Synology NAS - More SSH Loveliness - Permissions and ACLs
Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ), a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key pair ( note that passing the passphrase via -N leaves it in your shell history; omit -N to be prompted for it interactively instead )

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz6Nd1Zugpjbsaz0ceF8WK5ps7SExiV6bR3ITtufFd0jp+ZyIhGJY+iRMzqslGEGcrYHGWzZRUGwq+dT4rikm/3yI2usHUI7TE2pFXS0SVI0jdsSp76Yos7lTVdcRJVlVaXG6nCKPYY3zfLrgmNXwDArYUHkVotBuKeF19lXR5Uu5DvxWUCsXz1APuRaX6oylmmk9QgZGClqdn4rrPjzKguwSZpUIOFRIfIbJiEIKvfu1vrEF45QlAoxvx4BQ0Mqew7Dv9Nt/s5ByGs7w/YHwJiWDpbGx0KCMiaeuwLjuj8N/dxfh6DIllqKzEXRCniftU6hXDULKLLoQx8WZoU90kvRLob27SjcVDrdM6C1Q0yQ2OGY0/OjKl2QjFk99LmZbCvLA5hb46eQBJviM1l9BBlf6eBq0qQtADKGV2UfZb43Z32rYObyqPqQjnfYiAk1CdECtJUCCGPdXbviPfDOYKaXgseBCnLNpnAislcmvI0YsuKKTo3xz16PFvhyJel+5EEbIpZaRQTQNDPjpXqr2pzhP5vcKuh09Z/w7lFZ0oRP47SACryYgbQzTowDthJ135kW00AsGMMEP9Yz2HjqQLdZZv0NL0KZgGIxaFHXpshPuCOWK3MmYtEqoJtcSDr++JtLU+/59/b3N+BqZxYuFSoOEUMhiee3k7VMq1ZNT5/Q== davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


The client-side trace only shows that the server declined the key after it was offered; the reason is logged on the server side ( when one of its permission checks fails, sshd logs "Authentication refused: bad ownership or modes for directory ..." ). Something I read online made me think about ACLs, over and above the usual Unix permission bits.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character ( + ), which ls appends when a file or directory carries an ACL on top of its mode bits, that made me wonder.

As root I checked the permissions, including the ACL entries, for the DaveHay user's home directory ( /volume1/homes is the target of the /var/services/homes symlink on DSM ): -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which, as the listing below shows, also stripped the ACL entries the NAS had attached when it created the user ( the + suffix is gone ). Just as importantly, it reset the mode bits of the home directory itself from 777 to 700: sshd's StrictModes check, which is on by default, ignores authorized_keys ( logging the refusal only on the server ) if the home directory, ~/.ssh or the file itself is group- or world-writable, which is why tightening only ~/.ssh earlier made no difference. I then validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the ACL entries on the user's home directory have gone, apart from the parent directory ( /volume1/homes ), which sshd's check does not walk up to and which is fine to leave alone.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.
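As an added example ( my own code, not from the original post ), here is a small POSIX shell script that reproduces the checks sshd applies under StrictModes before it will read authorized_keys: the home directory, ~/.ssh and authorized_keys must each exist, be owned by the user or root, and not be group- or world-writable. It also flags the + ACL marker so that listings like the ones above are easier to read. It assumes only ls, awk, cut and id; the /var/services/homes/DaveHay path in the usage comment is the home directory from this post, and the script is meant to be run as root on the NAS.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the StrictModes
# checks sshd performs on the path to ~/.ssh/authorized_keys.
# Assumes a POSIX sh with ls, awk, cut and id (DSM's busybox has them).

# First field of "ls -ldn": ten-character mode string, plus "+" when an ACL is present.
mode_of() { ls -ldn "$1" | awk '{print $1}'; }

# Third field of "ls -ldn": numeric owner uid.
uid_of()  { ls -ldn "$1" | awk '{print $3}'; }

# check_path PATH UID
# Returns 1 if PATH is missing, owned by someone other than UID or root,
# or group-/world-writable (the conditions sshd rejects). An ACL marker
# is reported but does not fail the check, because the mode bits are what
# sshd looks at; inspect the ACL itself with "ls -ale" on DSM.
check_path() {
    path=$1; want=$2; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    m=$(mode_of "$path")
    o=$(uid_of "$path")
    if [ "$o" != "$want" ] && [ "$o" != 0 ]; then
        echo "OWNER    $path is owned by uid $o, expected $want (or root)"
        rc=1
    fi
    gw=$(printf '%s' "$m" | cut -c6)   # group write bit
    ow=$(printf '%s' "$m" | cut -c9)   # other write bit
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "WRITABLE $path ($m) is group- or world-writable"
        rc=1
    fi
    case $m in
        *+) echo "ACL      $path ($m) carries an ACL; check it with ls -ale" ;;
    esac
    return $rc
}

# check_home UID HOMEDIR
# Walks the three components sshd inspects, from the home directory down.
check_home() {
    want=$1; home=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$want" || rc=1
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK       $home passes the StrictModes checks"
    fi
    return $rc
}

# Usage on the NAS, as root (home path taken from this post):
#   check_home "$(id -u DaveHay)" /var/services/homes/DaveHay
```

Run against the first listing above it would report the home directory as WRITABLE ( drwxrwxrwx+ ), which is exactly the condition that made sshd fall through to password authentication even after ~/.ssh had been set to 700.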

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






---------------------
http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017