Synology NAS - More SSH Loveliness - Permissions and ACLs
Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ) which was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa <public key removed> davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vvv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes, over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character ( + ) at the end of the permissions string that made me wonder.

As root I checked the permissions for the DaveHay user: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removes the special attributes ( I think these may be the ACLs added by the NAS itself when I created the new user ), and validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the extended attributes for the user have gone, apart from those on the parent directory ( /volume1/homes ), which is fine.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.
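What was being rejected here is the check that sshd runs with StrictModes ( the default ): it will not use authorized_keys if the home directory, ~/.ssh or the file itself is owned by someone other than the user or root, or is group- or world-writable, and in the listings above the home directory itself stayed drwxrwxrwx+ until the final chmod -R 700. The script below is an added example, not code from the post or from Synology, that reproduces those checks against a constructed copy of the layout shown above; it assumes GNU stat ( Linux, including DSM ).

```shell
#!/bin/sh
# Added example (not code from the post): reproduce the ownership and mode
# checks sshd makes with StrictModes (the default) before it will trust
# ~/.ssh/authorized_keys. Assumes GNU stat (Linux, including Synology DSM).

# writable_by_others PATH : succeed if the group or world write bit is set.
writable_by_others() {
    raw=$(stat -c '%f' "$1")           # st_mode as hex
    [ $(( 0x$raw & 0x12 )) -ne 0 ]     # 0x12 = group write (020) | other write (002)
}

# check_path PATH USER : print why sshd would reject PATH and fail, if it would.
check_path() {
    if [ ! -e "$1" ]; then echo "missing: $1"; return 1; fi
    owner=$(stat -c '%U' "$1")
    if [ "$owner" != "$2" ] && [ "$owner" != root ]; then
        echo "owned by $owner, not $2 or root: $1"; return 1
    fi
    if writable_by_others "$1"; then
        echo "group/world writable (mode $(stat -c '%a' "$1")): $1"; return 1
    fi
}

# sshd_perm_check HOME USER : succeed only if every path sshd inspects passes.
sshd_perm_check() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || rc=1
    done
    return $rc
}

# demo_from_post : rebuild the layout the post shows (constructed sample:
# home 777, .ssh 700, authorized_keys 644), then chmod the home to 700 as
# the post eventually did. Succeeds only if the check fails before and
# passes after.
demo_from_post() {
    me=$(id -un); home=$(mktemp -d)
    mkdir "$home/.ssh"
    echo "ssh-rsa AAAA...constructed... user@example" > "$home/.ssh/authorized_keys"
    chmod 777 "$home"; chmod 700 "$home/.ssh"; chmod 644 "$home/.ssh/authorized_keys"
    if sshd_perm_check "$home" "$me" >/dev/null; then rm -rf "$home"; return 1; fi
    chmod 700 "$home"
    if sshd_perm_check "$home" "$me"; then rc=0; else rc=1; fi
    rm -rf "$home"
    return $rc
}

demo_from_post && echo "check rejects a 777 home and accepts a 700 home"
```

Run it as the NAS user against the real home ( `sshd_perm_check "$HOME" "$(id -un)"` ) and any path it prints is the one sshd is silently refusing; `ssh -vvv` on the client only ever shows the key being offered and declined, as above.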

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017

