Synology NAS - More SSH Loveliness - Permissions and ACLs

Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user ( DaveHay ) via the Web UI, who was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa 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 davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory: -

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes, over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character ( + ) at the end of the permissions column that made me wonder.

As root I checked the permissions for the DaveHay user: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removed the special attributes ( I think these may be the ACLs that the NAS itself added when I created the new user ). I then validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the extended attributes for the user have gone, apart from on the parent directory ( /volume1/homes ), which is fine.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.
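The behaviour above comes down to the checks sshd performs while StrictModes is on ( its default ): it ignores authorized_keys if the user's home directory, the .ssh directory or the file itself is group- or world-writable, which is exactly what the drwxrwxrwx+ listings showed even after the .ssh directory was set to 700. The script below is an added example, not code from the post and not Synology's own tooling; it audits those three paths for the conditions sshd objects to, flags the trailing + that marks an ACL, and applies the same chmod remediation used above. The fixture it builds under mktemp, and the placeholder key line in it, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): audit the three paths that sshd's
# StrictModes inspects for a user, and apply the post's chmod remediation.

# Print the leading mode field of `ls -ld`: type + rwx triplets, plus an
# 11th character ('+') when the path carries an ACL, as seen on the Synology.
mode_of() {
    ls -ld "$1" | cut -c1-11
}

# Check one path. Echo a warning for each problem and return 1 if any found.
check_path() {
    cp_path=$1
    cp_mode=$(mode_of "$cp_path")
    cp_rc=0
    # character 6 is the group write bit, character 9 the world write bit
    case "$(printf '%s' "$cp_mode" | cut -c6)" in
        w) echo "WARN: $cp_path is group-writable ($cp_mode)"; cp_rc=1 ;;
    esac
    case "$(printf '%s' "$cp_mode" | cut -c9)" in
        w) echo "WARN: $cp_path is world-writable ($cp_mode)"; cp_rc=1 ;;
    esac
    # a trailing '+' means ACL entries exist beyond the plain mode bits
    case "$(printf '%s' "$cp_mode" | cut -c11)" in
        +) echo "WARN: $cp_path carries an ACL; inspect with ls -ale (Synology) or getfacl"; cp_rc=1 ;;
    esac
    return $cp_rc
}

# Audit home, ~/.ssh and ~/.ssh/authorized_keys. Returns 0 only when all are clean.
check_ssh_perms() {
    csp_home=$1
    csp_status=0
    for csp_p in "$csp_home" "$csp_home/.ssh" "$csp_home/.ssh/authorized_keys"; do
        if [ ! -e "$csp_p" ]; then
            echo "WARN: $csp_p does not exist"
            csp_status=1
            continue
        fi
        check_path "$csp_p" || csp_status=1
    done
    return $csp_status
}

# The post's remediation: 700 on the home and .ssh, 644 on authorized_keys.
fix_ssh_perms() {
    chmod 700 "$1" "$1/.ssh" && chmod 644 "$1/.ssh/authorized_keys"
}

# Demo on a constructed fixture that mimics the post's drwxrwxrwx state.
demo() {
    d_home=$(mktemp -d)
    mkdir "$d_home/.ssh"
    # constructed placeholder, not a real key
    printf 'ssh-rsa AAAA...placeholder... demo@example\n' > "$d_home/.ssh/authorized_keys"
    chmod 777 "$d_home" "$d_home/.ssh" "$d_home/.ssh/authorized_keys"

    echo "== before =="
    check_ssh_perms "$d_home" && d_before=0 || d_before=1
    fix_ssh_perms "$d_home"
    echo "== after =="
    check_ssh_perms "$d_home" && d_after=0 || d_after=1
    rm -rf "$d_home"
    # success means the audit failed before the fix and passed after it
    [ "$d_before" -eq 1 ] && [ "$d_after" -eq 0 ]
}

demo
```

One caveat on the ACL check: the post observed Synology's chmod clearing the + entries, but on a stock Linux box with POSIX ACLs a chmod only adjusts the ACL mask and leaves the entries in place, so there the audit will keep flagging the path until the entries are removed with `setfacl -b`.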

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






---------------------
http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017