Buffalo NAS-Central Forums

Welcome to the Linkstation Wiki community
It is currently Tue Sep 30, 2014 8:51 pm

All times are UTC [ DST ]




Post new topic Reply to topic  [ 33 posts ]  Go to page 1, 2, 3  Next
Author Message
PostPosted: Sun Feb 07, 2010 8:18 pm 
Offline
Total Newbie

Joined: Sun Feb 07, 2010 7:41 pm
Posts: 2
Hi all,
after playing around for about one week with my new LinkStation DUO I finally succeeded to gain full control!
The best about that: no modified FW, no need to use acp_commander (it doesn't work anyway).

Well, I'm new to this forum and even kind of newbie to LinkStation hacking.
I got a lot of information from the forum - with limited use for the new LinkStation DUO - so I want to contribute with my knowledge so far.

My LinkStation DUO is running FW version 1.22, that is the latest version for this model available from the Buffalo support site.
I tried to gain full (root) access with acp_commander, but it did not work with my device; I assume that this security hole was closed.
I looked through all configuration options, realized that SSH service is active during normal operation, but was not able to login:
- login as root does not work due to not knowing the password
- login as other user was denied by simply closing the connection

The trick to get it work is based on the possibility to configure a web server on the device.
- Configure a share 'www'
- Configure a web server on port 81 using that share
It is possible to run PHP scripts with that web server.
It comes configure by default with an 'index.php' that shows the phpinfo()!

Next I installed the PHP Shell (-> google) and was able to look through the filesystem with a SHELL like interface.
Then I found that the file /etc/pam.d/sshd was installed world writable and voila! ... the device was mine!
Next I installed a simple PHP file manager that enabled me to edit files via the web browser.
I changed the file /etc/pam.d/sshd as follows:
- comment out all lines that begin with 'auth'
- add the line: auth required pam_permit.so

Now I was able to login as root with no password: ssh root@linkstation

But be careful: the file /etc/pam.d/sshd gets re-created each time the system starts up.
Best way to get permanent root access is to install your SSH public key in the 'authorized_keys' file.

# mkdir /root/.ssh
# chmod 700 /root/.ssh
... install your SSH public key in /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

:D Happy hacking!


Top
 Profile  
 
PostPosted: Sat Feb 13, 2010 8:26 pm 
Offline
Total Newbie

Joined: Sat Feb 13, 2010 8:16 pm
Posts: 1
Yeah! Worked nicely. Thanks a lot.

I'm wondering what I should do next and what things I must keep in mind so I won't break anything? Is there some ways to configure manually ftp-server and it's user rights?


Top
 Profile  
 
PostPosted: Wed Feb 17, 2010 10:43 pm 
Offline
Total Newbie

Joined: Sun Feb 07, 2010 7:41 pm
Posts: 2
Well, it depends on what exactly you want to do. What is your goal regarding the ftp service?

My ambition was to make the LS act as a RSYNC server.
This was not too complicated, because rsynd is already present and gets started.
I had to modify the configuration file /etc/rsyncd.conf, but this had to be done from
the startup scripts, because the file gets generated each time the LS starts up.

Next I'm going to install and configure the NFS server ...

This is the way I am working when making changes to the LS:
- keep an exact protocol of the changes done so far
- don't make too many changes in one step
- after applying a set of changes make sure that thing are not broken; if something is, undo the changes made so far


Top
 Profile  
 
PostPosted: Sun Aug 01, 2010 7:30 pm 
Offline
Newbie

Joined: Sun Aug 01, 2010 6:44 pm
Posts: 6
Thanks hds

Thanks for the guide, I am able to gain root access with firmware 1.33 too on LS-WXL/E-AP

Can you share a good PHP file manager script? I don't know, I just use the PHP to write the /etc/pam.d/sshd

Updated the wiki http://buffalo.nas-central.org/wiki/Category:LS-WXL


Top
 Profile  
 
PostPosted: Wed Aug 04, 2010 2:55 am 
Offline
Newbie

Joined: Sun Aug 01, 2010 6:44 pm
Posts: 6
Hi All,

I managed to install Lenny but it is still a long way to go, I missed Buffalo Web Admin.

How can I revert back? I did not make backup, may be, so if I putting a blank hard disk, would it work?

So right now, I need to figure out:
- how to partition, I did no see the storage with df
- Buffalo Web Admin like
- RAID 1 or JBOD if I put another disk, I am on 1 disk setup
- DLNA, iTunes, PHP webserver
- Windows Sharing with Samba?

Thanks, it would be great if anyone here can share the Lenny post setup experience, many thanks.


Top
 Profile  
 
PostPosted: Mon Aug 23, 2010 1:08 pm 
Offline
Total Newbie

Joined: Mon Aug 23, 2010 11:57 am
Posts: 1
hi hds and jugagagah,

I can't get either solution to work, I'm unable to install PHP Shell and the php script on the wiki will also nog work for me.
Can u please explain to me how to install PHP Shell on the linkstation without telnet or ssh access?
I have a linkstation duo LS-WXL with firmware 1.33 from buffalo.

you would help me so much if i got ssh access.


Top
 Profile  
 
PostPosted: Fri Oct 15, 2010 12:24 pm 
Offline
Total Newbie

Joined: Fri Oct 15, 2010 12:06 pm
Posts: 1
Has anyone managed to get this to work witn the 1.33 firmware?

After rebooting the device, the ssh-authentication does not work anymore. The only way to get again access is to use the php-scritp to alter the pam.d/ssh file.


Top
 Profile  
 
PostPosted: Sun Nov 28, 2010 11:00 pm 
Offline
Total Newbie

Joined: Sun Nov 28, 2010 10:53 pm
Posts: 1
I'm having trouble with the new 1.37 firmware and ssh login. I can create /etc/pam.d/sshd, I checked it's there and has what Wiki says. But when I try ssh login, the host terminates connection without asking password. However, something definitely happened: sftp goes for non-root users without asking passwords! Any suggestions? I would not want to start a major hacking project, I simply wanted to add public key authentication for standard users that I really need. But unfortunately PHP scripts cannot write to /home/.ssh/ ... damn it. The box came with 1.34, I should have though this before upgrading. I won't downgrade anymore.


Top
 Profile  
 
PostPosted: Tue Dec 21, 2010 3:46 pm 
Offline
Total Newbie

Joined: Tue Dec 21, 2010 3:42 pm
Posts: 1
Same problem here with 1.37
After the pam.d/sshd change root ssh just disconnects without password prompt and user sftp works without a password.
Prolly gonna try to downgrade and see if it helps, mine came with 1.24 firmware.


Top
 Profile  
 
PostPosted: Sun Jan 09, 2011 11:40 pm 
Offline
Total Newbie

Joined: Mon Oct 11, 2010 2:18 am
Posts: 3
Hi, same here, connection gets "closed by remote" right after it logins. Any suggestions?

For those that lost the the password prompt for sftp, just reboot and you'll get it again.


Top
 Profile  
 
PostPosted: Mon Feb 07, 2011 3:01 pm 
Offline
Regular Member
User avatar

Joined: Mon Oct 08, 2007 6:34 am
Posts: 334
Does anyone know if this can be done with the 1.37 firmware? or must I downgrade for this to work?

Cheers,
Stonie.

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap


Top
 Profile  
 
PostPosted: Mon Feb 07, 2011 3:28 pm 
Offline
Moderator

Joined: Fri Jun 29, 2007 10:39 am
Posts: 2592
It is still possible to use acp_commander for "one-shot" commands
as root.
Just use the "-c <here your commandline>" to do what you want to
do. But be aware that you cannot use any kind of user interaction
(that's the "one-shot").
example:
java -jar acp_commander.jar -t 192.168.100.1 -ip 192.168.100.1 -pw password -c "ls -l /etc/pam.d"

I wrote a small guide for the LS-VL to get ssh public key authentication
for root access (so no user/password stuff).
http://buffalo.nas-central.org/wiki/Open_Stock_Firmware_LS-VL

_________________
Please do not use private mail (PN/M) to ask questions. Use the proper forum instead. (me)

If there is no verified backup of a dataset, the dataset, by definition, is unimportant. (c't 2012)

RAID (no matter which level) never ever substitutes a backup. (me)


Top
 Profile  
 
PostPosted: Mon Feb 07, 2011 5:32 pm 
Offline
Regular Member
User avatar

Joined: Mon Oct 08, 2007 6:34 am
Posts: 334
Hi kenatonline,

I tried you guide for the LS-VL http://buffalo.nas-central.org/wiki/Open_Stock_Firmware_LS-VL on my WXL but no dice...
all the acp_commander commands completed successfully but I still get connection refused when trying to connect over ssh.
I have been poking around in there sshd does not appear to be running?

the output of start is:

Code:
stonie@410si ~/ls-wxl.openStockFirware $ java -jar acp_commander.jar -t 192.168.1.2 -ip 192.168.1.2 -pw password -c "/etc/init.d/sshd.sh start"
ACP_commander out of the nas-central.org (linkstationwiki.net) project.
Used to send ACP-commands to Buffalo linkstation(R) LS-PRO.

WARNING: This is experimental software that might brick your linkstation!


Using random connID value = 0F3D266AF56A
Using target:   RAID.DrivenLogic/192.168.1.2
Starting authentication procedure...
Sending Discover packet...
Found:  RAID (/192.168.1.2)     LS-WXL(KEITAI) (ID=00486)       mac: 00:24:A5:47:D5:11  Firmware=  1.370        Key=18FAF05C
Trying to authenticate EnOneCmd...      ACP_STATE_OK
Trying to authenticate with admin password...   ACP_STATE_OK
>/etc/init.d/sshd.sh start
load_info ItemValue = off
LoadConfFileStringEx:key=[ad_dns] not found in /etc/melco/info.
LoadConfFileOnOffEx:key=[info_visible] not found in /etc/melco/info.
LoadConfFileStringEx:key=[array2] not found in /etc/melco/diskinfo.
LoadConfFileStringEx:key=[usb_disk2] not found in /etc/melco/diskinfo.
file:/etc/sftponly_config
userinfo finished
groupname admin
groupname guest
groupname hdusers
file:/etc/pam.d/sshd

Changeing IP:   ACP_STATE_PASSWORD_ERROR
Please note, that the current support for the change of the IP is currently very rudimentary.
The IP has been set to the given, fixed IP, however DNS and gateway have not been set. Use the WebGUI to make appropriate settings.


Any pointers?

Cheers,
Stonie.

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap


Top
 Profile  
 
PostPosted: Mon Feb 07, 2011 11:34 pm 
Offline
Moderator

Joined: Fri Jun 29, 2007 10:39 am
Posts: 2592
The output seems reasonable (I got something similar
when I first started sshd for "opening" via acp_commander).
Did you verified, that the sshd executable is available?
Did you put your public key into the authorized_keys file?
Did you used the private key for connection?

_________________
Please do not use private mail (PN/M) to ask questions. Use the proper forum instead. (me)

If there is no verified backup of a dataset, the dataset, by definition, is unimportant. (c't 2012)

RAID (no matter which level) never ever substitutes a backup. (me)


Top
 Profile  
 
PostPosted: Wed Feb 09, 2011 1:35 pm 
Offline
Regular Member
User avatar

Joined: Mon Oct 08, 2007 6:34 am
Posts: 334
hey thanks for the pointers! ;)

Quote:
Did you verified, that the sshd executable is available?

Yes its at:
Code:
/usr/local/sbin/sshd

Quote:
Did you put your public key into the authorized_keys file?

Yes and using the correct path for the WXL:
Code:
java -jar acp_commander.jar -t 192.168.1.2 -ip 192.168.1.2 -pw password -c "cp /mnt/array1/share/authorized_keys /root/.ssh/"

Quote:
Did you used the private key for connection?

I don't seem to be getting that far, the port is not open and sshd does not appear to be running?
Code:
# ssh 192.168.1.2
ssh: connect to host 192.168.1.2 port 22: Connection refused


I will keep hacking about with acp_commander... I also tried: /usr/local/sbin/sshd –f /etc/sshd_config (still didn't start)
can't find any logs either.... :?

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 33 posts ]  Go to page 1, 2, 3  Next

All times are UTC [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:

Protected by Anti-Spam ACP
Protected by Anti-Spam ACP Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group