EX4100 Public Key auth over SSH, changes killed on REBOOT

Trying to setup SSH accounts to work with public key authentication, and after creating the directory and authorized_keys file, setting perms, etc, it all works fine. I restart the device to test and all of the changes to it are gone… essentially as if the thing has just re-imaged itself.

Some background as to why I want to bother: We purchased the device to make some remote backups to keep off-site of some mission critical materials. Having the features advertised (AD integration, etc), we figured it would function well in an enterprise environment. The ways we had planned on using it originally haven’t panned out, but I was happy to see it could support SSH, which got us around a big hurdle of being able to reach the device easily and programatically from a different network segment. The thing is, SSHing into a system as root with just a password is crazy insecure! We can’t possibly leave the device like that and put anything remotely sensitive on it.

So, I guess what I’m after here is a way to get the system to stop wiping out the /home and /etc/ssh directories so I can get the SSH keys and configurations to stick… or, failing a way to disable whatever is rewriting it, a way to modify the image it is using to include the changes I want.

Have a feeling I may be SOL, and if it had been up to me from the get go I’d of just setup a proper RAIDed workstation on the other end, but don’t want to give up without asking if maybe someone else has run into this and come out on top. Going to see if I can make everything work the way I want over FTP if this doesn’t work out, but I will be so.much.happier if I can get this puppy to do tricks over SSH.

Technically it IS doable what you are trying to do. In fact, I have been doing just that since last year shortly after my purchase of the EX2 model. There are two ways to do this - the painful manual way - or the automated way but that comes with a much harder obstacle to overcome.

So here’s the problem. The way all the My Cloud EX and Mirror products work is that at boot time they discard everything in the /home and /etc directories - where the user accts and configs are kept…and they rebuild them from the firmware that permanently resides in the flash memory. Because of this, all user accts that you used to store the keys are wiped clean - as you have discovered.

So one painful way to work around the problem is to make use of a small directory where WD saves its configs (& logs) during reboots - and that directory is /usr/local/config. What you can do is create a new directory under there - let’s call it UserHomesBackup (that’s what I call it in mine). Now, after you have setup all the user’s SSH keys in their home’s .ssh directories, you need to copy the entire user directory (not just the .ssh directory) using the cp -p command into that UserHomesBackup directory. The -p switch copies the crucial permissions of files and folders, along with the timestamps. Now, after you reboot you can simply cp -p back every directory from that backup directory to /home directory - and your SSH key-based authentication will work again. But yes, the big downside to this workaround is that you need to copy those directories back after a reboot every time. The other thing I’d caution about is that the /usr/local/config directory is mounted on a very small space (filesystem) - on my EX2 it is 12.2 MB (you can find out yours by running ‘df -h /usr/local/config’ command)…which is still quite good size for storing all types of config files - but not meant to store too much files or many big files…but it is okay for storing a bunch of users’ home directories with their .ssh folders.

So the more difficult thing for many is to automate this process. If you know shell scripting and can follow instructions on how to compile code, you can take WD’s firmware source code that they make available under GPL license and compile your own firmware after making a couple small tweaks to their startup script. Basically you’d be baking in that copy of the users’ home directories back to /home on restart. In order to do so, you MUST change the system_init script that’s in /usr/local/modules/script/ directory. That system_init runs during boot time - but that script cannot be edited since it runs off of the flash memory. So the only way to tweak that is to download the source code from WD’s site, modify that init script and then compile the firmware…and finally load the firmware. Once you have loaded the firmware, you will now automatically have those user directories copied back to /home on reboot. But of course, this requires a good comfort level with Linux/Unix and the acceptance that doing this voids your device’s warranty. But I have been doing this for 20 months now and have added many customizations to the firmware - from SSH logging to SFTP logging to log archiving to many, many other features I needed, all baked into my custom modded firmware. Here’s my post from April 2014 to demo that SFTP by a non-root user (using SSH key) -> SFTP possible on EX2

1 Like

Awesome writeup and reply Cybernut1 :slight_smile: I’m super appreciative of you sharing your experience and discoveries. I’ll see how the rest of the team feels and hopefully we’ll be implementing this soon!

Glad to be of help. If you need further detailed assistance - heck, I can even walk your hands through the whole compile code process and/or any other customization you might need for a small and reasonable fee, I’ll be more than happy to (but of course, only if you feel you could benefit from that). There’s a PM feature - you can PM me for that.