Help for setting SSH server menu

The NAS runs an SSH server (Dropbear 2014.63) that can be accessed with an SSH client (programs like PuTTY and WinSCP).
 

The standard port used by this server is 22 but you can change it.

 

Caution: Do not use ports that are already in use or will be used by other services, such as:
21, 22, 139, 443, 445, 80, 2121, 3689, 8000, 8022, 8001, 8002, 8080, 9000, 9100, 9091 and 49152, but there are more.
The SSH server will not be able to start if its port is used by another service.


If you have little knowledge of SSH (Secure Shell), you will find more information at http://www.eng.cam.ac.uk/help/jpmg/ssh/ssh-detail.html

 

I. SSH server access of the NAS

You can choose two modes of identification with the SSH server of the NAS:

·         SSH access by password

·         SSH access with RSA key

 

The first mode is the default mode. Because it is less secure, it must be used only on the LAN, and port 22 should not be forwarded in the router table of the Internet box (ISP box). This mode is sufficient for the administrator's standard actions.

 

The second mode is used if you access the NAS remotely or perform advanced actions (tunneling, rsync for backup, etc.) where an exchange of keys is required or preferable.

 

Note: SSH access to the NAS is only possible with 'root' login.

I.1 Identification by password authentication

The username to be used is "root" (without quotes)
The default password for this user is "giveit2me" (without the quotes)

In this menu you can change the password by:

1.     Entering the new password in the first field

2.     Confirming it in the second field

3.     Entering the old (current) password in the third field

4.     Clicking the accept button.

 

A message will tell you whether the change was successful or not.
Remember: passwords are case sensitive!

 

Note:
From version fvdw-sl-9-0, the root password is reset to the default one when upgrading or re-installing the firmware. This makes it possible to restore the default password without having to remove the hard disk from the casing.

So if you change the SSH access password, you had better write it down somewhere in a safe place. Don't say I didn't tell you!

I.2 Identification by RSA authentication

SSH server access is possible only through an exchange of public keys.

Additional controls are therefore displayed to allow the administrator to manage client keys:
- Controls to add public keys
Note: when a remote host uses an authorized key, it gets by default full access to the file system and all data saved on the NAS. Since version 15.0, an option is available to restrict a key to connecting to the rsync server. If you check this option, a remote host using this key won't be able to get any access to the NAS except for backups, in accordance with the rsync server configuration.
Important: If you use the same public key several times with different restrictions, the SSH server will always use the first key to set its permissions when a remote host with this public key tries to connect to the NAS!
- An additional menu to display the keys and delete obsolete keys.

Client Access from a computer:
1.     Generate a private key with the PuTTYgen tool, for example, save it, and display the associated public key.
2.     Paste this key in the textarea (with no changes).
3.     Click on the button "add this key".

You must then configure PuTTY to use the private key saved previously (more information in the PuTTY manual).
Note: If you have protected your key with a passphrase, you will be asked for it at login.

For easy management of keys, the "Comment key" field often contains the indication "user@ip" where, in our case, user is always root and ip is the IP address or hostname of the client. This field is always placed at the end of the RSA public key: ssh-rsa encodagekey user@ip
Important: If you use an old PuTTYgen version (before 0.61), the generated public key is not built in the same way:
        "ssh-rsa encodagekey= user@ip"

In that case, this format must be kept when you import the key. If you delete the "=", any login with this key will fail!
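The two "Important" notes above (the first of several identical keys sets the permissions, and a removed "=" breaks the key) can be checked offline on a copy of the key list. The following is an added example, not code from the firmware: it assumes the keys are kept in the OpenSSH-style authorized_keys text format with an optional options field in front of "ssh-rsa", and the option string, key blobs and addresses in the sample are constructed placeholders.

```python
import base64
import re
import struct

# One whitespace-separated field; double-quoted option values may contain spaces.
FIELD = re.compile(r'(?:[^\s"]|"[^"]*")+')
KEY_PREFIXES = ("ssh-", "ecdsa-")

def audit(text):
    """Return (effective, findings) for authorized_keys content.

    effective: key blob -> (line number, options) of the entry that applies.
    findings:  (line number, message) for damaged or shadowed entries.
    """
    effective, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        idx = 0 if fields[0].startswith(KEY_PREFIXES) else 1
        if len(fields) < idx + 2 or not fields[idx].startswith(KEY_PREFIXES):
            findings.append((n, "not a key entry"))
            continue
        options = fields[0] if idx else ""
        ktype, blob = fields[idx], fields[idx + 1]
        try:
            # The blob starts with a length-prefixed copy of the key type.
            raw = base64.b64decode(blob, validate=True)
            (size,) = struct.unpack(">I", raw[:4])
            if raw[4:4 + size].decode("ascii") != ktype:
                raise ValueError("type mismatch")
        except (ValueError, struct.error):
            findings.append((n, "damaged key blob (was a trailing '=' removed?)"))
            continue
        first = effective.setdefault(blob, (n, options))
        if first[0] != n and first[1] != options:
            findings.append((n, f"shadowed by line {first[0]}; these options never apply"))
    return effective, findings

def _blob(tail):
    # Constructed stand-in for an RSA public key blob, not a usable key.
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + tail).decode()

K1, K2 = _blob(b"\x01" * 6), _blob(b"\x02" * 6)
SAMPLE = "\n".join([
    f"ssh-rsa {K1} root@192.0.2.10",
    f'command="/hypothetical/rsync-only",no-pty ssh-rsa {K1} root@192.0.2.10',
    f"ssh-rsa {K2.rstrip('=')} root@192.0.2.11",
])

if __name__ == "__main__":
    for n, msg in audit(SAMPLE)[1]:
        print(f"line {n}: {msg}")
```

In the sample, the unrestricted entry on line 1 is the one that applies, so the restricted copy on line 2 gives no protection until the first entry is deleted.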

 

Important: If you change the SSH access mode or the SSH port, the environment variable "RSYNC_RSH" (see help for backup menu) is updated only after a shell terminal is opened again. For scripts that are not executed from a shell terminal (e.g. cron jobs), it is updated only after rebooting.

 

II. SSH access (NAS) to a remote SSH server

The identification by the RSA key exchange is often the method chosen by a server administrator.

If you want your NAS to be able to connect to such a server, you must first send the public key of the NAS to its administrator.

 

In this part of the menu, you can:

·         Display the public key of the NAS (and copy it to be sent: select all text and make no change !!!)

·         Generate a new key pair (public and private)(1)

 

Note: The SSH client that comes with Dropbear is dbclient (not the ssh command as in OpenSSH).

 

III. Web Console

Since version 16.1, the firmware supports a web console that gives pseudo shell access over the http(s) protocol (see the webconsole project).

For security reasons, you can enable or disable this feature with the option "Enable Web Console (only root login with password)".

As the web console supports only login with a password, the fields for changing the root password are also available when you use the mode "SSH access with RSA key".


(1) When the key pair of the NAS is changed, a message asking for acceptance is displayed at the first client access. After installing version 8.1, you will get this message.