GUIDE: Change ssh configuration on OS 5

I will explain how to change your ssh configuration to allow other users (e.g. for FileZilla, WinSCP or sshfs) and optionally to disable password authentication.

Enable ssh and log in to the nas.

If you make a mistake during this process and need to reset ssh to the default settings so you can login, open the webgui and disable and re-enable ssh. Your config settings won’t be affected.

cp /etc/ssh/sshd_config /usr/local/config

Edit /usr/local/config/sshd_config with vi, or copy it to your computer, edit it, and copy it back.

Add the following:

AuthorizedKeysFile /usr/local/config/authorized_keys
PermitRootLogin yes
PubkeyAuthentication yes

Change the AllowUsers line to include the other users you want to allow, for example mine is:

AllowUsers sshd rkitover

If you want to disable passwords add the following:

PasswordAuthentication no
ChallengeResponseAuthentication no

From your computer copy the authorized_keys file with the keys you want to allow to the nas:

scp ~/.ssh/authorized_keys sshd@nas:/usr/local/config

MAKE SURE ALL KEYS ARE A SINGLE LINE WITH NO SPACES OR THEY WON’T WORK

Now, edit /usr/local/config/config.xml as described here. Make sure to do this very VERY CAREFULLY, because you can make your device unbootable.

Find the crond section and add another name entry, call it sshd_config, e.g.:

<name id="9">sshd_config</name>

Add it at the bottom with the next sequential id.

At the bottom of the crond section, add the new sshd_config section, like so:

<sshd_config>
    <item id="1">
        <method>3</method>
        <1>@reboot</1>
        <run>sleep 120; pkill sshd; /usr/sbin/sshd -E /var/log/sshd.log -f /usr/local/config/sshd_config &amp;</run>
    </item>
</sshd_config>

Now reboot the nas (e.g. with the reboot command) and wait about 5 minutes.

Your new ssh configuration should be active.

Thanks to dswv42 for the persistent system changes guide which I used to do this.
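A pre-flight check for the authorized_keys step above, as an added example that is not part of the original post: it confirms that every entry is complete on one line and that its base64 data parses as the declared key type, which matters most before setting PasswordAuthentication no. The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _wire_strings(blob):
    """Split an SSH public key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if short
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos:pos + n])
        pos += n
    return out

def check_key_line(line):
    """Return None for a usable entry, otherwise the reason it is unusable."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None:
        return "no key type found (continuation of a wrapped key?)"
    if idx + 1 >= len(tokens):
        return "key type without key data"
    try:
        fields = _wire_strings(base64.b64decode(tokens[idx + 1], validate=True))
    except (ValueError, struct.error):
        return "key data is truncated or not valid base64"
    if not fields or fields[0] != tokens[idx].encode():
        return "key data does not match the declared key type"
    return None

def check_authorized_keys(text):
    """Return [(line_number, reason)] for every unusable non-comment line."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            reason = check_key_line(line)
            if reason:
                problems.append((num, reason))
    return problems

# Constructed sample (all-zero key material, not a real key).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " user@example"

if __name__ == "__main__":  # a key wrapped after 40 base64 characters
    print(check_authorized_keys(SAMPLE_KEY[:52] + "\n" + SAMPLE_KEY[52:]))
```

Run it on the file on your computer before the scp step; an empty list means every entry parsed.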


Can someone please explain what <method>3</method> is and how many methods there are?

Regards

I followed this carefully. However, my system became unbootable.
Is there a way to fix this?

Please pay attention, there is a failure! You need to replace &amp with & only.

<sshd_config>
    <item id="1">
        <method>3</method>
        <1>@reboot</1>
        <run>sleep 120; pkill sshd; /usr/sbin/sshd -E /var/log/sshd.log -f /usr/local/config/sshd_config &</run>
    </item>
</sshd_config>

I did the same config change and it stopped rebooting as well.
The good thing is you can do a “Factory reset” by using the reset button (plug a paper clip into the hole at the back, actually).
Then the device restarted, with all my data again!
I just had to reconfigure it afterwards.

I’ll never try to change the system files again!

I’m sorry if people are having problems, it is actually &amp; not & if you are editing the config.xml directly and you have to make sure you use the NEXT SEQUENTIAL ID for the new section.

If someone had success doing this, can you please reply here?

At the time of writing I am using the latest firmware v5.26.300. So the following must be working on this version.
After hours of testing and testing, I came up with the solution:
The <run> section is wrong both in the article and in some comments as well. Instead of semicolons, use && and place delays in between, too. Whenever you use the & symbol, use the HTML entity (&amp;)!

<run>sleep 90 &amp;&amp; pkill sshd &amp;&amp; sleep 15 &amp;&amp; /usr/sbin/sshd -E /var/log/sshd.log -f /usr/local/config/sshd_config &amp;</run>

In the <crond> section you will need to do a few things. You will find a few tasks there already, but not all of them will be running. Each task has an ID. Only tasks with an ID less than or equal to yyy in <count>yyy</count> will be executed. Therefore, when you add the <name id="xxx">sshd_config</name> line, xxx should be yyy; then shift the rest by +1 and also increase yyy to yyy+1 in <count>yyy</count>. Basically, you replace the last running task with the new one and shift the rest by +1.

Original

<crond>
	<list>
		<count>5</count>
		<name id="1">stime</name>
		<name id="2">wd_crontab</name>
		<name id="3">app_get_info</name>
		<name id="4">recycle_bin_clear</name>
		<name id="5">user_expire_chk</name>
		<name id="6">pull_wdlog_config</name>
	</list>

Modified

<crond>
	<list>
		<count>6</count>
		<name id="1">stime</name>
		<name id="2">wd_crontab</name>
		<name id="3">app_get_info</name>
		<name id="4">recycle_bin_clear</name>
		<name id="5">sshd_config</name>
		<name id="6">user_expire_chk</name>
		<name id="7">pull_wdlog_config</name>
	</list>

The task config sections have to follow the above order (just in case).

<sshd_config>
	<item id="1">
		<method>3</method>
		<1>@reboot</1>
		<run>sleep 90 &amp;&amp; pkill sshd &amp;&amp; sleep 15 &amp;&amp; /usr/sbin/sshd -E /var/log/sshd.log -f /usr/local/config/sshd_config &amp;</run>
	</item>
</sshd_config>

If you use an XML editor, it will cry about the <1>…<2>…<30> tags as they are not standard. Don’t worry about it, just save the file.
If you screw up something, you have to do the 40-second reset.

  1. unplug the power
  2. insert a pin into the reset hole above USB port
  3. plug the power back but do not release the pin for min. 40 seconds
  4. release the pin and after booting up (could take a few minutes) open the web GUI (if you had HTTPS previously enabled, it will be disabled until you finish the initial wizard)
  5. enable SSH again and check what you’ve done wrong
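The renumbering and escaping rules from the post above, as an added example that is not part of the original post: it works on the text of the list block with regular expressions, because the numeric <1> tags keep config.xml from loading in a standard XML parser. The function names are hypothetical and the sample is the "Original" list quoted above, re-indented with spaces.

```python
import re
from xml.sax.saxutils import escape

NAME_RE = re.compile(r'<name id="(\d+)">([^<]+)</name>')
BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+);)")

# Constructed sample: the "Original" task list quoted in the post above.
SAMPLE_LIST = """<crond>
  <list>
    <count>5</count>
    <name id="1">stime</name>
    <name id="2">wd_crontab</name>
    <name id="3">app_get_info</name>
    <name id="4">recycle_bin_clear</name>
    <name id="5">user_expire_chk</name>
    <name id="6">pull_wdlog_config</name>
  </list>
"""
# The command as the shell should see it, before XML escaping.
COMMAND = ("sleep 90 && pkill sshd && sleep 15 && /usr/sbin/sshd "
           "-E /var/log/sshd.log -f /usr/local/config/sshd_config &")

def insert_task(list_block, task):
    """Give `task` the id equal to the old <count>, shift later ids, bump count."""
    count = int(re.search(r"<count>(\d+)</count>", list_block).group(1))
    names = {int(i): n for i, n in NAME_RE.findall(list_block)}
    if task in names.values():
        raise ValueError(f"{task} is already listed")
    if sorted(names) != list(range(1, len(names) + 1)) or count not in names:
        raise ValueError("ids are not sequential from 1, or count is out of range")
    ordered = [names[i] for i in sorted(names)]
    ordered.insert(count - 1, task)
    indent = re.search(r"^([ \t]*)<count>", list_block, re.M).group(1)
    lines = [f"{indent}<count>{count + 1}</count>"]
    lines += [f'{indent}<name id="{i}">{n}</name>' for i, n in enumerate(ordered, 1)]
    # Rewrite only the span from <count> to the last </name>; the rest is untouched.
    return re.sub(r"[ \t]*<count>.*</name>", lambda m: "\n".join(lines),
                  list_block, count=1, flags=re.S)

def run_element(command):
    """Build <run>...</run> with &, < and > escaped for XML."""
    return f"<run>{escape(command)}</run>"

def has_bare_ampersand(fragment):
    """True if `fragment` contains an & that is not part of an entity."""
    return BARE_AMP.search(fragment) is not None

if __name__ == "__main__":
    print(insert_task(SAMPLE_LIST, "sshd_config"))
    print(run_element(COMMAND))
```

Running has_bare_ampersand over the edited section on your computer before copying config.xml back catches an unescaped & while the NAS is still bootable.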

Thank you for going through this, it’s been a while since I did the original mod and it worked for me at that time.

I will try to update the article.