SSH connection to my WD My Cloud EX2 not as expected


#1

Hello,

I'm not a pro Linux user, I just want to understand a few things regarding SSH on my EX2.

  1. SSH user as per single possible config from the Dashboard is "sshd".

   I can live with this.

   When I log in with ssh I give it the user "sshd" and then the password and I log in.

   Now I am logged in with root not "sshd". (used id -u -n to get the current user).

   Why is this? I give the "sshd" user and I get logged in with "root"?

  2. I looked in the ssh config file and I can see that the only allowed users over SSH are "root" and "sshd".

    Problem: as I never changed the root password I assume it has the default one.

    I wonder if I enable SSH access from the web to my EX2 how long will it take for someone that knows the default password for root to break into my EX2.

    So is it ok if I change the password for "root", or if I edit the SSH setting to remove "root" from the allowed users? (from a warranty point of view).

Thank you!


#2

  1. SSH user as per single possible config from the Dashboard is "sshd".

   I can live with this.

   When I log in with ssh I give it the user "sshd" and then the password and I log in.

   Now I am logged in with root not "sshd". (used id -u -n to get the current user).

   Why is this? I give the "sshd" user and I get logged in with "root"?


Don't worry about this - you are effectively logged in as root - that is the highest level of security you can log in as. The sshd is just an alias to root - but you cannot log in as root user - just as a security precaution.

 

  2. I looked in the ssh config file and I can see that the only allowed users over SSH are "root" and "sshd".

    Problem: as I never changed the root password I assume it has the default one.

    I wonder if I enable SSH access from the web to my EX2 how long will it take for someone that knows the default password for root to break into my EX2.

    So is it ok if I change the password for "root", or if I edit the SSH setting to remove "root" from the allowed users? (from a warranty point of view).

 

You are required to set the password for sshd when you turn the SSH to ON from the dashboard and click the Configure link right next to the On/Off button. As far as I know, there isn't a default password for sshd - you MUST set one yourself at the time of turning SSH access on. So changing the password for SSH is not going to void your warranty - rather you are required to set a password for SSH access...for your own security.

Not sure what you mean by "enable SSH access from web" - SSH is on port 22 and web access is usually port 80...so that is not possible. If you meant enabling SSH access from the Internet, well, there is no automatic/simple/easy way to enable SSH access from the Internet - you will have to set up port forwarding on port 22. But if you do set up port forwarding on port 22, you are opening your system up to a potential security breach...BUT even then unless you set a very short, simple password (a very foolish thing to do), no one can easily breach it by brute force. My advice - don't plan on doing SSH access from outside your network (and therefore don't set up port forwarding on port 22)...unless you are planning on doing SFTP access from outside using the sshd user.


#3

I need ssh in order to create and use a git server on my EX2.

Git is an accepted app on my EX2. I installed it but there is no config panel for it so I have to do this manually.
Which is actually sad, but I have to deal with it.

I already did some tests on an Ubuntu virtual machine on how to create a git server/repo and how to allow user access over ssh with public keys.

Now I would like to know if someone has tried this on EX2.
How to do it without voiding warranty and also, how to make it secure?


#4

So the key issue (pun intended) here is about non-root access of EX2 via SSH by keys. Unfortunately, there is no easy way to do that. If you are good with shell scripting, there is a way to do that by modifying and compiling your own firmware using WD's GPL source code (even then it is quite tricky unless you can figure out just how)...but there is NO way of doing so without voiding your warranty. Otherwise, you'll always be restricted to the locked-down sshd_config. And if you succeed, it'll only be as secure as the strength of the weakest password of all users are...even if they aren't going to be using passwords but SSH keys to login, you'd still be assigning a password to them during those user account creations.

If you are able to successfully create a custom firmware enabling SSH access for non-root users, you will also need to preserve the users' keys because all home directories are wiped during a reboot. The simplest way to do that is to back up the users' authorized_keys in a persistent location (like /usr/local/config). Better yet, back up users' home directories because you will need to preserve the permissions of the home directories, the .ssh directory and the authorized_keys file. But that is only after you get the main piece working - SSH login with keys using your custom firmware.


#5

For git, you can use WebDAV instead – the regular http run on port 8080 and https WebDAV runs on 4443.

Apparently there is no practical way to have regular users logged in via SSH – the sshd_config file gets overwritten every time it reboots. You can set up the home directories via the master copy of the passwd file in /usr/local/config but I can't find an equivalent of it for sshd_config.


#6

I have been allowing a non-root, non-sshd account login into the sftp server running on my EX2 since March, a week after the product was launched and me buying it. There is a practical way but maybe not an easy way to have regular users login via SSH...since that way involves custom compiling the firmware.

BTW, the reason you do not find any sshd_config in that config backup directory (/usr/local/config) is because the program /usr/sbin/ssh_daemon creates the sshd_config on the fly at boot time and then starts sshd.


#7

Custom compiling a firmware is not a "practical" way IMO.

Since you said that sshd_config is generated on-the-fly, another possibility is to have a startup script somewhere (I'm not sure where exactly yet) that edits that file and amends it to allow additional users (and restart sshd afterwards).

But for now I'm pretty content with using WebDAV for git. I'm using this drive as an upgrade to WD MyBook Live (the single-drive green model) and our biggest use case for SSH for that drive was for git.

Thanks.


#8

adibs wrote:

 

Since you said that sshd_config is generated on-the-fly, another possibility is to have a startup script somewhere (I'm not sure where exactly yet) that edits that file and amends it to allow additional users (and restart sshd afterwards).

 

You are on the right track for the sshd issue. That startup script is located in /usr/local/modules/script/system_init (btw, that script directory is where all the other shell scripts are kept too, some of which you might want to look at if you were curious about the workings of the EX2). But system_init script is the best starting point to discover a lot. However, the issue you'll discover is that you cannot still edit the file - because once sshd starts the sshd_config is already written by that program. Moreover, this startup script is read-only...the ONLY way to deal with these twin issues is to figure out how to stop the sshd and then restart sshd and then this change can be put in that startup script only by editing the script and then custom-compiling the firmware with that edited script.

And custom-compiling the firmware is not that difficult.


#9

Or otherwise modify one of the startup scripts in 

/mnt/HD/HD_a2/Nas_Prog/*/start.sh

In order to modify sshd_config on startup

Since the primary use case for ssh login is for git, I suppose its startup script is the best candidate to use to modify the ssh configuration file.

In conclusion - to allow normal user login, modify file

/mnt/HD/HD_a2/Nas_Prog/git/start.sh

 and add these two lines at the bottom

sed -i -r 's/(AllowUsers .*)/\1 alice bob/' /etc/ssh/sshd_config
kill -HUP `cat /var/run/sshd.pid`

Be sure to replace "alice" and "bob" with actual user names that are already present. Separate each name with a space.

No firmware modification necessary.
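
A more defensive form of the two lines above, as an added example that is not part of the original post: it adds only accounts that have a passwd entry, changes nothing when they are already listed, and checks the edited file with `sshd -t` before sending HUP. The function names, the `--apply` argument and the `/usr/sbin/sshd` path are assumptions; the config and pid paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the paths quoted in the
# thread; SSHD_BIN is an assumption (OpenSSH sshd at its usual location).
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# allow_users USER...: add each USER to the first AllowUsers line, skipping
# names that are malformed, have no passwd entry, or are already listed.
# Returns 1 when the file has no AllowUsers line to extend.
allow_users() {
    current=$(sed -n 's/^AllowUsers[[:space:]]\{1,\}//p' "$SSHD_CONFIG" | head -n 1)
    [ -n "$current" ] || return 1
    new="$current"
    for u in "$@"; do
        case "$u" in ''|*[!A-Za-z0-9_.-]*) continue ;; esac
        awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$PASSWD_FILE" || continue
        case " $new " in *" $u "*) continue ;; esac
        new="$new $u"
    done
    [ "$new" = "$current" ] && return 0
    # Write a temporary copy and rename it, so a failed edit never leaves a
    # truncated sshd_config behind.
    tmp="$SSHD_CONFIG.tmp.$$"
    awk -v line="AllowUsers $new" '
        !seen && /^AllowUsers[ \t]/ { print line; seen = 1; next }
        { print }' "$SSHD_CONFIG" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$SSHD_CONFIG"
}

# reload_sshd: signal the daemon only if the edited file still parses.
reload_sshd() {
    "$SSHD_BIN" -t -f "$SSHD_CONFIG" || return 1
    kill -HUP "$(cat /var/run/sshd.pid)"
}

# Hypothetical invocation from start.sh: sh allow_users.sh --apply alice bob
if [ "${1:-}" = "--apply" ]; then
    shift
    allow_users "$@" && reload_sshd
fi
```

Because the device regenerates sshd_config at boot, the edit has to be reapplied on every start, which is why it needs to be safe to run repeatedly.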


#10

adibs wrote:

 

In conclusion - to allow normal user login, modify file

 

/mnt/HD/HD_a2/Nas_Prog/git/start.sh

 and add these two lines at the bottom

 

sed -i -r 's/(AllowUsers .*)/\1 alice bob/' /etc/ssh/sshd_config
kill -HUP `cat /var/run/sshd.pid`

Be sure to replace "alice" and "bob" with actual user names that are already present. Separate each name with a space.

 

No firmware modification necessary.

 

Have you tested this and it worked? BTW, I don't see any line to start up the sshd after you kill it?


#11

Worked. The -HUP flag restarts it.