SSH

After ssh'ing into my ReadyNAS I was looking to get rsync up and running, but was having trouble connecting to my server. As this was being performed over ssh, I started troubleshooting by first trying to ssh to the box from which I was connecting. Verbose output pointed to the problem being with permissions on /dev/tty.

$ ssh -v 192.168.1.107 
OpenSSH_4.3p2 Debian-5~bpo.1.netgear1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Connecting to 192.168.1.107 [192.168.1.107] port 22.
debug1: Connection established.
debug1: identity file /c/home/neil/.ssh/identity type -1
debug1: identity file /c/home/neil/.ssh/id_rsa type 1
debug1: identity file /c/home/neil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-5~bpo.1.netgear1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: Permission denied
Permission denied (publickey,keyboard-interactive).

A quick search and scan of a few similar problems suggested that it was down to permissions on the /dev/tty file, so I added myself to the tty group (to which the file belonged) and changed the permissions. To add yourself to the tty group you need to edit the /etc/group file as root and add your username to the end of the line that defines tty. Then modify the permissions on /dev/tty as root…

ReadyNAS:~/ # chmod 0664 /dev/tty

Passwordless SSH

It's a bit of a pain having to enter passwords each and every time, and not overly secure having cron run with your ssh password stored. The way to get round this is to use ssh keys. The following is based on the Gentoo Keychain guide, although I've opted not to install keychain on the ReadyNAS because doing so wanted to uninstall openssh, which didn't sound like a sensible thing to do.

Public key generation

Start by generating an ssh key for your user on the ReadyNAS…

user@ReadyNAS:~/ $ ssh-keygen

…this will take a little while (after all, the processor on the ReadyNAS Duo isn't that powerful), and you'll be asked to enter a password for an RSA key. Then do exactly the same on the server from which you wish to ssh to your ReadyNAS…

user@server:~/ $ ssh-keygen

…this should be a bit quicker as your desktop/laptop/server will likely have more processing power and RAM than the poor old ReadyNAS.

Swapping keys

Once a key has been generated on both machines you need to copy each public key to the other machine and add it to the list in ~/.ssh/authorized_keys. First copy the key from the ReadyNAS to your computer (substitute server_user and server appropriately)…

user@ReadyNAS:~/ $ scp  ~/.ssh/id_rsa.pub server_user@server:~/.ssh/myhost.pub
user@ReadyNAS:~/ $ ssh server_user@server "cat ~/.ssh/myhost.pub >> ~/.ssh/authorized_keys"

…then copy the key you generated on your server to the ReadyNAS…

user@server:~/ $ scp ~/.ssh/id_rsa.pub user@readynas:~/.ssh/myhost.pub
user@server:~/ $ ssh user@readynas "cat ~/.ssh/myhost.pub >> ~/.ssh/authorized_keys"
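
The append step above, as an added example that is not part of the original page: a helper that adds a copied public key to authorized_keys only once and sets the file modes sshd checks before it will accept the key. The function name install_pubkey, the dummy key and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR]   (hypothetical helper, not an OpenSSH tool)
# Runs in a subshell "( )" so the umask change does not leak into the caller.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # A .pub file holds one key: take the first non-blank line.
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub") || exit 1

    # Accept only "type base64-blob [comment]"; every OpenSSH key blob starts
    # with AAAA. This stops a private key being appended by mistake.
    case $key in
        ssh-rsa\ AAAA*|ssh-dss\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not a public key: $pub" >&2; exit 2 ;;
    esac

    # sshd (StrictModes, on by default) ignores authorized_keys when it or
    # ~/.ssh is writable by group or others, so set the modes explicitly.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Match on type + blob so the same key with a new comment is not re-added.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        exit 0
    fi
    printf '%s\n' "$key" >> "$auth"
)

# Constructed demo: a dummy key (not a real one) installed twice in a scratch dir.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdummy user@ReadyNAS\n' > "$demo_dir/myhost.pub"
install_pubkey "$demo_dir/myhost.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/myhost.pub" "$demo_dir/.ssh"
echo "entries: $(grep -c . "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the receiving machine this would be run as install_pubkey ~/.ssh/myhost.pub in place of the cat … >> append.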

Testing keys

You should now be able to ssh between your server and the ReadyNAS without having to enter your password for each machine. Instead you are prompted for your RSA key password, which is not the same thing (even if you used the same password). "What's the point of that? I've substituted one password request for another," I hear you asking. Well, this becomes useful because you can use ssh-agent (which is part of the openssh software package) to 'hold' your password keys, which you enter once when you log in, so that you don't have to enter your password each time you ssh to the ReadyNAS.

ssh-agent

The 'trick' to getting this working is to ensure that ssh-agent starts up. By default this should happen automatically when X starts; check with ps -A. If it is running, the simplest thing would be to reboot, and you should then be able to ssh to the ReadyNAS without being prompted for a password.

If you are asked for your password then it's possible that either ssh-agent isn't starting, or it's not using your key, in which case add the following to your ~/.bash_profile

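# ssh-agent prints the SSH_AUTH_SOCK/SSH_AGENT_PID settings; eval them so
# that ssh-add and ssh in this shell can find the agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa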

…and you should now be able to ssh to the ReadyNAS without being prompted for passwords.

Keychain

Finally, on your desktop/server (not the ReadyNAS) you should install Keychain, which will hold your password keys between logins. If you're using Gentoo simply emerge it, along with ssh-askpass-fullscreen, which will prompt you for your RSA/DSA password keys when logging in through a GUI.

# emerge -av keychain ssh-askpass-fullscreen

…and then add the following lines to your ~/.bash_profile so that it is enabled at each terminal session started…

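/usr/bin/keychain --agents ssh ~/.ssh/id_rsa
. ~/.keychain/$HOSTNAME-sh
# The gpg file only exists if keychain has also been managing gpg-agent
[ -f ~/.keychain/$HOSTNAME-sh-gpg ] && . ~/.keychain/$HOSTNAME-sh-gpg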

You're now ready to progress to setting up rsync.

linux/readynas/ssh.txt · Last modified: 2021/03/20 19:21 by 127.0.0.1
CC Attribution-Share Alike 4.0 International