NAS540: problem with the sshd after a firmware update

kempiude
kempiude Posts: 6  Freshman Member
edited February 2019 in Personal Cloud Storage
Dear Community & forum Moderators,

Recently I updated the firmware (NAS540) from V5.21 AATB.0 (May 26 2017) to version V5.21 AATB.1 (Jun 21 2018), and since then I have had a problem with sshd.
In particular, I cannot log in via ssh (with password and key auth.) to the NAS server using additional user accounts which were created via the web page (Control Panel -> Users).

To allow login with password and key auth., I'm using a simple script which:
1. Creates directories for additional users in the /home directory, e.g.
$ mkdir -p /home/git/.ssh
2. Copies authorized_keys files to .ssh directories (for key authentication),
3. Copies prepared shadow file to the /etc/shadow directory (for password auth),
4. Copies a config file sshd_config to the /etc/ssh/ directory
$ cp /i-data/sysvol/.ssh/sshd_config /etc/ssh/
5. Starts an SSH daemon:
$ /sbin/sshd -f /etc/ssh/sshd_config

This script is executed from the /opt/etc/init.d directory ( Entware-ng ).
In other words nothing special or sophisticated, but it does not work with the *newer* firmware.

In the release notes for the firmware V5.21 AATB.1 I found information about a “bug fix”:
“Modify default folder setting.”
Can someone explain to me in detail what it means?
What has been changed in the firmware?

At the moment I have downgraded the firmware to the older version V5.21(ABAG.0)C0 and everything works as expected. I can log in to the NAS with password and to all user accounts.

Any suggestions or hints are much appreciated.

thanks!
MaKe

#NAS_Feb_2019

Accepted Solution

  • Mijzelf
    Mijzelf Posts: 1,601  Guru Member
    Accepted Answer
    > 1. I get the following error message: "Privilege separation user sshd does not exist"

    It is possible that your system is automagically upgraded from Entware-ng to Entware. If that is the case you can see that in /opt/etc/opkg.conf, it gets its updates from http://bin.entware.net/armv7sf-k2.6.

    Entware has a 'Standard' and an 'Alternative' install. You can read about that here. On my automagically upgraded system I don't have the /opt/etc/passwd etc files, nor symlinks. I guess that's a bug in the upgrade script. Maybe you should add the symlinks (or files), as sshd probably needs them.
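
A way to run the check suggested in this answer, as an added example that is not part of any post in the thread. It assumes the account files meant by "/opt/etc/passwd etc" are `passwd` and `group`; the function name `check_privsep` and its prefix argument are hypothetical, the prefix being there so the check can be tried on a scratch directory.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): inspect the account files under
# <prefix>/etc that an sshd installed below <prefix> would consult for its
# privilege separation user.
# Assumption: the relevant files are passwd and group.

# check_privsep PREFIX [USER]
# Return codes: 0 = ok, 1 = file missing, 2 = dangling symlink,
#               3 = file present but USER has no entry.
# The first problem found determines the return code.
check_privsep() {
    prefix=$1
    user=${2:-sshd}
    rc=0
    for name in passwd group; do
        f="$prefix/etc/$name"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # Symlink exists but its target does not.
            echo "DANGLING $f -> $(readlink "$f")"
            [ "$rc" -ne 0 ] || rc=2
        elif [ ! -e "$f" ]; then
            echo "MISSING  $f"
            [ "$rc" -ne 0 ] || rc=1
        elif ! grep -q "^$user:" "$f"; then
            echo "NOENTRY  $f has no '$user' line"
            [ "$rc" -ne 0 ] || rc=3
        else
            echo "OK       $f"
        fi
    done
    return "$rc"
}

# When the script is given a prefix, check it (on the NAS: /opt).
if [ $# -gt 0 ]; then
    check_privsep "$@"
fi
```

A MISSING or DANGLING result for the `/opt` prefix corresponds to the situation described above, where the upgraded install had neither the files nor the symlinks.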


All Replies

  • eozrocwd
    eozrocwd Posts: 58  Ally Member
    I can only use admin to login ssh, are your steps to change ssh login account?
    is it configuration conflict after you upgrade the firmware?
  • Mijzelf
    Mijzelf Posts: 1,601  Guru Member
    Have you looked at the verbose output on clientside?
    ssh -vv [email protected] 
    And, as work-around, does the sshd of Entware-ng do the job?
  • kempiude
    kempiude Posts: 6  Freshman Member
    edited February 2019
    @eozrocwd
    > I can only use admin to login ssh, are your steps to change ssh login account?
    You can use the adduser command to add a new user (with password) to the system and then log in via ssh with this newly created user,
    but the problem is that after a restart of the NAS server the /etc/shadow file is replaced.
    Therefore I created a script which copies a prepared shadow file to the /etc/ directory.
    > is it configuration conflict after you upgrade the firmware?
    Zyxel changed something... that's why I asked about a bugfix: “Modify default folder setting.”

    @Mijzelf
    >Have you looked at the verbose output on clientside?
    >ssh -vv [email protected]
    To be honest, not really; my mistake, I simply downgraded the firmware instead of conducting more tests.
    I will do it; I am going to install the even newer firmware V5.21(AATB.2).

    > And, as work-around, does the sshd of Entware-ng do the job?
    Well, today I installed openssh-server and it's not as trivial as I expected ;)
    ======================================================================
    1. I get the following error message: "Privilege separation user sshd does not exist"
    $ /opt/sbin/sshd -f /opt/etc/ssh/sshd_config -d -d -d
    debug2: load_server_config: filename /opt/etc/ssh/sshd_config
    debug2: load_server_config: done config len = 310
    debug2: parse_server_config: config /opt/etc/ssh/sshd_config len 310
    debug3: /opt/etc/ssh/sshd_config:18 setting HostKey /opt/etc/ssh/ssh_host_rsa_key
    debug3: /opt/etc/ssh/sshd_config:19 setting HostKey /opt/etc/ssh/ssh_host_ecdsa_key
    debug3: /opt/etc/ssh/sshd_config:20 setting HostKey /opt/etc/ssh/ssh_host_ed25519_key
    debug3: /opt/etc/ssh/sshd_config:41 setting AuthorizedKeysFile .ssh/authorized_keys
    debug3: /opt/etc/ssh/sshd_config:111 setting Subsystem sftp    /opt/lib/sftp-server
    debug1: sshd version OpenSSH_7.9, OpenSSL 1.0.2p  14 Aug 2018
    Privilege separation user sshd does not exist

    ======================================================================
    2. This is strange, as I have an sshd user with a correct configuration:
    $ cat /etc/passwd | grep sshd
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

    ======================================================================
    3. Next I changed the configuration in sshd_config
    (added a line: "UsePrivilegeSeparation no") but this setting is deprecated:
    $ /opt/sbin/sshd -f /opt/etc/ssh/sshd_config
    /opt/etc/ssh/sshd_config line 94: Deprecated option UsePrivilegeSeparation
    Privilege separation user sshd does not exist

    ======================================================================

    Thanks for both replies!

  • Mijzelf
    Mijzelf Posts: 1,601  Guru Member
    > In the release notes for the firmware V5.21 AATB.1 i found information about a “bug fix”:
    > “Modify default folder setting.”
    > Can someone explain me in details what it means?
    > What has been changed in the firmware?
    That's an intriguing question. I downloaded both firmwares, extracted them, and ran a diff on both initramfs and extra rootfs. I think the "Modify default folder setting." refers to removing some files from /etc/zyxel/conf/, which is the mountpoint of the flash partition containing the configuration, and so hidden anyway.

    I don't see a reason why the behavior of sshd is changed.

    BTW, I see a lot more changes than the release notes cover. A lot are in pyc files. I picked a random one, uncompyled them, and saw the python code is identical. So I think most pyc files are effectively unchanged.
  • kempiude
    kempiude Posts: 6  Freshman Member
    Great answer, you are right, it automagically :smiley: gets updates from http://bin.entware.net/armv7sf-k2.6/ instead of from http://pkg.entware.net/binaries/armv7/
    I've added the missing symlinks and now (entware) sshd works as expected with firmware V5.21(AATB.0).
    Later I will give feedback about the update to the newest firmware V5.21(AATB.2).

    Does it make sense to upgrade entware to the version for armv7 kernel >= 3.2.x?
    The V5.21(AATB.2) version is based on 3.2.x.
    $ uname -r
    3.2.54

  • kempiude
    kempiude Posts: 6  Freshman Member
    I updated the firmware of the nas540 from V5.21(AATB.0) to the latest version V5.21(AATB.2)
    and both sshd (zyxel configured on port 8888) and entware (standard 22) work fine for all users.

    Many thanks for your help!


  • Mijzelf
    Mijzelf Posts: 1,601  Guru Member
    > Does it make sense to upgrade entware to version for armv7 kernel >= 3.2.x.

    Maybe. Based on my investigations to get Entware running on the Armv5 NSA line, I think the difference is kernel support for cmpxchg64, which is important for lockfree multithreaded programming, and the (lack of) some stubs in libc, which backports some functionality which isn't supported in the old kernel.

    Yet I don't think you'll feel the difference, and I don't know if you can mix up the libraries. Have you found any upgrade instructions?

  • kempiude
    kempiude Posts: 6  Freshman Member
    > Have you found any upgrade instructions?
    No, I have not found anything interesting, but if I find something interesting, then I will post it.

