N4100 Module: SSH

From Thecus Wiki


Name: SSH (Secure Shell)

Maintainer(s): Mshapf, Lzimmerma

Target: N2100

Latest version: 4.0.00

Warning: If you are not familiar with Linux, please be aware that logging in as root with ssh will allow you to corrupt the entire N2100. If you don't know what you are doing, you had better find another Linux box to play around with. Nevertheless, having ssh access will allow you to identify and fix the occasional issue.

Security Alert: Every N2100 is delivered with the exact same ssh host keys. This leaves all Thecus devices extremely vulnerable to man-in-the-middle attacks. You are therefore urged to update to SSH module version 4.0.00 or higher and flush the existing host keys.

The SSH module allows you to store ssh keys for user root. The public part of the ssh key pair may be uploaded to the directory sshkeys (found in /raid/module/SSH/). A set of sample scripts (located here) shows how to use those keys for different tasks. The scripts are compatible with both Linux and Mac OS X.

  • keyless-entry.sh : generates sshkeys and loads public key to server (shell access only).
  • secafp-keygen.sh : generates sshkeys and loads public key to server (port forwarding only).
  • secafp-launch.sh : open secure tunnel to server and access afp share via tunnel.
  • secrsync-keygen.sh : generates sshkey which will allow rsync usage only.
  • secrsync-simple-backup.sh : backup single directory, targeted for interactive use, does not require sshkey.
  • secrsync-backup.sh : backup multiple directories, requires ssh key, suitable for automatic backups using cron.

To activate a new public key, either reboot the N2100 or simply disable and re-enable the SSH module. During module upgrades ssh keys are preserved. To remove all public keys, use the flush button.

The openssl software package is integrated as well, so you may generate ssh keys or web certificates on the N2100 itself. Please have a look at N2100 Fixing Certificate problems for a detailed description of how to use the on-board tools to set up your own certificate authority and issue a proper web certificate for your N2100.

When installing SSH for the first time you may need root password initialization. The init button will reset the root password to "irresistible". You are advised to log in immediately after initialization and change the default password to something more secure. Please note that the root password is independent from the admin password used exclusively for the web interface.

Root password backup and restore functionality is also part of the SSH module. Before upgrading the Thecus firmware you are advised to back up your root password. After the firmware upgrade just hit the restore button and your own root password will be active again. The backup function also takes care of your apache web certificates and your root ssh keys. The SSH module will automatically perform a backup when it is installed.

The final release of the SSH module updates OpenSSH to version 4.6p1 and patches SSHJail functionality into sshd. See here for instructions on how to confine any user into a root jail, and have a look at the options page of the SSH module for further instructions. SSHd user logins have to be enabled before the detailed instructions on SSHJail become visible. Home directories will be created in /raid/home/$user, or in /raid/$user if a share name matches a user name.

To improve security, ssh host key flushing has been added to the existing ssh key flush function. A new set of host keys will be generated after flushing (on the next reboot).

This release also features updated client executables ssh, sftp and scp and utility ssh-keygen to generate ssh (host) keys on the N2100 itself.

  • 2006-11-02: Simplified the handling/uploading of ssh (public) keys
  • 2006-11-06: Fixed ssh flush function, added/improved sample scripts
  • 2006-11-07: Added tools for generating ssh keys and (web) certificates
  • 2006-11-17: Added local sshd server software (incl sftp subsystem)
  • 2006-11-26: Added scp, implemented root password backup/restore, keeps ssh keys on module upgrades
  • 2006-12-15: Code cleanup, added root password init plus backup/restore of apache web certificate
  • 2007-01-07: root passwd init fixed, will now properly reset root password and create a backup thereof
  • 2007-04-21: Enable (smb)user logins via ssh, added client programs ssh, sftp and scp
  • 2007-05-27: Added chroot support to sshd, included ssh-keygen utility
  • 2007-06-03: Added ssh host key flushing to existing key flush function
  • 2007-08-02: Major upgrade, consolidating versions 3.1.x to 3.2.x into 4.0.00
  • 2008-01-25: Simplified module instructions, retired obsolete releases.
  • Version 4.1.00
    • Release date: 2008-07-01
    • Works on firmware: 1.3.06
    • Download (tar): N4100 SSH 4.1.00
  • Version 4.0.00
    • Release date: 2007-08-02
    • Works on firmware: 2.1.05
    • Does not work on firmware:
    • Download (tgz): N4100+ SSH 4.0.00
    • Download (tgz): N2100 SSH 4.0.00
    • DL mirror (zip): N2100 SSH 4.0.00
    • Major changes: moved to OpenSSH 4.6p1, patched sshd with SSHjail, added programs ssh, sftp, scp and sshkey, implemented ssh host key flushing, added user login support (with individual homes for each user).
  • Version 3.0.01
    • Release date: 2007-01-07
    • Works on firmware: 2.1.00, ..., 2.1.05
    • Does not work on firmware:
    • Download (tgz): SSH 3.0.01
    • DL mirror (zip): SSH 3.0.01
    • Major changes: Adds root password init button plus backup/restore of apache web certificate.