Synology NAS - More SSH Loveliness - Permissions and ACLs

Following on from my earlier posts: -

Synology NAS - From My Mac, Via SSH
Synology NAS - Broke SSH but Telnet saved me

I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ) which was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz6Nd1Zugpjbsaz0ceF8WK5ps7SExiV6bR3ITtufFd0jp+ZyIhGJY+iRMzqslGEGcrYHGWzZRUGwq+dT4rikm/3yI2usHUI7TE2pFXS0SVI0jdsSp76Yos7lTVdcRJVlVaXG6nCKPYY3zfLrgmNXwDArYUHkVotBuKeF19lXR5Uu5DvxWUCsXz1APuRaX6oylmmk9QgZGClqdn4rrPjzKguwSZpUIOFRIfIbJiEIKvfu1vrEF45QlAoxvx4BQ0Mqew7Dv9Nt/s5ByGs7w/YHwJiWDpbGx0KCMiaeuwLjuj8N/dxfh6DIllqKzEXRCniftU6hXDULKLLoQx8WZoU90kvRLob27SjcVDrdM6C1Q0yQ2OGY0/OjKl2QjFk99LmZbCvLA5hb46eQBJviM1l9BBlf6eBq0qQtADKGV2UfZb43Z32rYObyqPqQjnfYiAk1CdECtJUCCGPdXbviPfDOYKaXgseBCnLNpnAislcmvI0YsuKKTo3xz16PFvhyJel+5EEbIpZaRQTQNDPjpXqr2pzhP5vcKuh09Z/w7lFZ0oRP47SACryYgbQzTowDthJ135kW00AsGMMEP9Yz2HjqQLdZZv0NL0KZgGIxaFHXpshPuCOWK3MmYtEqoJtcSDr++JtLU+/59/b3N+BqZxYuFSoOEUMhiee3k7VMq1ZNT5/Q== davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vvv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes, over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character that made me wonder; +

As root I checked the permissions for the DaveHay user: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removes the special attributes ( I think these may be the ACLs added by the NAS itself when I created the new user ), and validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the extended attributes for the user have gone, apart from the parent directory ( /volume1/homes ) which is fine.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood
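
The silent fallback to a password prompt seen in this post is what OpenSSH's StrictModes check produces when the home directory, ~/.ssh or authorized_keys is writable by group or other, or is owned by someone other than the user or root. The script below is an added example, not part of the original post: it audits those three paths from their ls mode strings and flags the "+" ACL marker. It assumes sshd on the NAS runs with StrictModes at its default; the function names mode_flags and audit_ssh_paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three paths that
# OpenSSH's StrictModes check walks before it will read authorized_keys.

# mode_flags MODE: print findings for one `ls -l` mode string such as
# "drwxrwxrwx+"; return 1 if group or other has write permission.
mode_flags() {
    flags=""; rc=0
    # Characters 6 and 9 of the mode string are the group/other write bits.
    [ "$(printf '%s' "$1" | cut -c6)" = w ] && { flags="group-writable"; rc=1; }
    [ "$(printf '%s' "$1" | cut -c9)" = w ] && { flags="$flags world-writable"; rc=1; }
    # A trailing "+" is the ACL marker seen in the post's listings.
    case $1 in *+) flags="$flags acl" ;; esac
    echo $flags
    return $rc
}

# audit_ssh_paths HOME [UID]: each path must be owned by UID (default: the
# caller) or root, with no group/other write bit. Returns 1 on any finding.
audit_ssh_paths() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; bad=1; continue; fi
        info=$(ls -ldn "$p" | awk '{print $1, $3}')   # mode and numeric owner
        mode=${info% *}; owner=${info#* }
        if flags=$(mode_flags "$mode"); then verdict=ok; else verdict=REFUSED; fi
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            verdict=REFUSED; flags="$flags wrong-owner($owner)"
        fi
        [ "$verdict" = ok ] || bad=1
        echo "$verdict $mode $p $flags"
    done
    return $bad
}

# Constructed demo: rebuild the post's "before" and "after" modes in a temp dir.
demo=$(mktemp -d); mkdir "$demo/.ssh"; : > "$demo/.ssh/authorized_keys"
chmod 777 "$demo"; chmod 700 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_paths "$demo" || echo "-> sshd would ignore the key and fall back to password"
chmod -R 700 "$demo"
audit_ssh_paths "$demo" && echo "-> key is accepted as far as file modes go"
rm -rf "$demo"
```

On the NAS itself the equivalent call would be audit_ssh_paths /var/services/homes/DaveHay, run as that user.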






---------------------
http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017
Synology NAS - More SSH Loveliness - Permissions and ACLs
Thu, Jan 5th 2017 7:33p   Dave Hay