User ssh access



Postby stevefpi » Wed Sep 15, 2010 5:09 pm

I'm a complete newb on these Synology systems so bear with me.

I've got a DS508 and I've just set it up. Got mostly everything running the way I want but here's what I want it to do that it is not doing....

I want to have 3 shared files that all users can have RW access to. I want my Linux and Mac users to be able to use SCP to upload and download data from these three shared directories. I want my Windows users to only use something like WinSCP or Filezilla to upload and download data from these three shared directories. That's it.

I have the shared files setup and RW access for all users is set.

As the Admin user I can SSH in from Linux and I can use WinSCP to log in from Windows. As any other user, it refuses to accept the password and will not log in. I've got SSH turned on and FTP turned off. I really do not want to use the FTP protocols. I know I'm not using half the capabilities of this thing but for now I want to keep it simple. My users are not all that computer savvy so simple is best. I just don't see why the standard users passwords are not being accepted over SSH.

Any ideas as to what I'm missing would be greatly appreciated!

cheers
stevefpi
I'm New!
Posts: 2
Joined: Wed Sep 15, 2010 4:59 pm

Re: User ssh access

Postby Vorrux » Sat Feb 12, 2011 4:02 pm

I am pushing this thread (instead of opening a new one) because I too would like to use ssh with other accounts than root/admin (for file access via sshfs).
Vorrux
Trainee
Posts: 17
Joined: Sat Feb 12, 2011 2:23 pm

Re: User ssh access

Postby stevefpi » Sat Feb 12, 2011 11:56 pm

I gave up and let someone else in my group use the DS508. Good luck getting an answer!
stevefpi
I'm New!
Posts: 2
Joined: Wed Sep 15, 2010 4:59 pm

Re: User ssh access

Postby maxxfi » Sun Feb 13, 2011 9:35 am

For what it's worth, I use ssh from ipkg and it gives me ssh access for any account.
DS-411 (DSM 4.2-3202) w/ 2x WD10EFRX + 1x HD154UI
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
maxxfi
Architect
Posts: 4325
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland

Re: User ssh access

Postby Vorrux » Sun Feb 13, 2011 12:08 pm

Thank you, I will look into that.
Vorrux
Trainee
Posts: 17
Joined: Sat Feb 12, 2011 2:23 pm

Re: User ssh access

Postby desjarm1 » Fri Feb 18, 2011 3:53 pm

desjarm1
I'm New!
Posts: 1
Joined: Fri Feb 18, 2011 3:51 pm

Re: User ssh access

Postby rtadams89 » Sat Sep 17, 2011 8:28 am

You can edit the /etc/passwd file to change the user's login shell from /bin/csh to /bin/ash. After making that change and saving the file, the user will be able to log in via SSH.
rtadams89
Novice
Posts: 43
Joined: Wed Sep 08, 2010 11:45 pm

Re: User ssh access

Postby norrellmeister » Sat Sep 17, 2011 7:41 pm

Indeed, for some reason, with the latest DSMs only admin and root are allowed to have shells not equal to /bin/ash and still be able to log in. Other users are apparently not allowed to log in if they have shells that are not /bin/ash. This is all despite the fact that I've added my shell, /bin/zsh, to /etc/shells. Any reason you've made this restriction, Synology folks? Can it be disabled somehow? I've done a good bit of futzing with the sshd settings but have not been successful turning this restriction off. It appears to have nothing to do with PAM. Maybe it has something to do with the environment?
My current workaround is to add "exec /bin/zsh" to the .profile executed by my users' /bin/ash shell on login.
norrellmeister
I'm New!
Posts: 8
Joined: Sat Sep 17, 2011 7:37 pm

Re: User ssh access

Postby scooby2 » Sun Oct 16, 2011 6:56 am

/bin/ash and /bin/sh are hardcoded in the sshd Synology is using as the only shells allowed. Using the sshd from ipkg will allow you to use any shell you want or you can do what you do now.

> strings /usr/syno/sbin/sshd |grep bin|grep sh
/bin/sh
/bin/ash
scooby2
Trainee
Posts: 12
Joined: Sun Apr 10, 2011 6:17 am

Re: User ssh access

Postby maxxfi » Sun Oct 16, 2011 9:20 am

@scooby2: good point.
Looking at GPL sources, it is possible to see that built-in sshd not only allows only
/bin/sh and /bin/ash as shell, but also allows only root or admin as logins (as some
Syno users have already experienced).

e.g. from source/openssh-5.8p1/session.c :
static int IsAllowShell(const struct passwd *pw)
{
        struct passwd *pUnPrivilege = NULL;
        char *szUserName = NULL;

        if (!pw || !pw->pw_name) {
                return 0;
        }

        szUserName = pw->pw_name;
        if(!strcmp(szUserName, "root") || !strcmp(szUserName, "admin")){
                return 1;
        }

        if (NULL != (pUnPrivilege = getpwnam(szUserName))){
                if (!strcmp(pUnPrivilege->pw_shell, "/bin/sh") ||
                        !strcmp(pUnPrivilege->pw_shell, "/bin/ash")) {
                        return 1;
                }
        }

        return 0;
}
DS-411 (DSM 4.2-3202) w/ 2x WD10EFRX + 1x HD154UI
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
maxxfi
Architect
Posts: 4325
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland
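
The shell gate from the session.c excerpt quoted above, reworked as an added example (not code from the thread or from the vendor's sources) that audits passwd-format lines to show which accounts the check would admit. The helper names shell_gate_allows and audit_passwd_line and all sample entries are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same decision as the quoted IsAllowShell(), but taking name and shell as
 * strings (no getpwnam lookup) so it can be run against any passwd copy. */
static int shell_gate_allows(const char *name, const char *shell)
{
    if (!name || !shell)
        return 0;
    if (!strcmp(name, "root") || !strcmp(name, "admin"))
        return 1;               /* these two names bypass the shell test */
    return !strcmp(shell, "/bin/sh") || !strcmp(shell, "/bin/ash");
}

/* Parse one passwd(5) line (name:pw:uid:gid:gecos:home:shell), apply the gate.
 * Returns 1 = login shell granted, 0 = refused, -1 = malformed line. */
static int audit_passwd_line(const char *line)
{
    char buf[512];
    char *field[7];
    int n = 0;
    if (!line || strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';
    /* Split on ':' by hand: strtok() would merge empty fields such as gecos. */
    field[n++] = buf;
    for (char *p = buf; *p && n < 7; p++)
        if (*p == ':') { *p = '\0'; field[n++] = p + 1; }
    if (n != 7)
        return -1;
    return shell_gate_allows(field[0], field[6]);
}

/* Constructed sample entries, not taken from a real device. */
static const char *SAMPLE[] = {
    "root:x:0:0:root:/root:/bin/ash",
    "admin:x:1000:100:admin:/home/admin:/bin/sh",
    "alice:x:1001:100::/home/alice:/bin/csh",
    "bob:x:1002:100::/home/bob:/bin/ash",
    "carol:x:1003:100::/home/carol:/bin/zsh",
};

int main(void)
{
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        printf("%-7s %s\n", audit_passwd_line(SAMPLE[i]) == 1 ? "ALLOW" : "REFUSE", SAMPLE[i]);
    return 0;
}
```
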

Re: User ssh access

Postby selfification » Thu Jan 26, 2012 10:19 am

This is an old thread but is high up on the relevant Google results.

I need to point out that I just ran into this issue along with another one - the file browser and download manager all create files with 0777 perms. I would presume that if you gave shell access to other users, you have basically opened up all your private data to your users.

Given such a weird security model, I'm now afraid to put anything super sensitive on my DS212j without manually encrypting it with gpg.
selfification
I'm New!
Posts: 1
Joined: Thu Jan 26, 2012 10:15 am

