Pubkey SSH for non-root users


Pubkey SSH for non-root users

Unread post by dvizard » Sun Apr 01, 2012 11:37 pm

Hi,

I'm trying to make SSH available to non-root with Pubkey auth.

Pubkey works fine as root. I made a homedir for the user, set the login shell in /etc/passwd, and su'd into the user's directory, which works fine. Then I made a .ssh dir and the authorized_keys file (actually, I went back to root, copied the root's authorized_keys file over and chown/chmodded it to have 644 and username:users).

>pwd
/var/services/homes/hg/.ssh
>ls -lap
drwx------    2 hg       users         4096 Apr  2 00:03 ./
drwxrwxrwx    3 hg       users         4096 Apr  2 00:02 ../
-rw-r--r--    1 hg       users         1716 Apr  2 00:03 authorized_keys
-rwxr-xr-x    1 hg       users           40 Apr  2 00:02 environment

To me, this looks fine...

However, when I try to log into SSH, I get "Server refused our key." Why could that be?
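The listing above shows a world-writable home directory (the "drwxrwxrwx ../" line), which is one of the conditions under which sshd, with StrictModes on (its default), refuses to read authorized_keys at all and the client sees "Server refused our key". The checker below is an added example, not code from the thread or from Synology: it applies the same ownership and write-permission rules sshd uses to the home directory, ~/.ssh and authorized_keys. The function names are my own, and the tree it builds under mktemp is constructed to reproduce the listing. It uses only ls, awk and cut so it also runs under busybox.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a home directory the way
# sshd's StrictModes does before honouring ~/.ssh/authorized_keys. Each of the
# home directory, ~/.ssh and authorized_keys must be owned by the user (or root)
# and must not be writable by group or others.

# Print the owner of a path, e.g. "hg".
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Succeed unless the path is writable by group or others.
not_writable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group write, char 9 = other write
    esac
    return 0
}

# Check one path; print a finding and fail if it does not pass.
check_path() {   # $1 = path, $2 = expected owner
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    o=$(owner_of "$1")
    if [ "$o" != "$2" ] && [ "$o" != "root" ]; then
        echo "OWNER    $1 is owned by $o, expected $2"; return 1
    fi
    if ! not_writable_by_others "$1"; then
        echo "PERMS    $1 is group/world writable: $(ls -ld "$1" | cut -c1-10)"; return 1
    fi
    echo "ok       $1"
    return 0
}

# Check home, home/.ssh and home/.ssh/authorized_keys; succeed only if all pass.
check_ssh_perms() {   # $1 = home directory, $2 = user name
    rc=0
    check_path "$1" "$2"                      || rc=1
    check_path "$1/.ssh" "$2"                 || rc=1
    check_path "$1/.ssh/authorized_keys" "$2" || rc=1
    return $rc
}

# Demo on a constructed tree that reproduces the listing from the post
# (home 777, .ssh 700, authorized_keys 644).
demo=$(mktemp -d)
me=$(owner_of "$demo")          # the account that created the tree
mkdir -p "$demo/hg/.ssh"
: > "$demo/hg/.ssh/authorized_keys"
chmod 777 "$demo/hg"; chmod 700 "$demo/hg/.ssh"; chmod 644 "$demo/hg/.ssh/authorized_keys"
check_ssh_perms "$demo/hg" "$me" || echo "=> sshd would refuse the key"
chmod 755 "$demo/hg"
check_ssh_perms "$demo/hg" "$me" && echo "=> key would be accepted"
rm -rf "$demo"
```

On the NAS you would run it as check_ssh_perms /var/services/homes/hg hg; the only fix the first finding needs is chmod 755 on the home directory, after which sshd will read the key file.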


Re: Pubkey SSH for non-root users

Unread post by rmortier » Thu Apr 05, 2012 4:47 pm

I'm having the exact same problem, these Synology boxes are turning out to be a waste of money and I should have just built my own with FreeNAS from the very start.

I've got pubkey working for root with password authentication disabled. However, I want pubkey auth without the root user.

I've enabled home directories, I've copied the authorized_keys file into the users home/.ssh folder, still nothing.

I've tried editing the /etc/ssh/sshd_config file and adding AllowUsers root,admin,username but for some [Please control your language] up reason this blocks the root user from logging in saying key denied. You then have to enable telnet to go make changes.

What a waste of money these things are.


Re: Pubkey SSH for non-root users

Unread post by rmortier » Thu Apr 05, 2012 5:27 pm

I finally got it working.

Log into the web interface
Control Panel > Users > User Home > Enable user home services

chmod 4755 /bin/busybox

cd /var/services/homes/username
mkdir .ssh
chown username:users .ssh
(put your key file named "authorized_keys" into the .ssh folder now)
chmod 600 authorized_keys
chown username:users authorized_keys

cp /root/.profile /var/services/homes/username
vi .profile
(change the line that reads “HOME=/root” to “HOME=/var/services/homes/username”)
save and exit .profile

vi /etc/passwd
(make sure your home is /var/services/homes/username and change shell from nologin to /bin/sh)


Let me know if that works for you.


Re: Pubkey SSH for non-root users

Unread post by maxxfi » Fri Apr 06, 2012 2:14 pm

Just install openssh from IPKG.
It makes pubkey access for non-root users possible and adds more features to ssh/scp connectivity.
No longer using Synology NAS, moved to more open source solutions.
DS-106j > DS-210j > DS-411


Re: Pubkey SSH for non-root users

Unread post by chaoslaw0362 » Tue Jun 05, 2012 1:47 pm

It works.

Thanks a lot.


Re: Pubkey SSH for non-root users

Unread post by CoolRaoul » Wed Jun 06, 2012 8:54 am

rmortier wrote: chmod 4755 /bin/busybox
Why, why, why make busybox suid :shock: ?

Where have you found that "tip"?

Do you have any concerns about security?

What you have done implicitly gives root privileges to *all* commands symlinked to /bin/busybox (and there are a lot; just try "ls -l /bin /usr/bin" to check) when executed by *any* account. (And more, this has nothing to do with the sshd authentication mechanism, since "sshd" is not one of the commands symlinked to busybox.)

To make sshd public key authentication work for non-root users, enabling user home services and changing the user's shell to /bin/sh or /bin/ash is sufficient (just checked it).
CR
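CoolRaoul's objection is the multi-call nature of busybox: a single setuid bit covers every applet symlinked to it. As an added check (not from the thread and not Synology's tooling), the script below lists setuid files under the given directories and, for each one, counts the command names that reach it through symlinks, so a suid busybox stands out immediately. The function names are my own, the tree it builds under mktemp is constructed, and its use of readlink -f makes it Linux-specific; on the NAS you would point it at /bin and /usr/bin, the directories CoolRaoul mentions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit setuid files below the
# given directories and count how many symlinked command names resolve to each.
# A 4755 busybox on a busybox-based system shows up with a large count: every
# one of those applets would run as root for any account.

# Count symlinks below the given directories that resolve to $1.
applet_count() {   # $1 = target file, remaining args = directories to scan
    target=$(readlink -f "$1"); shift
    find "$@" -type l 2>/dev/null | while read -r link; do
        if [ "$(readlink -f "$link" 2>/dev/null)" = "$target" ]; then echo x; fi
    done | wc -l | tr -d ' '
}

# Print "<applet count> <path>" for every setuid file below the directories.
suid_audit() {   # usage: suid_audit DIR...
    find "$@" -type f -perm -4000 2>/dev/null | while read -r f; do
        echo "$(applet_count "$f" "$@") $f"
    done
}

# Demo on a constructed tree mimicking a busybox-based /bin; no system files are touched.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
: > "$demo/bin/busybox"; chmod 4755 "$demo/bin/busybox"   # the "tip" from earlier in the thread
for name in su ls chmod mount; do ln -s busybox "$demo/bin/$name"; done
: > "$demo/bin/lonely"; chmod 4755 "$demo/bin/lonely"     # a suid file nothing links to
suid_audit "$demo/bin"
rm -rf "$demo"
```

Any line with a count greater than zero deserves a look; a multi-call binary with dozens of applets behind it should never carry the setuid bit, which is what "chmod -s /bin/busybox" later in the thread undoes.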


Re: Pubkey SSH for non-root users

Unread post by chaoslaw0362 » Wed Jun 06, 2012 1:58 pm

Hi, if I want to change back the original mode of busybox, can you give me the command? Thanks.


Re: Pubkey SSH for non-root users

Unread post by CoolRaoul » Wed Jun 06, 2012 2:01 pm

chaoslaw0362 wrote: Hi, if I want to change back the original mode of busybox, can you give me the command? Thanks.

chmod -s /bin/busybox
CR


Re: Pubkey SSH for non-root users

Unread post by LocoDelColor » Tue Jul 17, 2012 12:46 am

CoolRaoul wrote:
rmortier wrote: chmod 4755 /bin/busybox
Why, why, why make busybox suid :shock: ?

Where have you found that "tip"?

Do you have any concerns about security?

What you have done implicitly gives root privileges to *all* commands symlinked to /bin/busybox (and there are a lot; just try "ls -l /bin /usr/bin" to check) when executed by *any* account. (And more, this has nothing to do with the sshd authentication mechanism, since "sshd" is not one of the commands symlinked to busybox.)

To make sshd public key authentication work for non-root users, enabling user home services and changing the user's shell to /bin/sh or /bin/ash is sufficient (just checked it).
Related question, then. I set permissions on busybox to 4755 so that I could su to root from my non-root account. I then disabled root logins via SSH. Do you know of a way I could accomplish the same goal?
DS411j | DSM 4.3-3776 | 4x1TB (RAID5)


Re: Pubkey SSH for non-root users

Unread post by CoolRaoul » Tue Jul 17, 2012 8:44 am

LocoDelColor wrote: Related question, then. I set permissions on busybox to 4755 so that I could su to root from my non-root account. I then disabled root logins via SSH. Do you know of a way I could accomplish the same goal?
You may make a copy of "/bin/su" to, for example, "/usr/local/bin/su", "chmod +s" and "chmod +x" *that* file and then take care of having the enclosing directory in front of users' PATH (via /etc/profile).

Another option would be to add the following block at the very end of the "/etc/ssh/sshd_config" file and restart the ssh daemon (or simply kill -HUP the master sshd process):

Match Host 127.0.0.1
        PermitRootLogin yes

(indentation is only for readability)

This will add an exception to the "ssh root logins disable" rule (which, I suppose, you have achieved by adding "PermitRootLogin no" to that conf file) allowing those logins from local host.
Then instead of "su - root" you will use "ssh root@localhost" to become root.
CR
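As an added example (not CoolRaoul's code and not OpenSSH's), the script below evaluates an sshd_config the way sshd resolves Match blocks and reports the PermitRootLogin value that applies to a given client address and user, so the effect of the block above can be checked before the daemon is restarted. It understands only exact Host/Address/User criteria (no wildcards, no CIDR); on the NAS itself, "sshd -T -C addr=127.0.0.1,host=127.0.0.1,user=root" is the authoritative check. Two caveats a practitioner should know: "Match Host" compares the client's reverse-resolved name (or the address string when UseDNS is off), whereas "Match Address" compares the IP directly, so "Match Address 127.0.0.1" is the less fragile spelling of the same exception; and every keyword line after a Match belongs to that block until the next Match, which is why the block has to go at the end of the file. The function name is my own and the config it writes under mktemp is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper name): a minimal evaluator for sshd_config
# Match blocks. Prints the PermitRootLogin value that applies to a client.
# Rules mirrored from sshd: a matching Match block overrides the global value,
# the first matching block wins, the first global occurrence wins, and the
# compiled-in default (before OpenSSH 7.0) is "yes".
effective_permit_root_login() {   # $1 = config file, $2 = client address/host, $3 = user
    cfg=$1; client=$2; user=$3
    awk -v client="$client" -v user="$user" '
        # Does one criterion (host/address/user) match the client? Lists are comma-separated.
        function matches(crit, list,    n, parts, i) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) {
                if ((crit == "host" || crit == "address") && parts[i] == client) return 1
                if (crit == "user" && parts[i] == user) return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        tolower($1) == "match" {
            in_match = 1; applies = 1
            for (i = 2; i < NF; i += 2)               # criteria come in name/value pairs
                if (!matches(tolower($i), $(i + 1))) applies = 0
            next
        }
        tolower($1) == "permitrootlogin" {
            if (!in_match) { if (global == "") global = $2 }   # first global value wins
            else if (applies && matched == "") matched = $2    # first matching block wins
        }
        END {
            if (matched != "") print matched
            else if (global != "") print global
            else print "yes"
        }
    ' "$cfg"
}

# Demo: a constructed excerpt with the exception from the post appended at the end.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config excerpt
PermitRootLogin no
PubkeyAuthentication yes
Match Host 127.0.0.1
        PermitRootLogin yes
EOF
echo "from 127.0.0.1:  PermitRootLogin $(effective_permit_root_login "$demo" 127.0.0.1 root)"
echo "from 192.0.2.10: PermitRootLogin $(effective_permit_root_login "$demo" 192.0.2.10 root)"
rm -f "$demo"
```

The demo prints "yes" for the loopback client and "no" for anyone else, which is exactly the exception the post describes: root can only log in through a session that is already on the box.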


Re: Pubkey SSH for non-root users

Unread post by maxxfi » Tue Jul 17, 2012 10:22 am

CoolRaoul wrote: Another option would be to add the following block at the very end of the "/etc/ssh/sshd_config" file and restart the ssh daemon (or simply kill -HUP the master sshd process):

Match Host 127.0.0.1
        PermitRootLogin yes

(indentation is only for readability)
Cool hack... but would it survive a DSM upgrade, or would the new /etc/ssh/sshd_config overwrite it?
No longer using Synology NAS, moved to more open source solutions.
DS-106j > DS-210j > DS-411


Re: Pubkey SSH for non-root users

Unread post by CoolRaoul » Tue Jul 17, 2012 11:06 am

maxxfi wrote: Cool hack... but would it survive a DSM upgrade, or would the new /etc/ssh/sshd_config overwrite it?
Do not know, but since "LocoDelColor" has already edited that file (since he said he had "disabled root logins via SSH" and, AFAIK, that's the natural way to do this), in any case he will be faced with that question.
CR


Re: Pubkey SSH for non-root users

Unread post by LocoDelColor » Tue Jul 17, 2012 9:11 pm

CoolRaoul wrote:
LocoDelColor wrote: Related question, then. I set permissions on busybox to 4755 so that I could su to root from my non-root account. I then disabled root logins via SSH. Do you know of a way I could accomplish the same goal?
You may make a copy of "/bin/su" to, for example, "/usr/local/bin/su", "chmod +s" and "chmod +x" *that* file and then take care of having the enclosing directory in front of users' PATH (via /etc/profile).
This seemed like a good idea, but...

lrwxrwxrwx    1 root     root             7 Mar  2  2011 /bin/su -> busybox

su is just a symbolic link to busybox.
CoolRaoul wrote: Another option would be to add the following block at the very end of the "/etc/ssh/sshd_config" file and restart the ssh daemon (or simply kill -HUP the master sshd process):

Match Host 127.0.0.1
        PermitRootLogin yes

(indentation is only for readability)

This will add an exception to the "ssh root logins disable" rule (which, I suppose, you have achieved by adding "PermitRootLogin no" to that conf file) allowing those logins from local host.
Then instead of "su - root" you will use "ssh root@localhost" to become root.
Seems like a decent solution. Thanks for your help!
CoolRaoul wrote: Do not know, but since "LocoDelColor" has already edited that file (since he said he had "disabled root logins via SSH" and, AFAIK, that's the natural way to do this), in any case he will be faced with that question.
I keep a backup copy of that config elsewhere so I can revert any change that a firmware upgrade makes.
DS411j | DSM 4.3-3776 | 4x1TB (RAID5)


Re: Pubkey SSH for non-root users

Unread post by CoolRaoul » Wed Jul 18, 2012 7:22 am

LocoDelColor wrote: This seemed like a good idea, but...

lrwxrwxrwx    1 root     root             7 Mar  2  2011 /bin/su -> busybox

su is just a symbolic link to busybox.
So what?
After the copy you will get a full copy of busybox (not a symlink) named "su", and the chmod +s will apply to that copy and not to /bin/busybox.
Since the copy will be named "su" it will act like a normal "su".

(But I must admit that I'm not completely sure that there are no security holes remaining when using that approach; I prefer the sshd_config trick.)
CR


Re: Pubkey SSH for non-root users

Unread post by delebre » Wed Feb 19, 2014 5:57 pm

So, I have reached the point in my tweaking of SSH that I need help and this is the only thread that addresses what I am trying to do.

I have set up SSH with key pairs on my NAS. I want to disable the root login for security. Many tutorials I read keep trying to change the permissions of busybox with chmod 4755, which as CoolRaoul pointed out was dangerous.

I tried the suggestion by CoolRaoul to do the following:

Match Host 127.0.0.1
        PermitRootLogin yes

However, I have set up my root to utilize a different port, so it didn't work. I tried again by invoking:

ssh -p 12345 root@localhost

with 12345 being the alternative port. (No, I don't really use that port.)

Then I get this:

Failed to add the host to the list of known hosts (/volume1/homes/TheDude/.ssh/known_hosts).
Permission denied (publickey).

Now, I am assuming I can create this known_hosts file. But how do I address the fact that I have set the root user to utilize a key pair for extra security?

TL;DR: I want to keep my root ssh disabled, but be able to invoke root commands as needed while using a different user account. I use a keypair, and the awesome workaround by CoolRaoul didn't work.
