Hi {EDITED. FORGOT THE USUAL WARNINGS]
USING SSH MAY INVALIDATE YOUR WARRANTY. PROCEED AT YOUR OWN RISK.
This is useful if you are using remote ssh to your wdmycloud to do some housekeeping and
especially if using WinSCP for file transfers or synchronisation.
If you are not using remote ssh, then is of little use (apart from extra security) just remember not to forward ssh port on your router.
The reason for this “HOWTO” is that although SSH is secure, however, by default it uses username
and password sent in clear text over ssh tunnel, which can be compromised with a man-in-the-middle
attack as it sends them through ssh tunnel in clear text.
TRUST ME I have seen quite few people with packet sniffers on their laptops, in cafe, airports, hotels etc.
However, with a private encryption key and a passphrase on that key, it will be extremely hard to crack
which gives you enough time to regenerate a new keys, delete the public key on the server,
and put a new passphrase on the new private and public keys if your existing private key has been compromised.
Also, this method, will authenticate the client against a public key and the private key. Without
private key and passphrase no client can connect.
Briefly of how ssh work:
- SSH is a way to remotely login securely to your sever.
- client initiate the connection to the server on port 22 (default but can be changed),
example client is WinSCP or plain old ssh. - when connecting for the fist time the server will identify itself (fingerprint you see
when first conencted). - A session will be established for encryption/decryption (auto negotiated by the client and server).
- Now the client identified the server, the server will challenge the client with your public key
(which we will generate shortly). - The client will send a public key authtentication to the sever.
- Sever will look into its authorized public key and challenge the client with this key.
- if the client has the private key (in order to decrypt the server’s challenge)
then it can answer the challenge). - We will put a pssphrase on the private key for security in case the private key is lost.
- client will ask you for the passphrase for the private key. So even if you stole the
private key you still need to know the passphrase. The passphrase is not stored with the
private key but rather encrypted and only a hash to that passphrase is stored. This hash is sent
to the server which will regenerate the hash and if found to be a match the client will gain
access to the server.
(This is really simplified but gives the overall picture).
Don’t worry it all happens behind the scenes and all you have to do is to have the private key ready
and recall the passphrase (without it you are locked out).
The procedure is straight forward and no installation of anything on the WDMYCLOUD is required.
FIRST OF ALL CHANGE YOU CURRENT DEFAULT PASSWORD (always a good idea).
1. log in into your cloud with ssh (first enable it in the dashboard) and use the
standard username:root and password=welc0me (ZERO not O).
2. once you are inside type
passwd
Enter the new password, and it will ask to confirm. DO NOT PRESS RETURN YET.
Write down the new password, or better still write it down and memorize it. Keep the note secret somewhere.
Or use one of the many apps that exist for Iphone/Android or even online to store passwords safely.
Exit and test that you can login with the new password.
We will be using WinSCP for this. So make sure you download a copy from the ORIGINAL WEBSITEONLY.
When you are done, run WinSCP.
1. In Session panel enter your hostname (mine is called wdmycloud). For this to work you need to log in to your router and reserve the IP address for your device. Look for something like "DHCP RESERVATION". WinSCP doesn't understand "Windows netbios" names and will not be able to resolve the host.
Alternatively you can just enter the IP address. Enter the user name "root". DO NOT LOG IN YET.
2. In WinSCP left panel, click on tools and navigate down to the item "run puttygen". We will use this to generate 2 keys Public key and Private key):
a. public key to install at the server (this is used by the server to
challenge the client).
b. Private key to keep with you.
3. click on "run puttygen"
4. in the opened window click on "Generate" and follow the instructions.
5. This procedure will generate the keys. Enter the passphase (again write it down or memorize it or preferably both).
When finished the top panel will have the Public key. Copy the whole content of the window to clipboard.
MAKE SURE YOU COPY EVERY THING EXACTLY. We will need this to install it in the server (wdmycloud).
Now, bottom panel has 2 options to save the public and private key. Save them somewhere
secure. I typically save them on a secure encrypted USB flash stick. This way I always
have the private key with me and I can log in securely from any machine, public or otherwise.
6. Now that we have the keys we need to save the public key on the server. There are many ways to accomplish this. One way is to save it into a file called authorized_keys" (Naming is very important here). login with WinSCP and transfer the file.
7. Now use "putty" (again download putty from original website) to log in to your cloud.
8. do not change directory. If you did, then go go back to /root directory.
9. Create a directory called .ssh
mkdir .ssh
and copy the " authorized_keys" file to it. OR you can use “vi” editor to open a new file and then right click to paste. (Make sure the pasted text matched what is in the clipboard exactly). Either way, the file “authorized_keys” will live in /root/.ssh/authorized_keys.
While you are still there do:
cd /root
chmod 700 .ssh
chmod 644 .ssh/authorized_keys
10 EXIT (putty or winscp)
11 run Winscp. Enter the session information as before.
12. click on tools.
13. click on run "puttygen". click on "Load" and give it the path to where you
saved the private key.
14. Enter the passphrase for the private key.
15. close the top window. this will take you back to WinSCP login window.
16. click login
17. WinSCP will authenticate, but this time it will ask you for the passphrase
for your private key. Enter it (You did write it down and memorize it,
right?)
WinSCP will now authenticate itself with the private key and passphrase.
Now do this test multiple times. Logout and login and make absolutely sure you can login with
passphrase not normal password. MAKE SURE YOU HAVE THE PASSPHRASE AND THE KEYS TO HAND.
If all is well then we are almost done. Otherwise retrace your steps and do it again (making
sure you delete any old files around if you are generating new key pairs.)
if you are using “putty” only, the same procedure is similar:
1. run puttygen (it is in the same directory as putty)
2. create the keys, "Generate"
3. copy the public key from top window.
4. save both keys.
When you want to login with "putty" you need to tell it where is the private key.
1. run putty
2. Enter session information (hostname) (DO NOT LOG IN YET)
3. In the left panel expand SSH, and highlight Auth
4. in right panel click on "browse" and navigate to where you saved the private key.
5. click open. this will take you to login window where you can login as normal.
SSH will fall back to standard username and password using tunneled clear text if private key
authentication has failed which defeats the object of what we just did. We need to change one
line in /etc/ssh/sshd_config and restart the server on wdmycloud.
IT IS IMPORTANT HERE THAT YOU HAVE TESTED THAT YOU CAN LOG IN WITH PASSPHRASE NOT normal PASSWORD FOR ROOT.
ONE MISTAKE OR IF YOU HAE NOT TESTED, YOU WILL BE LOCKED OUT OF YOUR SERVER. IT STILL WORKS, YOU JUST CANNOT LOG BACK INTO YOUR DEVICE USING SSH.
YOU CAN GET IT BACK IF YOU MADE A MISTAKE BY REFLASHING YOUR DEVICE USING A FIRMWARE FILE WHICH YOU CAN DOWNLOAD FROM WD.
1. open /etc/ssh/sshd_config with an editor, and find the following 2 lines
# Change to no to disable tunneled clear text passwords
# PasswordAuthentication yes
remove the second "#" infront of "PasswordAuthentication yes" and change "yes" to "no".
save the file.
on command line type:
service ssh restart
Now we are done. without private key and passphrase no computer will be able to connect.
If you are using Linux or any Unix you will use the following commands:
-
in your home directory do
mkdir .ssh
chmod 700 .ssh
- generate the keys as follows (it will proabalby generate the directory for you):
ssh-keygen -t rsa
3. do not forget to enter the passphrase.
4. copy the public key to wdmycloud as follows: ssh-copy-id root@wdmycloud
5. make sure the key is there on wdmycloud, login as normal and navigate to /root/.ssh. there should be a key called “authorized_keys”. if not copy it by hand and do chmod 644 /root/.ssh/authorized_keys
The rest of the procedure is the same as above.
on Linux and other Unixes you can also install “putty”" and use the same procedure as above.
NOTE: Putty keys are not in openssh format (as used in Linux or Unixes command line) and you
will need to convert the private keys as follows:
1. run "puttygen"
2. Load your private key.
3. Click on "conversions" menu. navigate to export OpenSSHKey.
4. Save the newfile with a new name in the same place as your "[putty]" private key
(which ends in xxxx.ppk).
This way you can use the same key on any machine regardless if putty is there or not.
you can login with ssh command line using “-i” flag and give it the path to your private key.
For example:
ssh -i /media/KEYS/puttykeys/my-openssh-key root@wdmycloud
Finally make sure ssh enabled in your dashboard and port 22 is forwarded to your device in your
router.
Now you can log in remotely using putty or ssh (your host will be your WAN/internet address).
As a matter of fact, you can use any ssh application that supports keys. for example I am using an application called “Serverauditor” on my Ipad. It supports importing keys (or pasting or sharing from Itunes). Also, I am testing “rednif” app on ipad. It is a graphical ssh filemanager (Full GUI). It seems nice so far.
NOTE: You can also have a look on how to secure FTPas well if you are using it remotely.
That is it. Enjoy safer sshing.
