====== SSH ======

After ssh'ing into my ReadyNAS I was looking to get [[rsync]] up and running, but was having trouble connecting to my server. As this was being performed over [[wp>ssh|''ssh'']] I started troubleshooting by first trying to ''ssh'' to the box from which I was connecting. Verbose output pointed to the problem being with permissions on ''/dev/tty''

  $ ssh -v 192.168.1.107
  OpenSSH_4.3p2 Debian-5~bpo.1.netgear1, OpenSSL 0.9.8g 19 Oct 2007
  debug1: Connecting to 192.168.1.107 [192.168.1.107] port 22.
  debug1: Connection established.
  debug1: identity file /c/home/neil/.ssh/identity type -1
  debug1: identity file /c/home/neil/.ssh/id_rsa type 1
  debug1: identity file /c/home/neil/.ssh/id_dsa type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
  debug1: match: OpenSSH_5.6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-5~bpo.1.netgear1
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: read_passphrase: can't open /dev/tty: Permission denied
  Permission denied (publickey,keyboard-interactive).

A quick search and scan of a few similar problems suggested that it was down to permissions on the ''/dev/tty'' file, so I added myself to the ''tty'' group (to which the file belonged) and changed the permissions. To add yourself to the ''tty'' group you need to edit the ''/etc/group'' file as ''root'' and add your username to the end of the line that defines ''tty''. Then modify the permissions on ''/dev/tty'' as root...

  ReadyNAS:~/ # chmod 0664 /dev/tty

===== Passwordless SSH =====

It's a bit of a pain having to enter passwords each and every time, and not overly secure having ''cron'' run with your ''ssh'' password stored. The way to get round this is to use ''ssh'' keys. The following is based on the [[http://www.gentoo.org/doc/en/keychain-guide.xml|Gentoo Keychain guide]], although I've opted not to install ''keychain'' on the ReadyNAS because doing so wanted to uninstall ''openssh'', which didn't sound like a sensible thing to do.

==== Public key generation ====

Start by generating an ''ssh'' key for your user on the ReadyNAS...

  user@ReadyNAS:~/ $ ssh-keygen

...this will take a little while (after all, the processor on the ReadyNAS Duo isn't that powerful), and you'll be asked to enter a password for an RSA key. Then do exactly the same on the server from which you wish to ''ssh'' to your ReadyNAS...

  user@server:~/ $ ssh-keygen

...this should be a bit quicker as your desktop/laptop/server will likely have more processing power and RAM than the poor old ReadyNAS.

==== Swapping keys ====

Once the key has been generated on both machines you need to copy each public key to the other machine and add it to that machine's list of ''authorized_keys''. First copy the key from the ReadyNAS to your computer (substitute ''server_user'' and ''server'' appropriately)...

  user@ReadyNAS:~/ $ scp ~/.ssh/id_rsa.pub server_user@server:~/.ssh/myhost.pub
  user@ReadyNAS:~/ $ ssh server_user@server "cat ~/.ssh/myhost.pub >> ~/.ssh/authorized_keys"

...then copy the key you generated on your server to the ReadyNAS (substitute ''user'' and ''readynas'' appropriately)...

  user@server:~/ $ scp ~/.ssh/id_rsa.pub user@readynas:~/.ssh/myhost.pub
  user@server:~/ $ ssh user@readynas "cat ~/.ssh/myhost.pub >> ~/.ssh/authorized_keys"

==== Testing keys ====

You should now be able to ''ssh'' between your server and the ReadyNAS without having to enter your password for each machine.
Instead you are prompted for your RSA key password, which is //not// the same thing (even if you used the same password). "What's the point of that? I've substituted one password request for another", I hear you asking. Well, this becomes useful because you can use ''ssh-agent'' (which is part of the openssh software package) to 'hold' your password keys, which you enter once when you log in so that you don't have to enter your password each time you ''ssh'' to the ReadyNAS.

==== ssh-agent ====

The 'trick' to getting this working is to ensure that ''ssh-agent'' starts up. By default this should happen automatically when X starts; check with ''ps -A'', and if it is running the simplest thing would be to reboot, after which you should be able to ''ssh'' to the ReadyNAS without being prompted for a password. If you are asked for your password then it's possible that either ''ssh-agent'' isn't starting, or it's not using your key, in which case add the following to your ''~/.bash_profile''...

  # eval is needed so that the SSH_AUTH_SOCK and SSH_AGENT_PID variables
  # printed by ssh-agent are set in this shell, where ssh-add can find them
  eval "$(ssh-agent)"
  ssh-add ~/.ssh/id_rsa

...and you should now be able to ''ssh'' to the ReadyNAS without being prompted for passwords.

==== Keychain ====

Finally, on your desktop/server (//not// the ReadyNAS) you should install [[http://www.funtoo.org/en/security/keychain/intro/|Keychain]], which will hold your password keys between logins. If you're using [[http://www.gentoo.org/|Gentoo]] simply emerge it, along with ''ssh-askpass-fullscreen'', which will prompt you for your RSA/DSA password keys when logging in through a GUI...

  # emerge -av keychain ssh-askpass-fullscreen

...and then add the following lines to your ''~/.bash_profile'' so that it is enabled at each terminal session started...

  /usr/bin/keychain --agents ssh ~/.ssh/id_rsa
  . ~/.keychain/$HOSTNAME-sh
  . ~/.keychain/$HOSTNAME-sh-gpg

You're now ready to progress to setting up [[readynas:rsync|rsync]].

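
The ''cat ... >> ~/.ssh/authorized_keys'' step from //Swapping keys//, as an added example that is not part of the original page: a shell function that rejects anything that is not a single public key line (for instance ''id_rsa'' copied instead of ''id_rsa.pub''), does not append the same key twice, and sets the directory and file modes that ''sshd'' expects. The function name ''install_pubkey'' and its arguments are hypothetical.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]   (hypothetical helper, added example)
# Returns 0 if the key is installed or already present, 2 on bad input.
# Usage on the receiving machine: install_pubkey ~/.ssh/myhost.pub
install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}

    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 2; }

    # A public key file is one line: "<type> <base64 blob> [comment]".
    # A private key (-----BEGIN ...) is multi-line and fails these checks.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "not a single key line: $pub" >&2; return 2; }
    ktype=$(awk '{print $1}' "$pub")
    blob=$(awk '{print $2}' "$pub")
    case $ktype in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unknown key type in $pub" >&2; return 2 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob in $pub" >&2; return 2 ;;
    esac

    # With StrictModes (the sshd default) keys are ignored when ~/.ssh or
    # authorized_keys is writable by anyone other than the owner.
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"

    # Compare on the blob so that a re-run, or the same key under a
    # different comment, is not appended a second time.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$auth"; then
        return 0
    fi

    # Keep entries on separate lines even if the file lacks a final newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    cat "$pub" >> "$auth"
}
```
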
===== Links =====

  * [[http://www.gentoo.org/doc/en/keychain-guide.xml|Gentoo Keychain Guide]]
  * [[http://www.funtoo.org/en/security/keychain/intro/|Keychain]]

{{tag> readynas linux ssh howto}}