[GUIDE] SSH Lockout Fix for people messing with sshd_config

FIX_SSH.ZIP UPDATED TO WORK WITH FUTURE FIRMWARE

I have had a couple of folks PM me over the months where they have messed with the sshd_config settings and set

PermitRootLogin no

This will lock you out of SSH with no way back in.

I put together a small .deb file that will fix this issue:

  1. Download fix_ssh.zip from http://www.mediafire.com/?bqfu5hwwcr35rjf

  2. Unzip updateFile.deb from the zip file

  3. Go to the Dashboard and do an update from file

  4. Point it to the updateFile.deb

  5. The dashboard will copy the factory sshd_config file to the proper location with the correct permissions and reboot your MyBookLive

  6. After the drive reboots, you should now be able to SSH back into your drive again

Tested and working 100%


Updated fix_ssh.zip so that it should work with any future firmware upgrades

Wrong thread

Great as usual nfo, I’m glad we have you here :slight_smile:

Kudos all the way

The other option would be to create a new user, with limited permissions, and then give that user sudo permission and ssh access. Then disable root login, for security.

Edit: Didn’t realize that’s how manual update worked. So I guess it just passes it directly to dpkg. Interesting… gives me ideas.

I hate to admit it, but I actually managed to lock myself out of sshd on my brand new Duo. I didn’t find this post until I had already reverse-engineered your old solution, and created an update deb to recover it.  I had to change the package name to ap2nc in order to get it to load onto the DUO.

When I locked myself out of root, I also added a username to AllowUsers, but logged off before I actually created the user. And of course I restarted sshd before logging out. Whoops. Instead of simply creating a new sshd_config, which I honestly didn’t think of, I instead used the postinstall scripts to create and activate the new user. It took me more than a couple tries to get it to work.

Which got me thinking… Do you think there’s a (scriptable) way to abort the reboot cycle when you do an update via the WebUI? Because little things like this do not require a reboot. The preinstall script can stop sshd and postinstall can re-start it. Then the new sshd_config would be loaded, and you didn’t have to wait 5 minutes. I added a 30-second sleep to the end of the postinstall, and was able to (successfully) test login before it rebooted. It would be nice to be able to abort the unnecessary reboot cycle.

I also added a fairly useless feature - essentially a visual countdown to reboot on the LED. During install, the LED is solid yellow. After install completes, the install script waits 30 seconds before rebooting. The LED flashes white for the first 20 seconds, then yellow for 5 seconds, and then red for the last 5 seconds.

control (MBL Duo):

```
Package: ap2nc
Version: 02.42.02-012
Section: base
Priority: Important
Architecture: powerpc
Maintainer: <EDITED>
Installed-size: 1999828
Description: Apollo xNC upgrade package
 This is the overall upgrade package for the Apollo xNC program.
```

preinst

```sh
#!/bin/sh
PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
. /usr/local/sbin/disk-param.sh
# Progress marker for the firmware update
echo "upgrading 1" > /tmp/fw_update_status
# LED: solid yellow while the package installs
echo y > /usr/local/nas/led_color
echo n > /usr/local/nas/led_blink
# Stop SSHd
/etc/init.d/ssh stop
echo "upgrading 10" > /tmp/fw_update_status
```

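postinst

```sh
#!/bin/sh
PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo "upgrading 25" > /tmp/fw_update_status
# Create the user named in AllowUsers. -p takes an already-hashed password
# (MD5-crypt from openssl passwd -1); the plaintext is embedded in this script.
# -g expects the group addchild314 to exist already.
useradd -d /home/addchild314 -g addchild314 -m -p "$(echo "p@ssw0rd" | openssl passwd -1 -stdin)" addchild314
echo "upgrading 50" > /tmp/fw_update_status
# Start sshd again so a login can be tested before the reboot
/etc/init.d/ssh start
echo "upgrading 90" > /tmp/fw_update_status
# Countdown on the LED: blinking white for 20 s, yellow for 5 s, red for 5 s
echo w > /usr/local/nas/led_color
echo y > /usr/local/nas/led_blink
sleep 20
echo y > /usr/local/nas/led_color
sleep 5
echo r > /usr/local/nas/led_color
sleep 5
echo n > /usr/local/nas/led_blink
echo "Done"
```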
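A check that could be run before restarting sshd to catch the two lockouts described in this thread: root login disabled with no other usable account, and AllowUsers naming a user that has not been created yet. This is an added example, not code from any poster; the function name, the account name newadmin and the sample files are constructed, and the simplifications are listed in the comments.

```sh
#!/bin/sh
# usable_ssh_accounts CONFIG PASSWD
# Prints the accounts a candidate sshd_config would still admit; returns 1 if none.
# Assumptions of this sketch: only the global section (before the first Match) is
# read, AllowUsers entries are compared as literal names with any @host part
# dropped, DenyUsers/AllowGroups are ignored, and a usable non-root account is
# one with UID >= 1000 and a login shell.
usable_ssh_accounts() {
    awk -F: '
    FILENAME == ARGV[1] {                       # pass 1: sshd_config
        line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        n = split(line, w, /[ \t=]+/); key = tolower(w[1])
        if (key == "match") in_match = 1
        if (in_match || key == "") next
        if (key == "permitrootlogin" && root == "") root = tolower(w[2])  # first value wins
        if (key == "allowusers") {              # repeated lines accumulate
            restricted = 1
            for (i = 2; i <= n; i++) { u = w[i]; sub(/@.*/, "", u); if (u != "") allow[u] = 1 }
        }
        next
    }
    {                                           # pass 2: passwd
        if ($7 ~ /(nologin|false)$/) next       # no login shell
        if ($1 == "root" ? root == "no" : $3 + 0 < 1000) next  # root blocked, or system account
        if (restricted && !($1 in allow)) next  # not named in AllowUsers
        print $1; found = 1
    }
    END { exit (found ? 0 : 1) }' "$1" "$2"
}

# Constructed sample data reproducing the two lockouts described in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/bin/sh\n' > "$d/passwd"
    printf 'PermitRootLogin no\n' > "$d/only_root_disabled"
    printf 'PermitRootLogin no\nAllowUsers newadmin\n' > "$d/allowusers"
    for cfg in only_root_disabled allowusers; do
        usable_ssh_accounts "$d/$cfg" "$d/passwd" >/dev/null || echo "$cfg: LOCKOUT, do not restart sshd"
    done
    # Creating the account first (constructed entry) makes the same config safe.
    printf 'newadmin:x:1000:1000::/home/newadmin:/bin/sh\n' >> "$d/passwd"
    echo "allowusers after useradd: $(usable_ssh_accounts "$d/allowusers" "$d/passwd")"
    rm -rf "$d"
}
demo
```

On a real system the two arguments would be the edited sshd_config and /etc/passwd; `sshd -t` covers syntax errors, which this check does not.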

addchild!!! Nice to see you back :slight_smile:

Yeah the reboot probably isn’t needed but I’m not the best with scripting so I left most of what was there alone at the time. I need to get back in the swing of things here and update some mods but have been rather busy lately. I got to the point where my test box was turned into an all in one server and don’t like to mess with it as it’s usually doing something. I may need to break out my 3rd backup MBL from the closet and play around again.

Hope all is well with you and hope to see you around here more :slight_smile:

Thank you very much, I thought that there was no solution (sorry, Google Translate).

One question:

Is there a possibility of reinstalling the OS? Does this need SSH access to do? (Sorry for my translation.) Hahaha