Buffalo NAS-Central Forums

Hi all,
after playing around for about one week with my new LinkStation DUO I finally succeeded to gain full control!
The best about that: no modified FW, no need to use acp_commander (it doesn't work anyway).

Well, I'm new to this forum and even kind of newbie to LinkStation hacking.
I got a lot of information from the forum - with limited use for the new LinkStation DUO - so I want to contribute with my knowledge so far.

My LinkStation DUO is running FW version 1.22, that is the latest version for this model available from the Buffalo support site.
I tried to gain full (root) access with acp_commander, but it did not work with my device; I assume that this security hole was closed.
I looked through all configuration options, realized that SSH service is active during normal operation, but was not able to login:
- login as root does not work due to not knowing the password
- login as other user was denied by simply closing the connection

The trick to get it work is based on the possibility to configure a web server on the device.
- Configure a share 'www'
- Configure a web server on port 81 using that share
It is possible to run PHP scripts with that web server.
It comes configure by default with an 'index.php' that shows the phpinfo()!

Next I installed the PHP Shell (-> google) and was able to look through the filesystem with a SHELL like interface.
Then I found that the file /etc/pam.d/sshd was installed world writable and voila! ... the device was mine!
Next I installed a simple PHP file manager that enabled me to edit files via the web browser.
I changed the file /etc/pam.d/sshd as follows:
- comment out all lines that begin with 'auth'
- add the line: auth required pam_permit.so

Now I was able to login as root with no password: ssh root@linkstation

But be careful: the file /etc/pam.d/sshd gets re-created each time the system starts up.
Best way to get permanent root access is to install your SSH public key in the 'authorized_keys' file.

# mkdir /root/.ssh
# chmod 700 /root/.ssh
... install your SSH public key in /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys

Happy hacking!

Yeah! Worked nicely. Thanks a lot.

I'm wondering what I should do next and what things I must keep in mind so I won't break anything? Is there some ways to configure manually ftp-server and it's user rights?

Well, it depends on what exactly you want to do. What is your goal regarding the ftp service?

My ambition was to make the LS act as a RSYNC server.
This was not too complicated, because rsynd is already present and gets started.
I had to modify the configuration file /etc/rsyncd.conf, but this had to be done from
the startup scripts, because the file gets generated each time the LS starts up.

Next I'm going to install and configure the NFS server ...

This is the way I am working when making changes to the LS:
- keep an exact protocol of the changes done so far
- don't make too many changes in one step
- after applying a set of changes make sure that thing are not broken; if something is, undo the changes made so far

Thanks hds

Thanks for the guide, I am able to gain root access with firmware 1.33 too on LS-WXL/E-AP

Can you share a good PHP file manager script? I don't know, I just use the PHP to write the /etc/pam.d/sshd

Updated the wiki http://buffalo.nas-central.org/wiki/Category:LS-WXL

Hi All,

I managed to install Lenny but it is still a long way to go, I missed Buffalo Web Admin.

How can I revert back? I did not make backup, may be, so if I putting a blank hard disk, would it work?

So right now, I need to figure out:
- how to partition, I did no see the storage with df
- Buffalo Web Admin like
- RAID 1 or JBOD if I put another disk, I am on 1 disk setup
- DLNA, iTunes, PHP webserver
- Windows Sharing with Samba?

Thanks, it would be great if anyone here can share the Lenny post setup experience, many thanks.

hi hds and jugagagah,

I can't get either solution to work, I'm unable to install PHP Shell and the php script on the wiki will also nog work for me.
Can u please explain to me how to install PHP Shell on the linkstation without telnet or ssh access?
I have a linkstation duo LS-WXL with firmware 1.33 from buffalo.

you would help me so much if i got ssh access.

Has anyone managed to get this to work witn the 1.33 firmware?

After rebooting the device, the ssh-authentication does not work anymore. The only way to get again access is to use the php-scritp to alter the pam.d/ssh file.

I'm having trouble with the new 1.37 firmware and ssh login. I can create /etc/pam.d/sshd, I checked it's there and has what Wiki says. But when I try ssh login, the host terminates connection without asking password. However, something definitely happened: sftp goes for non-root users without asking passwords! Any suggestions? I would not want to start a major hacking project, I simply wanted to add public key authentication for standard users that I really need. But unfortunately PHP scripts cannot write to /home/.ssh/ ... damn it. The box came with 1.34, I should have though this before upgrading. I won't downgrade anymore.

Same problem here with 1.37
After the pam.d/sshd change root ssh just disconnects without password prompt and user sftp works without a password.
Prolly gonna try to downgrade and see if it helps, mine came with 1.24 firmware.

Hi, same here, connection gets "closed by remote" right after it logins. Any suggestions?

For those that lost the the password prompt for sftp, just reboot and you'll get it again.

Does anyone know if this can be done with the 1.37 firmware? or must I downgrade for this to work?

Cheers,
Stonie.

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap

It is still possible to use acp_commander for "one-shot" commands
as root.
Just use the "-c <here your commandline>" to do what you want to
do. But be aware that you cannot use any kind of user interaction
(that's the "one-shot").
example:
java -jar acp_commander.jar -t 192.168.100.1 -ip 192.168.100.1 -pw password -c "ls -l /etc/pam.d"

I wrote a small guide for the LS-VL to get ssh public key authentication
for root access (so no user/password stuff).
http://buffalo.nas-central.org/wiki/Open_Stock_Firmware_LS-VL

_________________
Please do not use private mail (PN/M) to ask questions. Use the proper forum instead. (me)

If there is no verified backup of a dataset, the dataset, by definition, is unimportant. (c't 2012)

RAID (no matter which level) never ever substitutes a backup. (me)

Hi kenatonline,

I tried you guide for the LS-VL http://buffalo.nas-central.org/wiki/Open_Stock_Firmware_LS-VL on my WXL but no dice...
all the acp_commander commands completed successfully but I still get connection refused when trying to connect over ssh.
I have been poking around in there sshd does not appear to be running?

the output of start is:



Any pointers?

Cheers,
Stonie.

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap

The output seems reasonable (I got something similar
when I first started sshd for "opening" via acp_commander).
Did you verified, that the sshd executable is available?
Did you put your public key into the authorized_keys file?
Did you used the private key for connection?

_________________
Please do not use private mail (PN/M) to ask questions. Use the proper forum instead. (me)

If there is no verified backup of a dataset, the dataset, by definition, is unimportant. (c't 2012)

RAID (no matter which level) never ever substitutes a backup. (me)

hey thanks for the pointers!


Yes its at:

Yes and using the correct path for the WXL:


I don't seem to be getting that far, the port is not open and sshd does not appear to be running?


I will keep hacking about with acp_commander... I also tried: /usr/local/sbin/sshd –f /etc/sshd_config (still didn't start)
can't find any logs either....

_________________
KuroHG - UBoot 1.2, foonas-em & Debian Wheezy - 3.4 Kernel
Kurobox Pro - Dave's Lenny-armel
LS-WVL - opened
LS-XHL - Squeeze Bootstrap
LS-VL - Squeeze Bootstrap