
-
- Know my way around
- Posts: 105
- Joined: Fri Feb 15, 2008 8:41 am
Re: authorized_keys overwritten at reboot
Is this issue fixed in the latest fireware? Since I currently have the 2.0b 215 and richard's key is still in here...
QNAP TS-209 Pro, RAID1 with Samsung 2Tb HDDs
Firmware features used: FTP, Samba, SSH, Twonky UPnP MediaServer
UPnP Clients: Philips Cineos Flat TV 42PFL9703D, Dell XPS M1710 Windows 7 Ultimate, PlugPlayer with backgrounder on iPhone
Optware features: OpenVPN, Subversion
Firmware features used: FTP, Samba, SSH, Twonky UPnP MediaServer
UPnP Clients: Philips Cineos Flat TV 42PFL9703D, Dell XPS M1710 Windows 7 Ultimate, PlugPlayer with backgrounder on iPhone
Optware features: OpenVPN, Subversion