[HOWTO] - SSH & DSA Keys - Login NAS4Free - EMBEDDED

Post by ldkraemer » 09 Jul 2012 16:19

[HOWTO] - Use SSH with DSA Authorized Keys to Login to NAS4Free EMBEDDED
for 9.0.0.1 - Sandstorm (revision 141) EMBEDDED i386 Image on 2Gig Compact Flash


You can always ssh into your NAS4Free Server from your Laptop using your NAS4Free Server's password, or if you want to automatically
log in to the NAS4Free Server with no password, which is more Secure by using dsa keys, you can run the following on your Laptop:

Code:

ssh-keygen -t dsa

and type a password, or press enter. (If you use a password, make sure you remember it!) Two keys will be generated, Private & Public
for dsa which will be Version 2 keys, located at /home/loginuser/.ssh

Code:

~/.ssh/id_dsa
~/.ssh/id_dsa.pub

At this point it is assumed that your system is a fresh install and does not have an existing authorized_keys2 file.....
If you have an existing known_hosts file in your /home/login/.ssh folder you may want to copy it to a folder named "SAVE",
and ENABLE Password Authentication in the SSH setup. When you try to login, answer "yes" and a new known_hosts file
will be generated.

If you already have an authorized_keys file created you can use the following commands to add your key.

Code:

cat /home/loginbozo/.ssh/id_dsa.pub >> /home/loginbozo/.ssh/authorized_keys2
chmod 600 /home/loginbozo/.ssh/authorized_keys2

Copy your Private key from the Laptop to the NAS4Free SSH Setup Screen, and Paste the contents there.
(At this point in your testing, disable any Router Ports that are Open (FORWARDED), because you want to be the
only person setting up your NAS4Free System.) Also ENABLE the Root Login Directly, also located on the SSH
Setup Screen, so you can verify that the dsa key functions. IMMEDIATELY after everything is functional
go back, and UNCHECK the ENABLE for Root Login Directly...........You don't want this enabled long term.......

Now, you need to log in twice to locate the current working subdirectory, so you can place the dsa keys there
by a Postinit Script. The first login will be by root, and the second by the loginuser, using the password
you previously inserted in NAS4Free for the login user. I'm showing the SSH login by loginuser, and root will be similar.

My NAS4Free Server is on my Local Network as IP 192.168.1.250, with NO Router Ports Presently OPEN.........

Code:

larry@debian:~$ ssh loginbozo@192.168.1.250
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

Welcome to FreeNAS!

At this point you are connected to your server and the normal commands apply. What if you need to become root
to change something? Well how about becoming root!

Code:

$ su root
Password:

Now the secret of becoming root is this password isn't the loginuser password, but instead the WebGUI password for the WebGUI Interface.
(NOTE: - The command "exit" will get you out of the su command session, and another "exit" will terminate the ssh session.)

Code:

freenas:/mnt# pwd
/mnt
freenas:/mnt# ls -alt
total 10
drwxr-xr-x 4 root wheel 512 May 30 03:19 .
drwxr-xr-x 19 root wheel 512 May 30 03:19 ..
drwx--x--x 2 root wheel 512 May 30 03:19 .ssh
drwxrwxrwx 9 root wheel 1024 May 29 17:19 mysata
freenas:/mnt# cd .ssh
freenas:/mnt/.ssh# ls -alt
total 6
drwx--x--x 2 root wheel 512 May 30 03:19 .
drwxr-xr-x 4 root wheel 512 May 30 03:19 ..
-rw------- 1 loginbozo wheel 602 May 29 16:37 authorized_keys2
freenas:/mnt/.ssh#

Notice the current working subdirectory is /mnt, and on the initial setup there will be no .ssh subdirectory with
permissions of 711 and belongs to root:wheel. The authorized_keys2 file has permissions of 600, and belongs to loginbozo:wheel

For the login of root the current working subdirectory is /root, and on the initial setup there will be no .ssh subdirectory.
The same file permissions for root will work, but the loginuser must be root...ie...root:wheel

These two subdirectories will need to be modified in a Postinit Script I named keysetup.
The contents of keysetup are:

Code:

#!/bin/sh
#
# Script for FreeNAS Embedded 6412.img file to use ssh-keygen keys
# for secure logins with SSH
#
# Root Logon Script:
#               WARNING:..SYSTEM -> SERVICES -> SSH MUST HAVE LOGIN AS ROOT DIRECTLY CHECKED
#               WARNING:..THIS ISN'T SOMETHING YOU ALWAYS WANT ENABLED - TESTING OR LOCAL ONLY
#
USER="root"
KEYDIR="/mnt/mysata/apps/p910nd"
#----------------------------------------------
mkdir -p -m 711 /root/.ssh
cp -p $KEYDIR/authorized_keys2 /root/.ssh
chown $USER:wheel /root/.ssh/authorized_keys2
#
#
# User Logon Script:
# for 0.7.2 Sabanda (revision 6412) EMBEDDED i386 Image
# Hard drive located at /mnt/mysata
# with keysetup file located at /mnt/mysata/apps/p910nd/
#
USER="loginbozo"
KEYDIR="/mnt/mysata/apps/p910nd"
#----------------------------------------------
mkdir -p -m 711 /mnt/.ssh
cp -p $KEYDIR/authorized_keys2 /mnt/.ssh
chown $USER:wheel /mnt/.ssh/authorized_keys2

Code:

-rwxr-xr-x 1 root root 945 May 30 06:27 keysetup

And this script is set up in SYSTEM -> ADVANCED -> COMMAND SCRIPTS as:

Code:

/mnt/mysata/apps/p910nd/keysetup PostInit

At this point everything is set up except for copying the Public key to your storage subdirectory.
Mine for the moment is /mnt/mysata/apps/p910nd/.

I used the NFS feature to copy that file, but you may want to use scp, or have another method.
You will have to ENABLE NFS if you plan on using it. The scp commands would be something similar to this:

Code:

cd .ssh
scp id_dsa.pub loginbozo@192.168.1.250:/mnt/mysata
# or use authorized_keys2 if it already contains valid keys.............See Above........

Then on your NAS4Free Server move the id_dsa.pub to your storage subdirectory and rename it to authorized_keys2.

NFS COMMANDS:

Code:

sudo mount 192.168.1.250:/mnt/store /mnt/nas4free

and then I just went to /mnt/nas4free/ and copied the public dsa key to /mnt/store/apps/p910nd/
from /home/user/.ssh/ filename of id_dsa.pub. This file needs to be renamed as authorized_keys2
with permissions of 600 at /mnt/store/apps/p910nd/

Code:

-rw------- 1 root root 602 May 29 14:37 authorized_keys2

If your Distro won't mount the NFS Share, you can try installing nfs-common with Synaptic Package Manager.

I unmounted the NFS drive with:

Code:

sudo umount /mnt/nas4free

Last things to do on the SSH Setup Screen are DISABLE Password Authentication, and then REBOOT NAS4Free,
and test both logins using the dsa keys. You should be able to login correctly...............

Then go back and DISABLE Root Login Directly, after your testing is complete. Open your Router ports as required
for your system......Then keep your eyes on all the Log files.........

Hopefully this will save you HOURS, because I've spent many..................

REF:
http://www.openssh.org/faq.html#3.14
http://www.freenaskb.info/kb/?View=entry&EntryID=257

Thanks.


Larry
Updated 07-11-2012
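
Added example (not part of the original post and not NAS4Free code): a check that a PostInit script such as keysetup could run before copying the staged authorized_keys2 file, refusing a file that contains private-key material, malformed lines, or group/other access. The function names check_keyfile and install_keyfile and the simplified key-line pattern are assumptions of this example.

```sh
#!/bin/sh
# Added example: vet a staged authorized_keys2 before installing it.
# Simplified pattern for one authorized_keys line: [options] type base64 [comment]
KEY_RE='^([^#].* )?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$'

# check_keyfile FILE -> 0 if FILE holds only public keys and is private to
# its owner; otherwise reports the reason on stderr and returns non-zero.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Private keys written by ssh-keygen (PEM or OpenSSH format) carry this marker.
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "private key material in $f" >&2; return 2
    fi
    # Every line that is not blank or a comment must look like a public key.
    bad=$(grep -v -E '^[[:space:]]*(#.*)?$' "$f" | grep -c -v -E "$KEY_RE" || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) in $f" >&2; return 3; }
    grep -q -E "$KEY_RE" "$f" || { echo "no keys in $f" >&2; return 4; }
    # Works on FreeBSD and Linux: take the group/other bits from ls.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "group/other can access $f" >&2; return 5; }
    return 0
}

# install_keyfile SRC LOGIN_DIR [OWNER] -> copy SRC to LOGIN_DIR/.ssh only
# when check_keyfile accepts it (same mkdir/cp/chown steps as keysetup).
install_keyfile() {
    check_keyfile "$1" || return $?
    mkdir -p -m 711 "$2/.ssh" &&
    cp -p "$1" "$2/.ssh/authorized_keys2" &&
    chmod 600 "$2/.ssh/authorized_keys2" || return 6
    # chown needs root, so it runs only when an owner is given.
    if [ -n "${3:-}" ]; then chown "$3:wheel" "$2/.ssh/authorized_keys2"; fi
}

# Usage with the values from the post (run as root from the PostInit script):
#   install_keyfile /mnt/mysata/apps/p910nd/authorized_keys2 /mnt loginbozo
```

A private key pasted into the staged file by mistake makes install_keyfile return 2 and leaves the login directory untouched.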


Re: [HOWTO] - SSH & DSA Keys - Login NAS4Free - EMBEDDED

Post by fritz » 25 Feb 2013 13:38

Hi,
"Copy your Private key from the Laptop to the NAS4Free SSH Setup Screen, and Paste the contents there."
I tried to understand your HOW TO, but I am now a bit confused.
My understanding was that you need to create a private/public key on the client, and then install the public key on the server (NAS4Free).
If I understand your HOW TO correctly, you are requesting to copy the private key in the SSH Setup screen of the server. This sounds surprising to me.

Did I understand something wrong?

Thanks for your help,

fritz
O/S: NAS4Free 9.2.0.1 - Shigawire (revision 972) (Embedded 64bit), installed on 2GB USB flash drive
https://github.com/fritz-hh


Re: [HOWTO] - SSH & DSA Keys - Login NAS4Free - EMBEDDED

Post by fritz » 25 Feb 2013 14:39

Hi raulfg3,

My understanding is the following (confirmed by different web sites, e.g.: http://the.earth.li/~sgtatham/putty/0.5 ... pter8.html )
You generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
Here is another tutorial: (public key only is copied to the server)
http://www.garron.me/bits/ssh-key-keyge ... sword.html
http://www.cyberciti.biz/faq/ssh-passwo ... ntication/

I may be wrong... But as I need to configure it for remote replication, I need to understand it...

fritz

PS: If I am correct, I wonder what is the goal of the "Private Key" field in the web interface (SSH section)?
O/S: NAS4Free 9.2.0.1 - Shigawire (revision 972) (Embedded 64bit), installed on 2GB USB flash drive
https://github.com/fritz-hh


Re: [HOWTO] - SSH & DSA Keys - Login NAS4Free - EMBEDDED

Post by IK_Pegasi » 16 Nov 2017 12:38

fritz wrote:
25 Feb 2013 14:39
Hi raulfg3,

My understanding is the following (confirmed by different web sites, e.g.: http://the.earth.li/~sgtatham/putty/0.5 ... pter8.html )
You generate a key pair on your own computer, and you copy the public key to the server. Then, when the server asks you to prove who you are, PuTTY can generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
Here is another tutorial: (public key only is copied to the server)
http://www.garron.me/bits/ssh-key-keyge ... sword.html
http://www.cyberciti.biz/faq/ssh-passwo ... ntication/

I may be wrong... But as I need to configure it for remote replication, I need to understand it...

fritz

PS: If I am correct, I wonder what is the goal of the "Private Key" field in the web interface (SSH section)?

The usage of the private key in the WebGUI is to identify the server. Its public key pair should match the entry in your client's known_hosts file.
