Buffalo NAS-Central Forums

Welcome to the Linkstation Wiki community
It is currently Tue Oct 24, 2017 1:20 am

All times are UTC+01:00




Post new topic  Reply to topic  [ 8 posts ] 
Author Message
 Post subject: Firmware 1.64 ssh access
PostPosted: Sat Jan 12, 2013 6:39 pm 
Offline
Total Newbie

Joined: Sat Jan 12, 2013 5:59 pm
Posts: 2
There is an additional "security feature" to refuse root for sshd service in the latest firmware (LS-WXL 1.64) - which I finally managed to bypass. And it is even quite easy! :up:

Using ACP Commander I executed the following commands:
Code:
java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "(echo password;echo password)|passwd"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/UsePAM yes/UsePAM no/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "/etc/init.d/sshd.sh restart"

This should give me a custom root password and my /etc/sshd_config should use PAM and allow root login after restart of sshd. But it didn't. /var/log/messages kept saying:
Code:
pam_listfile(sshd:auth): Refused user root for service sshd

I then found that /etc/init.d/sshd.sh restart was executing nas_configgen -c sftp. This script seems to return two additional files:
    /etc/pam.d/sshd and
    /etc/sftponly_config

The 2nd file may reject normal users from ssh login:
Code:
# config for sftp server

user admin
allowssh no
hidelist /
(...)

while /etc/pam.d/sshd is all about sshd authentication.
Code:
auth     required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so

The part "sense=deny file=/etc/ftpusers" simply says that all users listed in /etc/ftpusers are denied from ssh. And this file reads:
Code:
root
bin
deamon
sys
adm
sync
shutdown
halt
operator
nobody

Just remove the first line (root) and everything will be file. :twisted:


Top
   
PostPosted: Tue Feb 12, 2013 7:43 pm 
Offline
Total Newbie

Joined: Tue Feb 12, 2013 7:33 pm
Posts: 3
Having a little trouble with this, it appears that the ssh daemon is not running and I'm not sure why!

Code:
>/etc/init.d/sshd.sh restart
load_info ItemValue = off
LoadConfFileStringEx:key=[ad_dns] not found in /etc/melco/info.
LoadConfFileStringEx:key=[array2] not found in /etc/melco/diskinfo.
LoadConfFileStringEx:key=[usb_disk2] not found in /etc/melco/diskinfo.
file:/etc/sftponly_config
userinfo finished
groupname admin
groupname guest
groupname hdusers
file:/etc/pam.d/sshd


Code:
>ps w | grep ssh
24158 root       2252 S   sh -c ps w | grep ssh
24160 root       3420 S   grep ssh


Code:
>ls /etc/init.d | grep ssh
sshd.sh


Code:
>cat /etc/sshd_config
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/b

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
HostKey /etc/apache/server.key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes

#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts f


Any ideas? :?


Top
   
PostPosted: Wed Feb 13, 2013 8:59 am 
Offline
Total Newbie

Joined: Wed Feb 13, 2013 8:30 am
Posts: 3
Hi gulbrillo,

How did you remove the line with denied users? Do you have telnet access? I can't etablish a telnet connection.
I'm able to etablish a ssh conenction but ofcourse do not have the root password.

Could you write a short guide on how you managed to etablish the ssh connection?


Top
   
PostPosted: Wed Feb 13, 2013 12:08 pm 
Offline
Total Newbie

Joined: Tue Feb 12, 2013 7:33 pm
Posts: 3
hanstad wrote:
Hi gulbrillo,

How did you remove the line with denied users? Do you have telnet access? I can't etablish a telnet connection.
I'm able to etablish a ssh conenction but ofcourse do not have the root password.

Could you write a short guide on how you managed to etablish the ssh connection?


As per his post, you need to run these commands with ACP Commander, which can be found on this site (search the main page):

Code:
java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "(echo password;echo password)|passwd"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/UsePAM yes/UsePAM no/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "/etc/init.d/sshd.sh restart"


Of course you'll need to change the IP to suite, and alter the password after the -pw to your current admin password.

As for removing the root line, my unix is a little scratchy but I think I used:

Code:
java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/root/#root/g' /etc/ftpusers"


Top
   
PostPosted: Wed Feb 13, 2013 5:20 pm 
Offline
Total Newbie

Joined: Tue Feb 12, 2013 7:33 pm
Posts: 3
For anybody interested, I "resolved" my problem by installing Shonk's 1.64 Mod 1.


Top
   
PostPosted: Wed Feb 13, 2013 8:35 pm 
Offline
Total Newbie

Joined: Wed Feb 13, 2013 8:30 am
Posts: 3
theoriginalterry wrote:
hanstad wrote:
Hi gulbrillo,

How did you remove the line with denied users? Do you have telnet access? I can't etablish a telnet connection.
I'm able to etablish a ssh conenction but ofcourse do not have the root password.

Could you write a short guide on how you managed to etablish the ssh connection?


As per his post, you need to run these commands with ACP Commander, which can be found on this site (search the main page):

Code:
java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "(echo password;echo password)|passwd"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/UsePAM yes/UsePAM no/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/sshd_config"

java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "/etc/init.d/sshd.sh restart"


Of course you'll need to change the IP to suite, and alter the password after the -pw to your current admin password.

As for removing the root line, my unix is a little scratchy but I think I used:

Code:
java -jar acp_commander.jar -t 192.168.1.8 -ip 192.168.1.8 -pw password -c "sed -i 's/root/#root/g' /etc/ftpusers"


Cool it worked out :)

But now when I enter the webpage I only have one page after login and that is called "Local Users > root". It requires me to write a username and user id, but the username textfield are locked. The user id is filled with the id of the root user (found in /etc/passwd)

What to do? Anybody?


Top
   
PostPosted: Wed Feb 13, 2013 8:41 pm 
Offline
Moderator

Joined: Mon Apr 26, 2010 10:24 am
Posts: 2689
Login as admin

admin = Administrator Webif
root = Administrator telnet


Top
   
PostPosted: Wed Feb 13, 2013 9:00 pm 
Offline
Total Newbie

Joined: Wed Feb 13, 2013 8:30 am
Posts: 3
oxygen8 wrote:
Login as admin

admin = Administrator Webif
root = Administrator telnet


OMG thanks - totally confused! :D


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 8 posts ] 

All times are UTC+01:00


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited