RN102 v6.1.8 - cant access SSH

How do you try to ssh in ? Did you try to erase your stored SSH keys, I'm not sure if Netgear regenerated them because of heartbleed or if they just patched, if it were that you shouldn't get the password prompt though.
Did you contact Netgear, they should be able to restore this via tech mode.

If you have backups, you could always try an os reinstall (factory default will erase everything, with os reinstall you should be fine but it will reset admin password and network settings, but a backup and a quick search in the user manual are advised anyway).

Hi,

This happen many days after I upgraded ssl stuff. I cant delete my stored ssh keys, as I cant log in!

I am afraid that partition / ran out of diskpace, or, by any reason has been mounted on read only mode.

But, I find no way to browse files, etc.

Thanks for your reply,

Felipe

Well, I was reluctant to try netgear support, but unfortunately, as I expected, they were useless :(

Try to download your log and then delete them (to have a trace of past things in case this doesn't solve the problem), this should free up space on /. You could also try to remove some installed apps.
Anyway, do a full backup before attempting anything while you still have access to your files. It would be reckless not to (raid is not backup).
If you already rebooted since you noticed the problem, you can try again with the newly available space to see if the partition is mounted otherwise.

For SSH keys I wasn't saying on the NAS. I know OS X stores them in ~/.ssh/known_hosts (or something approaching) for example.

As for browsing files, you shouldn't be able to find any if Netgear did its job. It would be really alarming otherwise.

For Netgear support can you summarize what's been tried and said ?

Hi,

I managed to get inside the box via serial console, thanks to this page: http://natisbad.org/NAS2/

I found that something changed my user shell from /bon/bash to /bin/false. Oddly this happened to both my readynases.
I still havent found what changed the user account shell, seems like some upgrade did it. The second readynas doesnt have any port natted to outside.

As I had "PermitRootLogin No" on sshd config, I got locked outside. Luckily, serial console was there.

Thanks,

Felipe

xeltros wrote:

Try to download your log and then delete them (to have a trace of past things in case this doesn't solve the problem), this should free up space on /. You could also try to remove some installed apps. Anyway, do a full backup before attempting anything while you still have access to your files. It would be reckless not to (raid is not backup). If you already rebooted since you noticed the problem, you can try again with the newly available space to see if the partition is mounted otherwise. For SSH keys I wasn't saying on the NAS. I know OS X stores them in ~/.ssh/known_hosts (or something approaching) for example. As for browsing files, you shouldn't be able to find any if Netgear did its job. It would be really alarming otherwise. For Netgear support can you summarize what's been tried and said ?

Xeltros,

Sorry for the delay. Netgear folks tried to be helpful. I enabled SSH and the guy could access the box (even without natting the port on my router). I asked if he could run `df` and check if my disks where full, but he said he could not run any command on the system.

Cheers,
Felipe

Having a shell set to /bin/false is a way to say "sorry guy you don't have the right to login".
Permit root login is required to SSH with the root account. If not enabled you will have to fall back to another authorized ssh account then issuing the "su" command without a login name behind it to go to root mode. That's a security thing to avoid brute force on root account and if "sudo" is not enabled you would have to get passed two password to get root powers which enhances security.
How did they SSH in, did you activate tech support mode (or the SSH section in support in the settings) ?

Yes Netgear "basic tech" are not authorized to use SSH, you would want to escalate for someone to be able to issue commands, but I'm not sure they would do that for a problem that could have been caused by SSH... But if they got in, you may be able to get in too, except if they used some backdoor account.

xeltros wrote:

Having a shell set to /bin/false is a way to say "sorry guy you don't have the right to login". Permit root login is required to SSH with the root account. If not enabled you will have to fall back to another authorized ssh account then issuing the "su" command without a login name behind it to go to root mode. That's a security thing to avoid brute force on root account and if "sudo" is not enabled you would have to get passed two password to get root powers which enhances security. How did they SSH in, did you activate tech support mode (or the SSH section in support in the settings) ? Yes Netgear "basic tech" are not authorized to use SSH, you would want to escalate for someone to be able to issue commands, but I'm not sure they would do that for a problem that could have been caused by SSH... But if they got in, you may be able to get in too, except if they used some backdoor account.

Regarding /bin/false, yes, you are right. But something changed it, my user account default shell was bash.
I disabled root login for ssh for the very reason you mentioned.

I dont know how they SSHd into the box. I enabled the tech mode thing, I open no NAT port and the guy got in. Seems like they have something that works inside-out.

When I plugged the serial console, I managed to login as root and change my shell back from /bin/false to bash.

cheers,

Felipe

When requested by support, you can place your unit in tech support mode or enable remote access for support via the Dashboard. A secure connection is made to a NETGEAR server. An authorised NETGEAR Technical Support representative can then login to the NAS to troubleshoot the problem. Depending on the issue a fee may be involved but if there is going to be a charge you would be advised of this.

Yep that's why I asked, normal SSH doesn't emit anything but their support special things can contact a server (as mentioned by mdgm), thus creating a connection that can be used to get in (once outbound nat is created, inbound is allowed since it's seen as a reply by your router).
If you got in via console as root, you should be able to get into your NAS via SSH quite soon. check SSH config, users shells, restart the service, check the firewall if needed. I think if all that is fine, you should get SSH back.
If not, I tend to check my backups and factory reset, those NAS are too scripted to my taste and sometimes it's cleaner to reset than to follow the trail to some hidden config file modified by a script that is itself hidden deep into the system. Not an heroic way to go, but works 100% of the time. Of course, I tend to avoid having a problem in the first place so...

PS : for your user, did you use it in the NAS interface for anything ? If so, the NAS may have rewritten it to use it as an FTP/CIFS/AFP user while you updated your settings. If you changed your user password in the interface, same thing. As far as I know, all users created via the web interface have a shell set to /bin/false to prevent them from using SSH or do nasty things and the scripts used by Netgear mays rewrite entirely each thing instead of modifying the existing. That would explain your problem. I know for example that my modified config of apache is erased at each update. Maybe users are checked in the same way and standardized if they are not compliant with what the script expects.