× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.

Start a New Discussion

Start a New Discussion

Orbi WiFi 7 RBE973
Reply

Help: locked out from SSH access as root while trying to disable root access as SSH

chopin70
Virtuoso
Virtuoso
‎2020-11-08 01:56 PM
‎2020-11-08 01:56 PM

Help: locked out from SSH access as root while trying to disable root access as SSH

Hi,

 

I wanted to disable SSH root login and only enable it for the admin user

I had admin user properly setup and with SSH shell enabled. I tested and admin user was able to escalate to root by su

 

I tried to edit the /etc/ssh/sshd_config file, but the changes were reverted each time the SSH service was toggled on/off

I tried to modify the /etc/default/config/etc/ssh/sshd_config but the changes do not apply to the /etc/sshd_config

So it seems the config is regenerated from elesewhere when the SSH service is toggled on/off in GUI

 

I sadly followed an old guide here and edited the /etc/passwd file

https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/SSH-Deactivate-root-account-and-use...

I changed the :/bin/bash for root user to :/bin/false

 

As expected, root can no longer access the shell through SSH. However, admin account cannot escalate to root using su now. The password is accepted, but it doesn't escalate to root. Well, that was expected, but I thought it was a Netgear custom thing. I guess it was fixed in later OS as the guide is dated 2011

 

Please any one help me reset the access as it is now lost. I will try OS reinstall, but I really want to avoid a hard reset 😞

 

Also, is this guide uptodate for fixing my issue? (last post of this thread)

https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/SSH-Configuration-reset-on-reboot/m...

 

Thank you

Model: RN524X|ReadyNAS 524X – Premium Performance Data Storage - 4-Bay
Message 1 of 5
0 Kudos
Reply

Accepted Solutions
StephenB
Guru Guru
Guru
‎2020-11-08 04:08 PM
‎2020-11-08 04:08 PM

Re: Help: locked out from SSH access as root while trying to disable root access as SSH

@chopin70 wrote:
In tech support i have ssh root access ? I did not find info on how to proceed once in tech mode

Thank you again

You connect with telnet (not ssh). The user name is root, the password is infr8ntdebug.

 

Once logged in, you enter 

# rnutil chroot

to start raid, and chroot.  

 

Note the data volume isn't mounted (there are some additional steps needed to do that).   But this should let you undo the change to the passwd file.

 

 

 

 

 

View solution in original post

Message 4 of 5
Reply

All Replies
StephenB
Guru Guru
Guru
‎2020-11-08 02:19 PM
‎2020-11-08 02:19 PM

Re: Help: locked out from SSH access as root while trying to disable root access as SSH

@chopin70 wrote:

 

I wanted to disable SSH root login and only enable it for the admin user

 

Most things you'd want to change would require root access anyway (and you can mess things up badly if you forget to sudo).  Personally I wouldn't have done this.  

 

@chopin70 wrote:

... the guide is dated 2011

OS-6 NAS came out in 2013, so that guide would have been either for NV+ (4.1.x firmware) or Ultra/Pro (4.2.x firmware).  No idea on how it would apply to OS-6.

 

@chopin70 wrote:

 

Please any one help me reset the access as it is now lost. I will try OS reinstall, but I really want to avoid a hard reset 😞

 

If the OS reinstall doesn't restore access, you can boot up in tech support mode, and undo your change to the passwd file.

Message 2 of 5
Reply
chopin70
Virtuoso
Virtuoso
‎2020-11-08 02:39 PM
‎2020-11-08 02:39 PM

Re: Help: locked out from SSH access as root while trying to disable root access as SSH

In tech support i have ssh root access ? I did not find info on how to proceed once in tech mode

Thank you again
Message 3 of 5
0 Kudos
Reply
StephenB
Guru Guru
Guru
‎2020-11-08 04:08 PM
‎2020-11-08 04:08 PM

Re: Help: locked out from SSH access as root while trying to disable root access as SSH

@chopin70 wrote:
In tech support i have ssh root access ? I did not find info on how to proceed once in tech mode

Thank you again

You connect with telnet (not ssh). The user name is root, the password is infr8ntdebug.

 

Once logged in, you enter 

# rnutil chroot

to start raid, and chroot.  

 

Note the data volume isn't mounted (there are some additional steps needed to do that).   But this should let you undo the change to the passwd file.

 

 

 

 

 

Message 4 of 5
Reply
chopin70
Virtuoso
Virtuoso
‎2020-11-09 12:45 AM
‎2020-11-09 12:45 AM

Re: Help: locked out from SSH access as root while trying to disable root access as SSH

Thank you again, you saved me

I could telnet and revert the changes. Even DHCP was enabled so I did not have to make a direct PC connection as I thought

 

By the way, I tested the trick in last post from https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/SSH-Configuration-reset-on-reboot/m...

 

It properly works. It is wired because I was creating a /etc/ssh/sshd_config.bak file that was deleted whenever the SSH service was restarted from GUI. I thought all the /etc/ssh folder was recreated dynamically. However, a sshd_config.custom file, like proposed, was preserved

 

That way, the changes can effectively be done in sshd_cong.custom which is the proper was to start the service with custom settings

 

Since I am migrating the ReadyNAS to just a backup server, I just don't need the root SSH access all the time and I am used to never login as root on other systems. I just need to SSH for rsync jobs started from a remote system and for the occasional maintenance. For such tasks, changing the default port and disabling root user login is recommended.

 

Hope this can help others looking to customize the SSH access.

 

Warning to others: just do it at your own risk and if you understand the changes you do + ensure the telnet access can let you access the files you change

Message 5 of 5
0 Kudos
Reply
Top Contributors
See All
Discussion stats
  • 4 replies
  • ‎2020-11-08 01:56 PM
  • 1432 views
  • 2 kudos
  • 2 in conversation
Announcements