Hi Everyone
Whilst I know most of the configuration is done via ADM, I still like to enable SSH and secure it where possible.
Doing a little hunting, I found where the sshd_config file was located.
I also noted that if you enable 2FA on your account, this is also used when using password logon via SSH.
So here's what I did.
Note: Where appropriate information has been obfuscated.
1. In ADM -> Access Control -> Users I set a password on the admin account, but left it inactive.
2. In ADM -> Services I turned on SSH and changed the port number.
3. Ran the command ssh myaccount@myserverip -p myport
4. Ran ssh-keygen to generate a public / private key pair
5. Ran cat mykey.pub >> ~/.ssh/authorized_keys
6. Copied mykey to a file in the client computer's .ssh directory
7. Added a file called config to the .ssh directory on the client computer containing the following:
host ravennas
hostname myserverip
user myaccount
port mysshport
identityfile ~/.ssh/mykey
(Note: The path works fine for both Linux based and Windows machines, as the Windows ssh client translates the Unix path into a Windows one when it runs.)
8. I used exit to quit the ssh session and then ran the command ssh ravennas to check the following:
a) That it connected to the server
b) That it signed me on using the private key successfully
That done, it was time to lock down SSHD.
9. ssh into the box and run the following command: sudo vi /usr/etc/ssh/sshd_config
10. Changed the following lines:
ChallengeResponseAuthentication yes
to
ChallengeResponseAuthentication no
#PasswordAuthentication yes
to
PasswordAuthentication no
While I tried changing PermitRootLogin to no, this was repeatedly changed back to yes. However, the other changes persisted.
11. Went back into ADM -> Services and disabled and re-enabled the SSH service to bring the changes online.
12. Logged into the ASUSTOR using the saved configuration: ssh ravennas
13. Tested password logon by temporarily commenting out the identityfile in the config. This produced the following error:
myaccount@myserver: Permission denied (publickey)
Once I had that, I removed the # from the IdentityFile line.
IMPORTANT - Back up your private SSH key somewhere secure. If you lose it you will struggle to SSH into the NAS.
I hope this helps people who want to be able to use SSH if needed.
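The steps above end with a manual check (the "Permission denied (publickey)" test). As an added example that is not part of the original post, the script below audits an sshd_config for the three settings the post touches, using OpenSSH's parsing rules: the first non-comment occurrence of a keyword wins, keywords are case-insensitive, and a commented-out line such as "#PasswordAuthentication yes" only documents the built-in default rather than setting anything. SAMPLE_CONFIG is a constructed file that mirrors the post's outcome (password and challenge-response off, PermitRootLogin still reverted to yes); the fallback defaults in effective_value are an assumption based on stock OpenSSH and may differ on the NAS build.

```shell
#!/bin/sh
# Added example (not from the forum post): audit an sshd_config for the
# keywords the post changes. Assumes OpenSSH sshd_config semantics:
# '#' starts a comment, the first match for a keyword is the effective one,
# and keyword names are case-insensitive.

# Constructed sample sshd_config (not the NAS's real file). It reproduces the
# post's result: password logins off, but PermitRootLogin reverted to yes.
SAMPLE_CONFIG='# sample sshd_config (constructed)
Port 2222
#PermitRootLogin prohibit-password
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
'

# effective_value <config-text> <keyword>
# Prints the effective value of <keyword>. Commented lines are stripped first,
# so "#PasswordAuthentication yes" never counts as a setting. When the keyword
# is absent, a stock-OpenSSH default is assumed for the keywords we care about.
effective_value() {
    config="$1"
    key="$2"
    value=$(printf '%s\n' "$config" | awk -v want="$key" '
        {
            sub(/#.*/, "")                        # drop comments; re-splits fields
            if ($1 == "") next                    # blank or comment-only line
            if (tolower($1) == tolower(want)) {   # first match wins, as in sshd
                print $2
                exit
            }
        }')
    if [ -z "$value" ]; then
        # Assumed stock OpenSSH defaults (verify against the NAS's sshd build).
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
            passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication) value=yes ;;
            permitrootlogin) value=prohibit-password ;;
            port) value=22 ;;
            *) value=unset ;;
        esac
    fi
    printf '%s\n' "$value"
}

# audit <config-text>
# Prints one OK/WARN line per keyword; returns 0 only when password-based
# logins are off and root cannot log in with a password.
audit() {
    config="$1"
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        v=$(effective_value "$config" "$key")
        case "$key:$v" in
            PasswordAuthentication:no|ChallengeResponseAuthentication:no)
                printf 'OK   %s %s\n' "$key" "$v" ;;
            PermitRootLogin:no|PermitRootLogin:prohibit-password)
                printf 'OK   %s %s\n' "$key" "$v" ;;
            *)
                printf 'WARN %s %s\n' "$key" "$v"
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage against the constructed sample; on the NAS you would pass
# "$(cat /usr/etc/ssh/sshd_config)" instead.
if audit "$SAMPLE_CONFIG"; then
    echo "sshd_config: password logins disabled"
else
    echo "sshd_config: review the WARN lines above"
fi
```

Run it after step 11 and again after any ADM update: the WARN on PermitRootLogin is exactly the setting the post reports being silently reverted, so the script catches a regression that a successful key login alone would not reveal.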
Hi AS5404T Securing SSH access
ravenstar68

father.mande
Re: Hi AS5404T Securing SSH access
Hi,
Thanks for the information (detail and tests).
For my own part, so as not to be dependent on Asustor constraints, I use the openssh provided in the Entware APKG
... it's possible to have full control on server and server type
... with Entware it's also possible to use an alternate password and group env. ... even a little complex but interesting in some cases ...
Entware proposes (I suppress some specific responses):
# opkg list | grep ssh
autossh - 1.4g-5 - Autossh client
cryptsetup-ssh - 2.7.4-1 - Experimental SSH token support for cryptsetup
...
openssh-client - 9.9_p1-1 - OpenSSH client.
openssh-client-utils - 9.9_p1-1 - OpenSSH client utilities.
openssh-keygen - 9.9_p1-1 - OpenSSH keygen.
openssh-moduli - 9.9_p1-1 - OpenSSH server moduli file.
openssh-server - 9.9_p1-1 - OpenSSH server.
openssh-server-pam - 9.9_p1-1 - OpenSSH server (with PAM support).
openssh-sftp-client - 9.9_p1-1 - OpenSSH SFTP client.
openssh-sftp-server - 9.9_p1-1 - OpenSSH SFTP server.
...
erlang-ssh - 5.2.1 - Erlang/OTP is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. . This Erlang/OTP package provides an implementation of the Secure Shell protocol, with SSH & SFTP support.
gnupg2 - 2.2.39-1 - GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
...
php8-pecl-ssh2 - 1.4.1-1 - Bindings for the libssh2 library
reptyr - 0.10.0-1 - reptyr is a utility for taking an existing running program and attaching it to a new terminal. Started a long-running process over ssh, but have to leave and don't want to interrupt it? Just start a screen, use reptyr to grab it, and then kill the ssh session and head on home.
rrsync - 3.3.0-2 - rrsync is a script which wraps around rsync to restrict its permission to a particular subdirectory via ~/.ssh/authorized_keys and/or to read-only or write-only mode
sshfs - 3.7.2-3 - Mount remote system over sftp.
When I want the smallest ... dropbear is also provided ...
# opkg list | grep dropbear
dropbear - 2024.86-1 - A small SSH2 server/client designed for small memory environments.
dropbearconvert - 2024.86-1 - Utility for converting SSH keys
SO ALL your advice is the best ... but the Asustor special is not needed ... (and this resolves some problems ... like at 12:30 crontab starting a shell (for ntp ???) but killing running ssh connections in some cases).
Last ssh server in Asustor changed in ADM 5.0 and must add support (keys in place of password, etc.)
Thanks again for your work.
Philippe.
Asustor updated
to ADM 5.0
FS6706T / AS3302Tv2 / AS5202T / AS6602T
Asustor E.O.L. at A.D.M. 4.0
AS5002T / AS1002T
Asustor past
AS202T