ssh passwd and secure key

Posted:
Mon Oct 07, 2013 11:31 am
by firwareslut
I would like the option to be able to log in to the box with a password or secure key. I mostly use secure key for logging in automatically from a trusted box (or where a password is difficult to use, such as from a line in /etc/fstab).
However, I would also like to be able to use XBMC Windows SFTP sources, which I cannot seem to get working with a key and it requires a password.
The option in the interface is either/or, but not both. How can I fix this?
Re: ssh passwd and secure key

Posted:
Mon Oct 07, 2013 11:57 am
by Jocko
Hi firwareslut,
Indeed, it's intended behaviour.
I disabled SSH access with password when an RSA key is available because in this case I assumed that you want to get access from a remote host and then you open the SSH port.
As access with password is not a safe method, I disabled it.
So we will keep this behaviour in the firmware, but you can change it with cron by using a small shell script:
Code:
#!/bin/sh
killall dropbear
dropbear -p sshport -r /rw_fs/etc/dropbear/dropbear_rsa_host_key
where sshport is by default 22 or your custom port.
Note: This method will work only if you use the option for access with an RSA key.
Re: ssh passwd and secure key

Posted:
Mon Oct 07, 2013 12:36 pm
by firwareslut
Right, so select the option in the firmware to login with password and run that script to enable the key method as well...is that correct?
Re: ssh passwd and secure key

Posted:
Mon Oct 07, 2013 2:11 pm
by Jocko
Not really, you must:
select the option in the firmware to log in with an RSA key and run that script to enable the password method as well ;)
Re: ssh passwd and secure key

Posted:
Sat Oct 12, 2013 7:31 am
by firwareslut
Thanks, that worked just fine :)
Is it possible in a future release to have this as a startup option configured from the web interface? The only small problem with it is that I have to schedule it with cron, which means it will disconnect any active connection at the time. Although I can set it up daily at 4am, that shouldn't be a big inconvenience. :)
Re: ssh passwd and secure key

Posted:
Sat Oct 12, 2013 9:38 am
by Jocko
Found a better way.
No need to kill all dropbear processes before... Just start a new dropbear process using another port...
So in cron, use this command: dropbear -p 222 -r /rw_fs/etc/dropbear/dropbear_rsa_host_key (if you don't use this port)
I would open this option because port 22, like ports 21 and 80, is regularly sniffed by hackers.
So I do not want to see the following case: enable key but still allow pwd mode, keep the well-known default password and open port 22 ... a large backdoor opened
Re: ssh passwd and secure key

Posted:
Sun Oct 13, 2013 6:58 am
by firwareslut
Well, security is also the responsibility of the user. I have Debian servers that I can log in to with password and SSH key. They don't insist I use one or the other and restrict the usefulness of the server. I mean, this firmware is for power users anyway, right? It's not like someone who knows nothing about what they are doing can install this firmware.
Killing the dropbear process is very flaky at the moment... it's not always restarting anyway. I run dropbear on port 22, but the actual port from my router is different as it forwards to port 22 on the NAS from another port.
Can I somehow add this to the startup? I don't really like this bad hack. If I don't kill the process and schedule it once a day I'm gonna end up with multiple processes. I know using this method I'm gonna find that more times than not I'm not gonna be able to log in.
Re: ssh passwd and secure key

Posted:
Sun Oct 13, 2013 9:03 am
by Jocko
Did you read this carefully:
"No need to kill all dropbear processes before... Just start a new dropbear process using another port...
So in cron, use this command: dropbear -p 222 -r /rw_fs/etc/dropbear/dropbear_rsa_host_key (if you don't use this port)"
So there is no need to kill the dropbear daemon; only start another one using another port.
"Can I somehow add this to the startup? I don't really like this bad hack. If I don't kill the process and schedule it once a day I'm gonna end up with multiple processes. I know using this method I'm gonna find that more times than not I'm not gonna be able to log in."
If you try to start another dropbear daemon with the same options, no additional one is started.
You can add this line at the end of the rcS file (be careful to keep its Linux format and its permissions: 755)
"I mean, this firmware is for power users anyway, right"
I don't think so, judging by some posts
Re: ssh passwd and secure key

Posted:
Sun Oct 13, 2013 9:20 am
by firwareslut
Ok, so it won't try to spawn another instance of dropbear if that port is already in use by a previous dropbear instance?
Re: ssh passwd and secure key

Posted:
Sun Oct 13, 2013 9:42 am
by Jocko
That's right.
Note: dropbear will fail to start a new instance if the port is used by another service (or by itself in another instance).
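
The startup approach discussed in this thread, as an added example that is not part of the original posts or the firmware: an rcS/cron snippet that starts the second dropbear listener only when nothing is already listening on its port. Port 222 and the host key path come from the thread; the pidfile path and the function names are assumptions.

```sh
#!/bin/sh
# Added example: idempotent start of a second dropbear listener (rcS or cron).
# PORT and HOSTKEY come from the thread; PIDFILE is an assumed path, kept
# separate so the extra instance does not share the first instance's pidfile.
PORT=222
HOSTKEY=/rw_fs/etc/dropbear/dropbear_rsa_host_key
PIDFILE=/var/run/dropbear-$PORT.pid

# Return 0 if a TCP socket is in LISTEN state (st == 0A) on the given port.
# Reads /proc/net/tcp-style tables; extra arguments override the files read.
port_listening() {
    port_hex=$(printf '%04X' "$1")
    shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for table in "$@"; do
        [ -r "$table" ] || continue
        # Field 2 is local_address as HEXADDR:HEXPORT, field 4 is the state.
        if awk -v p="$port_hex" '
            NR > 1 { n = split($2, a, ":")
                     if (toupper(a[n]) == p && $4 == "0A") found = 1 }
            END { exit !found }' "$table"; then
            return 0
        fi
    done
    return 1
}

# Start the extra listener only when the port is still free.
start_extra_listener() {
    if port_listening "$PORT"; then
        echo "port $PORT already has a listener, not starting another dropbear"
        return 0
    fi
    dropbear -p "$PORT" -r "$HOSTKEY" -P "$PIDFILE"
}

# Act only when invoked with "start", so sourcing the file has no side effects.
if [ "${1:-}" = "start" ]; then
    start_extra_listener
fi
```

Because the port check comes first, the same line can run from both rcS and cron without killing existing sessions or logging a bind failure each time.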