Synology NAS - More SSH Loveliness - Permissions and ACLs

Following on from my earlier posts: -



I've gone a few steps further in my understanding.

I've now got to a point where I can access the NAS using a user other than root or admin.

Having created a new user via the Web UI ( DaveHay ) which was a member of the users and administrators groups, I went through the same steps as before: -

Client-side ( macOS )

Generate a public/private key

ssh-keygen -t rsa -b 4096 -f foobar -N passw0rd

Generating public/private rsa key pair.
Your identification has been saved in foobar.
Your public key has been saved in foobar.pub.
The key fingerprint is:
SHA256:w7rpoqt07lMZNhT9GVdCOpRKEunRq9+zGb6+YHl8kC4 davidhay@Davids-GhostRider-4.local
The key's randomart image is:
+---[RSA 4096]----+
|     o*  .oo..   |
|     = +.o...    |
|    o + +o+      |
|     = + oo      |
|    . = So       |
|     + .+..      |
| . .. oE.= .     |
|. o.. .+=o+      |
|..+=.o+ .B=      |
+----[SHA256]-----+


Copy the public key to the clipboard

pbcopy < foobar.pub 

Server-side ( Synology )

Logged in as admin

ssh admin@diskstation

admin@diskstation's password: 

Switched to the root user

admin@DiskStation:~$ sudo bash
Password: 

Switched to the DaveHay user

su - DaveHay

( NOTE the above steps are required because I deliberately didn't give the user a password, as I only ever want to authenticate via a public/private key )

Create .ssh subdirectory

mkdir ~/.ssh

Create authorised keys file in .ssh

vi ~/.ssh/authorized_keys

Add public key from clipboard

ssh-rsa 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 davidhay@Davids-GhostRider-4.local

Client-side ( macOS )

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

As before, I went back into the Synology, and updated the directory / file permissions for the newly created .ssh subdirectory.

Server-side ( Synology )

( As DaveHay, having logged on as admin and switched user via su - DaveHay )

Check current state

ls -al -R ~

.:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

./.ssh:
total 12
drwxrwxrwx+ 2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rwxrwxrwx+ 1 DaveHay users  762 Jan  5 18:40 authorized_keys

Set the .ssh subdirectory to 700

chmod 700 ~/.ssh


Set the authorized_keys file to 644 

chmod 644 ~/.ssh/authorized_keys



Check new state

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Attempt to connect using private key

ssh -i ~/foobar DaveHay@diskstation

which immediately prompted me for a password: -

DaveHay@diskstation's password: 

:-(

I added some debugging: -

ssh -v -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
DaveHay@diskstation's password: 


ssh -vv -i ~/foobar DaveHay@diskstation

which showed: -

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
DaveHay@diskstation's password: 

...

ssh -vv -i ~/foobar DaveHay@diskstation

debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: foobar
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

DaveHay@diskstation's password: 


Something I read online made me think about extended attributes, over and above the usual Unix permissions.

I re-visited the current state: -

ls -al -R ~

/var/services/homes/DaveHay:
total 20
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwxrwxrwx+ 1 DaveHay users  669 Jan  5 18:40 .viminfo

/var/services/homes/DaveHay/.ssh:
total 12
drwx------  2 DaveHay users 4096 Jan  5 18:40 .
drwxrwxrwx+ 3 DaveHay users 4096 Jan  5 18:40 ..
-rw-r--r--  1 DaveHay users  762 Jan  5 18:40 authorized_keys

Yes, it was the additional plus character ( + ) at the end of the mode string that made me wonder.

As root I checked the permissions for the DaveHay user: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------+ 3 DaveHay users 4096 Jan  5 18:40 .
 [0] user:DaveHay:allow:rwxpdDaARWcCo:fd-- (level: 0)
 [1] user:DaveHay:allow:rwxpdDaARWc--:fd-- (level: 1)
 [2] user::allow:rwxpdDaARWc--:fd-- (level: 1)
 [3] user::allow:rwxpdDaARWc--:fd-- (level: 1)

d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------+ 1 DaveHay users  669 Jan  5 18:40 .viminfo
 [0] user:DaveHay:allow:rwxpdDaARWcCo:---- (level: 1)
 [1] user:DaveHay:allow:rwxpdDaARWc--:---- (level: 2)
 [2] user::allow:rwxpdDaARWc--:---- (level: 2)
 [3] user::allow:rwxpdDaARWc--:---- (level: 2)


and used chmod to recursively set ALL the permissions on the DaveHay user's home directory: -

chmod -R 700 /volume1/homes/DaveHay/

which removes the special attributes ( I think these may be the ACLs added by the NAS itself when I created the new user ), and validated: -

ls -ale /volume1/homes/DaveHay/

total 20
drwx------  3 DaveHay users 4096 Jan  5 18:40 .
d--x--x--x+ 7 root    root  4096 Jan  5 18:32 ..
drwx------  2 DaveHay users 4096 Jan  5 18:40 .ssh
-rwx------  1 DaveHay users  669 Jan  5 18:40 .viminfo

In other words, the extended attributes for the user have gone, apart from the parent directory ( /volume1/homes ) which is fine.

I re-tested my SSH connection: -

ssh -i foobar DaveHay@diskstation

Enter passphrase for key 'foobar': 
DaveHay@DiskStation:~$ 


In other words, I'm only now being presented with a request for the passphrase for the private key, rather than the password for the DaveHay user.
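The whole procedure above boils down to one check that sshd's StrictModes enforces: the home directory, ~/.ssh and authorized_keys must not be writable by group or others, and on the Synology an inherited ACL (the trailing + in ls output) can grant exactly that even when the chmod looks right. The script below is an added example, not from the original post; it audits those three paths, reports any ACL-bearing entry for review, and applies the same chmod fix as the post. The /volume1/homes/DaveHay path in the usage comment is an assumption taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the permission state that
# sshd's StrictModes check rejects, for one user's home directory, and flag
# entries carrying an ACL (the trailing '+' in ls output) for review.
# The /volume1/homes/<user> path in the usage comment is an assumption.

# mode_of PATH -> the ls mode string, e.g. "drwxrwxrwx+"
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# has_acl PATH -> true when ls marks the entry with a trailing '+'
has_acl() {
    case "$(mode_of "$1")" in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# others_can_write PATH -> true when the group or other write bit is set.
# In "drwxrwxrwx" the group write bit is character 6, the other write bit character 9.
others_can_write() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_home HOME -> prints one finding per line; returns 0 when clean, 1 otherwise.
# sshd (StrictModes yes) refuses key auth if the home, ~/.ssh or authorized_keys
# is writable by group or others; an ACL can grant that even when chmod looks right,
# so an ACL on any of the three paths is reported as a finding to inspect.
audit_home() {
    h=$1
    rc=0
    for p in "$h" "$h/.ssh" "$h/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            rc=1
            continue
        fi
        if others_can_write "$p"; then
            echo "WRITABLE  $p $(mode_of "$p")"
            rc=1
        fi
        if has_acl "$p"; then
            echo "ACL       $p $(mode_of "$p")  (inspect with: ls -ale)"
            rc=1
        fi
    done
    return $rc
}

# tighten_home HOME -> the fix from the post: 700 on the home and ~/.ssh,
# 644 on authorized_keys (600 is stricter and is also accepted by sshd).
# On the Synology, chmod also drops the per-file ACL that ls showed as '+'.
tighten_home() {
    chmod 700 "$1" "$1/.ssh" && chmod 644 "$1/.ssh/authorized_keys"
}

# Usage on the NAS, as root or as the user (path assumed):
#   audit_home /volume1/homes/DaveHay || tighten_home /volume1/homes/DaveHay
```

Run the audit before touching anything: a WRITABLE or ACL line on any of the three paths is the same condition that produced the "Authentications that can continue: publickey,password" fallback in the ssh -v output above, and sshd's own log (with LogLevel VERBOSE) will say "Authentication refused: bad ownership or modes" for the same case.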

So, it was a long journey, but an enjoyable one :-)

As ever, #LifeIsGood






---------------------
http://portal2portal.blogspot.com/2017/01/synology-nas-more-ssh-loveliness.html
Jan 05, 2017