Synology NAS - More SSH Loveliness - Permissions and ACLs

Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ) which was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key pair ( a passphrase given with -N lands in the shell history; leave -N off to be prompted for it instead )

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCz6Nd1Zugpjbsaz0ceF8WK5ps7SExiV6bR3ITtufFd0jp+ZyIhGJY+iRMzqslGEGcrYHGWzZRUGwq+dT4rikm/3yI2usHUI7TE2pFXS0SVI0jdsSp76Yos7lTVdcRJVlVaXG6nCKPYY3zfLrgmNXwDArYUHkVotBuKeF19lXR5Uu5DvxWUCsXz1APuRaX6oylmmk9QgZGClqdn4rrPjzKguwSZpUIOFRIfIbJiEIKvfu1vrEF45QlAoxvx4BQ0Mqew7Dv9Nt/s5ByGs7w/YHwJiWDpbGx0KCMiaeuwLjuj8N/dxfh6DIllqKzEXRCniftU6hXDULKLLoQx8WZoU90kvRLob27SjcVDrdM6C1Q0yQ2OGY0/OjKl2QjFk99LmZbCvLA5hb46eQBJviM1l9BBlf6eBq0qQtADKGV2UfZb43Z32rYObyqPqQjnfYiAk1CdECtJUCCGPdXbviPfDOYKaXgseBCnLNpnAislcmvI0YsuKKTo3xz16PFvhyJel+5EEbIpZaRQTQNDPjpXqr2pzhP5vcKuh09Z/w7lFZ0oRP47SACryYgbQzTowDthJ135kW00AsGMMEP9Yz2HjqQLdZZv0NL0KZgGIxaFHXpshPuCOWK3MmYtEqoJtcSDr++JtLU+/59/b3N+BqZxYuFSoOEUMhiee3k7VMq1ZNT5/Q== davidhay@Davids-GhostRider-4.local
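The server-side steps above ( create .ssh, paste the key into authorized_keys, then fix the modes ) done as one idempotent function. This is an added example, not code from the original post; it assumes a POSIX sh with grep -E and awk, takes the home directory and the public key line as arguments, and never touches the real ~/.ssh. It sets .ssh to 700 and authorized_keys to 600 ( sshd also accepts the 644 used above, since it only insists that the file is not group- or world-writable ). The sample key at the bottom is constructed for the demo and is not a real key.

```sh
#!/bin/sh
# install_authorized_key HOME_DIR 'ssh-rsa AAAA... comment'
#
# Added example, not from the original post: the mkdir / vi / chmod steps
# as one idempotent function, with the modes sshd's StrictModes check
# expects ( .ssh 700, authorized_keys 600 ). Assumes POSIX sh, grep -E,
# awk, mkdir and chmod; paths and the key are passed in.
install_authorized_key() {
    home=$1
    key=$2
    # Accept only a well-formed OpenSSH public key line: type, base64 blob, optional comment.
    if ! printf '%s\n' "$key" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "refusing to install: not an OpenSSH public key line" >&2
        return 2
    fi
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    [ -f "$ak" ] || : > "$ak"
    # Match on the key blob, so a changed comment does not create a duplicate entry.
    blob=$(printf '%s' "$key" | awk '{print $2}')
    if grep -qF -- "$blob" "$ak"; then
        echo "already present in $ak"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "added to $ak"
    fi
    chmod 600 "$ak"
}

# Number of authorized_keys lines carrying the blob of KEY ( stays 1 however
# many times install_authorized_key is run with the same key ).
count_key() {
    grep -cF -- "$(printf '%s' "$2" | awk '{print $2}')" "$1/.ssh/authorized_keys"
}

# Constructed sample key for demonstration only; the blob is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey00000000000000 DaveHay@example'
# Usage on the NAS ( as the target user or root ):
#   install_authorized_key /var/services/homes/DaveHay "$(cat /tmp/foobar.pub)"
```

Run it twice with the same key and the file still holds a single line for that key; pass it something that is not a key line and it refuses with exit status 2 rather than writing junk into authorized_keys.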

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vvv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes ( ACLs ), over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was that trailing plus character that made me wonder: ls appends a + to the mode string when the entry carries an access control list over and above the mode bits.

As root, I checked the ACL entries on the DaveHay user's home, using the -e option of Synology's ls: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removes the ACL entries ( these look like the ACLs DSM attaches to a home directory when a user is created through the Web UI ) and makes the home directory itself report a plain drwx------ in every listing, where ~ had been showing drwxrwxrwx+. Note that -R 700 also sets the execute bit on every regular file under the home, authorized_keys included; sshd accepts that, since all it insists on is that the file is not group- or world-writable. I then validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the ACL entries for the user have gone, apart from the parent directory ( /volume1/homes ), which is fine. That matters because sshd's StrictModes check ( on by default ) walks from authorized_keys up to, and including, the user's home directory and refuses the file if any of those is not owned by the user ( or root ) or is group- or world-writable. A home directory reporting drwxrwxrwx+ fails that test even when .ssh is 700 and authorized_keys is 644, which is why the earlier chmods alone did not help. The client-side -v output only ever shows the key being declined; the reason is logged on the server by sshd as "Authentication refused: bad ownership or modes for directory ...", so that log is the place to look before touching permissions.
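The StrictModes check described above, re-implemented in shell so it can be run on the NAS against a home directory before trying ssh again. This is an added example, not code from the original post or from OpenSSH; it assumes POSIX ls -ldn output ( mode string first, numeric owner uid third ) and decides purely on the mode bits, reporting a trailing + ( an ACL ) as a note because, as seen above, the ACL is what was putting the w bits there. The expected owner defaults to the current uid and can be passed explicitly.

```sh
#!/bin/sh
# sshd_strictmodes_check HOME_DIR [UID]
#
# Added example, not from the original post: emulates the ownership and
# mode checks sshd applies under StrictModes ( default yes ) to the home
# directory, ~/.ssh and ~/.ssh/authorized_keys before trusting the file.
# Each path must exist, be owned by UID ( or root ) and must not be group-
# or world-writable. Assumes POSIX ls -ldn; exit status 0 means sshd
# would accept the file, 1 means it would refuse it.
sshd_strictmodes_check() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        set -- $(ls -ldn "$p")           # $1 = mode string, $3 = numeric owner uid
        mode=$1
        owner=$3
        gw=$(printf '%s' "$mode" | cut -c6)    # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)    # other ( world ) write bit
        acl=$(printf '%s' "$mode" | cut -c11)  # '+' when an ACL is attached
        bad=""
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then bad="$bad owner=$owner"; fi
        if [ "$gw" = "w" ]; then bad="$bad group-writable"; fi
        if [ "$ow" = "w" ]; then bad="$bad world-writable"; fi
        if [ -n "$bad" ]; then
            echo "REFUSED   $p ($mode):$bad"
            rc=1
        else
            echo "OK        $p ($mode)"
        fi
        if [ "$acl" = "+" ]; then
            echo "          note: $p carries an ACL ('+'); the mode bits shown may come from it"
        fi
    done
    return $rc
}
# Usage on the NAS:  sshd_strictmodes_check /var/services/homes/DaveHay "$(id -u DaveHay)"
```

Against the listing earlier in this post it reports the home directory as REFUSED ( world-writable ) while .ssh and authorized_keys pass, which is exactly the combination that kept sshd asking for a password.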

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, the only prompt I now get is for the passphrase of the private key, which comes from the ssh client on the Mac decrypting foobar, rather than for the password of the DaveHay user on the NAS ( who has none ).

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017