
Following the article in which I explained how to install an SSH server on the Lacie Edmini, I will now explain how to allow authentication with a private / public key pair, so that you can use the method explained in another article to back up your files to your local server.

During the installation of the SSH server, we didn’t touch anything in the SSH configuration files. As a result, you could log in with the root user you created during the process. The first thing I want to do is allow a normal user to use ssh. Doing so is easy: open the /etc/passwd file and modify the line of the user you want to allow so that it ends with /bin/bash or /bin/sh, depending on the shell you prefer. A user allowed to connect with ssh will then have a line that looks like:

normalUser:x:503:100:Linux User,,,:/home/normalUserDirectory:/bin/bash

The other difference is the home directory, which I changed to /home/normalUserDirectory instead of just /home. This step is necessary to give the user a directory on which he has full rights and can therefore add and modify anything he wants. Using your root ssh access, run:

mkdir /home/normalUserDirectory #create user directory
chown 503 /home/normalUserDirectory #change owner so that it is the same as in /etc/passwd
chgrp 100 /home/normalUserDirectory #change group so that it is the same as in /etc/passwd
chgrp 100 /home # change group so that it is the same as your user
chmod 750 /home

Changing the permissions of the home directory is required by ssh so that the user is allowed to connect using his private key. You then need to create a .ssh directory under /home/normalUserDirectory:

mkdir /home/normalUserDirectory/.ssh

and change the permissions as we just did before:

chown 503 /home/normalUserDirectory/.ssh
chgrp 100 /home/normalUserDirectory/.ssh
chmod 700 /home/normalUserDirectory/.ssh

On your computer (Linux, Windows with Cygwin, Windows with PuTTY), generate the keys that we will need for authentication. In a previous post, I used a DSA key:

ssh-keygen -b 1024 -f identity -P '' -t dsa

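but you could just as well use an RSA key, which is the safer choice with current clients because recent OpenSSH releases no longer accept DSA keys by default: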

ssh-keygen -b 2048 -f identity -P '' -t rsa

There are different ways to do it, but what’s important is that you verify that the generated identity.pub file, which contains the public key, has everything on one line. Verify that the user name at the end of the line is the same as the one you want to allow on the server (i.e. normalUser). Once you have ensured that the file is correct, you can transfer it to the server, into the .ssh directory that we created earlier:

scp identity.pub new_root_user@Lacie_IP_address:/home/normalUserDirectory/.ssh/authorized_keys

Then don’t forget to change the owner, group and permissions of the authorized_keys file:

chown 503 /home/normalUserDirectory/.ssh/authorized_keys
chgrp 100 /home/normalUserDirectory/.ssh/authorized_keys
chmod 644 /home/normalUserDirectory/.ssh/authorized_keys #you can specify 400 as well
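
A check you can run as root once the files are in place (added example, not part of the original article): it applies the ownership and write-permission test that sshd's StrictModes performs to the home directory, .ssh and authorized_keys, and confirms that a public key file holds one key on one line. The function names are made up for this example, and the key-type pattern only covers the rsa and dsa keys generated above.

```shell
#!/bin/sh
# Added example: audit a key-login setup before testing it with ssh.
# Usage: sh audit.sh /home/normalUserDirectory 503

# Succeeds when $1 is owned by uid $2 (or by root) and is not writable
# by group or others. Uses ls so it also works with BusyBox tools.
path_is_strict() {
    info=$(ls -ldn "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$owner" = "$2" ] || [ "$owner" = 0 ] || return 1
    case $perms in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Succeeds when the file holds exactly one key, all on one line:
# "<type> <base64> [comment]". A key wrapped over several lines fails.
pubkey_is_single_line() {
    awk '
        NF == 0 { next }                          # ignore blank lines
        { n++ }
        $1 !~ "^ssh-(rsa|dss)$" || $2 !~ "^[A-Za-z0-9+/]+=*$" { bad = 1 }
        END { exit !(n == 1 && !bad) }
    ' "$1"
}

# Check the three paths sshd inspects for the given home and uid.
audit_ssh_login() {
    want=$2 rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if path_is_strict "$p" "$want"; then
            echo "ok    $p"
        else
            echo "FAIL  $p (wrong owner, or group/world-writable)"
            rc=1
        fi
    done
    pubkey_is_single_line "$1/.ssh/authorized_keys" ||
        { echo "FAIL  authorized_keys is not one key on one line"; rc=1; }
    return $rc
}

if [ $# -eq 2 ]; then audit_ssh_login "$1" "$2"; fi
```

A FAIL line points at the path to fix with chown, chgrp or chmod before you try to log in with the key.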

For an alternative transfer method, look at the previous post referenced above, but once again don’t forget to set the correct owner and group.

Everything is in place to use the identification with private / public key on the server. The last thing to do is to verify your /etc/ssh/sshd_config file so that it looks like the following:

# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
# Allow authentication through private / public key
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem    sftp    /usr/lib/misc/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server

All commented lines are in fact the default values that sshd uses. I haven’t modified the file at all, so it is the default file contained in the SSH package that you downloaded from my previous post explaining how to install SSH on the Lacie Edmini.

That’s it! SSH is running and allows you to log in automatically to the home directory of your normal user with:

ssh -i identity -l normalUser LACIE_IP_ADDRESS

Of course, you should specify the correct path to the private key (identity). I have noticed that I could have some problems when the public and private keys were in the same directory, so since you don’t really need the public key anymore, you can move it to another folder.

Normal users can now easily make their backups in their own directory.


