[WANTED] SSH login as anyone but Admin

[QSISteve]

Wanted Dead or Alive

Ability to be able to login via ssh as anyone but admin. Would love to be able to access home dirs via SFTP but would need to login as user X and not admin.

QSISteve

[niwa2]

just open the /etc/ssh/sshd_config file and add the username, you want to log in with, after "AllowUsers" (without quotes). there should already be admin and you can add as many users as you want, just seperated be a space. like this:

AllowUsers admin user1 user2 user3

after a reboot of your nas the new settings should work. but i think you have to reenter the usernames everytime you update the firmware.

[johngalt]

niwa2

Are you saying that you have been able to do this with firmware 2.0.0 Build 0122T?

I tried but the edits to sshd_config were replaced by some default file upon reboot.

Even when I could get the edits to survive a reboot ssh by non admin user would fail
with an immediate disconnect of the putty client when anything other than admin was
used.

[niwa2]

you are right. i just saw that the changes are overwritten.
that's strange

[johngalt]

Yes very strange. I've posted questions about this. Emailed support about this and submitted an online support form about this. No answers yet. Not even an acknowledgment.

[johngalt]

Niwa2,

Have you been able to resolve this? I just got a reply from QNAP support which was totally inadequate.

Have you found out where the default config file that is used to replace /etc/ssh/sshd_config upon reboot?

[niwa2]

hi
no i have not tried it anymore so far.

[sheats]

So I worked around this with a little bit of subtle trickery. As always, back up your data, I'm not responsible for loss, etc.

I have a TS209 Pro for the record.

First I duplicated the entire contents of /etc/ssh to /mnt/HDA_ROOT/.config

Code: Select all

cp -R /etc/ssh /mnt/HDA_ROOT/.config

Then I modified /mnt/HDA_ROOT/.config/ssh/sshd_config to add the users I wanted on the AllowUsers line.

Next I modify the autorun.sh:

Code: Select all

mount /dev/mtdblock5 /mnt/config
vi /mnt/config/autorun.sh

At the top just after #!/bin/sh Add in:

Code: Select all

# SSH Config
cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
/etc/init.d/login.sh restart

Then unmount it again:

Code: Select all

umount /dev/mtdblock5

Then reboot. At each reboot it will copy over your good config from your stash on HDA_ROOT and restart the login service to pickup the change.

You could see how this would be extensible to other services with similar limitations.

Good Luck. Matt

[johngalt]

Matt,

What version firmware are you running that you can ssh into as non admin?

Thanks

[sheats]

V1.1.5 but that is moot. It is the procedure I posted above that lets you SSH in as other users.

You have to add any users you want to allow to login to the AllowUsers line in sshd_config once you have copied it over to the .config dir.

Follow the procedure above and it should do it for you.

Matt

[johngalt]

Well I finally figured out the problem. In my case it was unprintable characters on the "AllowUsers" line.
Don't know how they got there.

When I recreated this line by hand ssh login as anyone but admin started working fine.

Thanks

[johngalt]

Upgrade to 2.0.0 build 0201T and ssh by non admin users is broken.

[johngalt]

I finally figured this issue out. I've got ssh & sftp login by any user working on my TS209 Pro, firmware 1.x and 2.x.

[QSISteve]

johngalt wrote:

I finally figured this issue out. I've got ssh & sftp login by any user working on my TS209 Pro, firmware 1.x and 2.x.

Well how do you do it?

QSISteve

[johngalt]

QSISteve,

By replacing the sshd executable supplied by QNAP. After many many hours of trying to get it to work with firmware 2.0.0
I decided to run strings on the sshd executable supplied by QNAP. I was surprised to find the word "admin" in there. Now one would expect "root" or Administrator" but....... Needles to say I then downloaded the exact same version of OpenSSH and ran strings on that sshd executable, no "admin". Fearing the worst that I was dealing with a altered executable I just installed via OptWare install the latest unaltered OpenSSH. Then replaced the stock "sshd". Now everything works as one would expect.