203 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
IBM DB2, Red Hat Enterprise Linux and the IBM Mainframe
Thu, Nov 16th 2017 47
Telnet, my Telnet - Or macOS High Sierra, what have you done ?
Tue, Nov 14th 2017 87
Vagrant and VMware - all the Vs together - or not
Tue, Nov 14th 2017 61
IBM Cloud Private - Tinkering with Vagrant
Mon, Nov 13th 2017 70
Cloud Foundry and Ruby on IBM Bluemix - Learning, learning, learning - keep those lessons learning
Thu, Nov 9th 2017 45
Hmmm, Segmentation Fault 11 with Cloud Foundry
Thu, Nov 9th 2017 39
Installing IBM DB2 on Linux using IBM Installation Manager - Fun and Games
Wed, Nov 8th 2017 33
Top 10
Telnet, my Telnet - Or macOS High Sierra, what have you done ?
Tue, Nov 14th 2017 87
IBM Cloud Private - Tinkering with Vagrant
Mon, Nov 13th 2017 70
Vagrant and VMware - all the Vs together - or not
Tue, Nov 14th 2017 61
Hmmm, macOS Sierra and XQuartz and X11
Thu, Oct 27th 2016 52
IBM DB2, Red Hat Enterprise Linux and the IBM Mainframe
Thu, Nov 16th 2017 47
Cloud Foundry and Ruby on IBM Bluemix - Learning, learning, learning - keep those lessons learning
Thu, Nov 9th 2017 45
Transport Layer Security (TLS) 1.2 and SoapUI
Fri, Jun 12th 2015 41
Hmmm, Segmentation Fault 11 with Cloud Foundry
Thu, Nov 9th 2017 39
Hmmmm, HTTP404 and SRVE0190E seen with IBM HTTP Server and WebSphere Application Server
Fri, Nov 14th 2014 35
IBM HTTP Server / IBM WebSphere Plugin - Using Transport Layer (TLS) 1.2
Tue, Nov 10th 2015 34


Synology NAS - More SSH Loveliness - Permissions and ACLs
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
   

Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ) which was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz6Nd1Zugpjbsaz0ceF8WK5ps7SExiV6bR3ITtufFd0jp+ZyIhGJY+iRMzqslGEGcrYHGWzZRUGwq+dT4rikm/3yI2usHUI7TE2pFXS0SVI0jdsSp76Yos7lTVdcRJVlVaXG6nCKPYY3zfLrgmNXwDArYUHkVotBuKeF19lXR5Uu5DvxWUCsXz1APuRaX6oylmmk9QgZGClqdn4rrPjzKguwSZpUIOFRIfIbJiEIKvfu1vrEF45QlAoxvx4BQ0Mqew7Dv9Nt/s5ByGs7w/YHwJiWDpbGx0KCMiaeuwLjuj8N/dxfh6DIllqKzEXRCniftU6hXDULKLLoQx8WZoU90kvRLob27SjcVDrdM6C1Q0yQ2OGY0/OjKl2QjFk99LmZbCvLA5hb46eQBJviM1l9BBlf6eBq0qQtADKGV2UfZb43Z32rYObyqPqQjnfYiAk1CdECtJUCCGPdXbviPfDOYKaXgseBCnLNpnAislcmvI0YsuKKTo3xz16PFvhyJel+5EEbIpZaRQTQNDPjpXqr2pzhP5vcKuh09Z/w7lFZ0oRP47SACryYgbQzTowDthJ135kW00AsGMMEP9Yz2HjqQLdZZv0NL0KZgGIxaFHXpshPuCOWK3MmYtEqoJtcSDr++JtLU+/59/b3N+BqZxYuFSoOEUMhiee3k7VMq1ZNT5/Q== davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes, over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx
+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx
+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character that made me wonder; +

As root I checked the permissions for the DaveHay user: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removes the special attributes ( I think these may be the ACLs added by the NAS itself when I created the new user ), and validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the extended attributes for the user have gone, apart from the parent directory ( /volume1/homes ) which is fine.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






---------------------
http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017
7 hits



Recent Blog Posts
47
IBM DB2, Red Hat Enterprise Linux and the IBM Mainframe
Thu, Nov 16th 2017 5:54p   Dave Hay
I'm running through the process to deploy IBM Business Process Manager (BPM) 8.6 onto an IBM mainframe ….This is something that I've done a number of times before, since I first joined the (then) IBM Software Services for WebSphere team in late 2012.In essence, although the underlying hardware is the IBM z platform ( also known as LinuxOne in this guise ), I'm installing BPM etc. onto Red Hat Enterprise Linux (RHEL) and Linux is …. Linux.So the approach to install BPM, and it's dependenc
87
Telnet, my Telnet - Or macOS High Sierra, what have you done ?
Tue, Nov 14th 2017 2:04p   Dave Hay
This harks back to a VERY old post: -Testing Times with Telnetwhich was penned back in 2010.Since I've upgraded to macOS High Sierra, I've lost the FTP and Telnet clients.Ordinarily that wouldn't be a problem but ….Telnet is often useful for testing ports e.g. telnet localhost 9443.Thankfully, we have a solution …. Netcat.Q: Checking TCP/UDP ports!nc -vnzu 127.0.0.1 9080found 0 associationsfound 1 connections: 1: flags=82 outif (null) src 127.0.0.1 port 59595 dst 127.0.0.1 port 9080 r
61
Vagrant and VMware - all the Vs together - or not
Tue, Nov 14th 2017 12:49p   Dave Hay
Further to my last: -IBM Cloud Private - Tinkering with VagrantI'm now looking at the options to use VMware Workstation ( this is on Linux, rather than my default home of macOS ) instead of VirtualBox.Following this: -https://www.vagrantup.com/docs/vmware/installation.htmlI've installed the appropriate plugin: -vagrant plugin install vagrant-vmware-workstationInstalling the 'vagrant-vmware-workstation' plugin. This can take a few minutes...Fetching: vagrant-share-1.1.9.gem (100%)Fetching: va
70
IBM Cloud Private - Tinkering with Vagrant
Mon, Nov 13th 2017 3:11p   Dave Hay
So I've been on a slow boat to IBM Cloud Private, over the past few weeks, and am continuing to self-enable in my "spare" time ( my formal enablement starts next week ). Looking at this: -Source: IBM Cloud Private 2.1.0 - Architectureit was clear that I really needed a few boxes onto which to actually install ICP.Whilst it is possible to run everything on one box ( as per this IBM Cloud Private - My first foray ), I thought that I really should do things properly.So, starting with Beast, whic
45
Cloud Foundry and Ruby on IBM Bluemix - Learning, learning, learning - keep those lessons learning
Thu, Nov 9th 2017 7:06p   Dave Hay
Following a previous post: -Hmmm, Segmentation Fault 11 with Cloud FoundryI'm running through this: -LFS132x Introduction to Cloud Foundry and Cloud Native Software Architectureand was hitting an issue with the version of Ruby specified within some of the lesson material.This is what I saw: -cf pushUsing manifest file /Users/davidhay/Downloads/LFS132x/Scaling/web_app/manifest.ymlCreating app web-app in org david_hay@uk.ibm.com / space david_hay as david_hay@uk.ibm.com...OKCreating route web-app
39
Hmmm, Segmentation Fault 11 with Cloud Foundry
Thu, Nov 9th 2017 5:15p   Dave Hay
Whilst following this online course: -LFS132x Introduction to Cloud Foundry and Cloud Native Software ArchitectureI was tinkering ( man, I love that word ) with Cloud Foundry ( CF ).Now it's been a while and I've been through a macOS upgrade from Sierra to High Sierra ( wonder if there's a clue there ? ).So this time around, I'm seeing "Segmentation Fault: 11" : -cf versionSegmentation fault: 11cf loginSegmentation fault: 11which cf/usr/local/bin/cfls -al `which cf`-rwxr-xr-x 1 root whee
33
Installing IBM DB2 on Linux using IBM Installation Manager - Fun and Games
Wed, Nov 8th 2017 3:49p   Dave Hay
I've installed DB2 a million (!) times over the past 17 years, since I joined what was then IBM Software Group.However, I've almost always installed it using the DB2 installation binaries and response files.For a long time now, it's been packaged with IBM BPM, and other products, and thus suitable to be installed using IBM Installation Manager (IIM).So now I'm trying that ….One thing of which to be aware; DB2 is typically only ever installed as root, which means ( to me, at least ) that BP
30
Hmmm, why can't root uninstall IBM DB2 ?
Wed, Nov 8th 2017 1:00p   Dave Hay
I'm cleaning up a VM, and looking to remove DB2 11.1: -/opt/ibm/db2/V10.5/install/db2_deinstall -aDBI1149E To execute this program, you must be the owner of the installation copy.Explanation: The current DB2 copy was not installed by the user who is running theprogram.User response: Log in as the user who installed the current copy of DB2 and rerun thecommand.Given that I'm doing this as root, I'm wondering "Whaaaaat?"So I dug further …/opt/ibm/db2/V10.5/install/db2lsInstall Path
13
Using curl to drive a SOAP-based web service
Mon, Nov 6th 2017 8:40p   Dave Hay
As part of some tinkering (!) with IBM BPM 8.6, specifically to test a SOAP-based Web Service, as exposed ( exported ) by a SCA module, I wanted to quickly test the service without needing to start/use SoapUI each and every time.Thankfully, there's a curl for that …I'd checked the SCA Module to check the Endpoint Address of the SCA module: -and then hit the ?wsdl action to pull back the WSDL itself: -https://bpmdb.uk.ibm.com:9443/CanaryWeb/sca/callTheCanary?wsdlThis auto-expands to this URL:
7
Amazon Web Services and a Salutary Learning Experience
Fri, Nov 3rd 2017 8:44a   Dave Hay
I received a small but costly reminder that little in life is free this AM.Whilst indulging in my usual bout of cross-trainer ( #GymOClock ), I checked my emails and saw one purportedly from Amazon Web Services (AWS), suggesting that I owed them $56.31.Being a cautious type, I did NOT click on the links in the email, but instead logged into my AWS dashboard: -https://console.aws.amazon.com/ec2and navigated across to the Billing Dashboard: -https://console.aws.amazon.com/billing/homeLo and behold




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition