Add SSH on a Lacie Edmini V2

In a previous post, I explained how to make automatic backup on a server using SSH. I was suggesting that the server was somewhere on the Internet so we didn't have to deal with any SSH installation. However, sometimes some data are to sensible to be stocked somewhere on the Internet so a good idea is to have your own little server running SSH. In addition, once data are backuped on your local server you can decide (automatically) which one of them can be send on a distant server.

I have a Lacie Edmini V2 (ethernet gigabit disk). It is a nice little network harddrive coming with a Linux OS. It already has a Http and Ftp server but unfortunately, no SSH or rsync. Therefore, before being able to use the backup scripts we have to install these two services. Fortunately for us, some good work has already be done by some people. But unfortunately, I'm not as good with Linux as these guys are so everything they said was not always really clear. That is mainly the reason why I will try to create a guide that will be a little bit more explicit. I still assume however that you have some basic Linux knowledge.

Our starting points are the following 3 sources:

• edmini V2 as a Home Server
• LaCie Ethernet Disk mini
• Turning a Lacie Ethernet Disk Mini into Your Server

Have a look at them before we start our work and if you don't understand everything, don't worry... I didn't either. Under is the list of things we are going to do to add SSH support to your Lacie Edmini.

1. Open your drive and void the warranty (and don't blame me or anyone else if sonething is going wrong. As usual you are doing this at your own risk!)
2. Install the drive in another computer or in a USB case
3. Backup the system partitions
4. Copy the packages we will need to install
5. Install the shell backdoor
6. Create new user to use the packages we will install
7. Put the disk back in place
8. Start Telnet
9. Install SSH
10. Configure SSH
11. Remove backdoor and telnet script

Alright, now that you know what we are going to do, let's do it.

Open drive (void warranty) and install it on another computer

There is no more to explain than Jim already did in here. Have I mentionned already that you need a computer with a Linux running to do the next steps? Well if you don't have any Linux installed, you can always do it with a live CD (have a look at Knoppix or Ubuntu).

Backup the system partitions

As I was not really comfortable to do a backup using the command line tool dd and I didn't want to use too much space on backup, I went for a more interactive backup tool: partimage. There is not much to say here, just start the software and backup the system partitions, which are given by the 3 sources above, i-e partitions 7, 8 and 9. I recommand that you backup these partitions on another hard drive (the one of your computer for instance). In case anything goes wrong you will still have the possibility to restore the system.

Copy useful packages

Juergen Hench found that many packages compiled for other NAS drive where working on the Lacie Edmini (the list of compiled packages is available here). So copy on the partition 2 of your drive (the data partition (share/)) the following packages :

• bzip2
• openssh
• openssl
• popt
• rsync
• tcp-wrappers
• zlib

You may also have to download telnet here :

http://downloads.nas-central.org/Uploads/LSPro/Binaries/utelnetd

Install the shell backdoor

The three sources explain to create a file (we will call it webshell) containing the following:

#!/bin/sh 
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

and to put it in the partition 7 under the /www/cgi-bin/admin/ directory. Change the permission of the file to make it executable:

chmod +x /www/cgi-bin/admin/webshell

While you're at it, change the permission of the telnet daemon that you have downloaded earlier to make it executable as well:

chmod +x /home/share/utelnetd

Create new user

While I was following the steps given by the tutorials I base my work on, I always got a problem when they create the root user that will be able to use SSH or Telnet. Unfortunately for me, each time I was using the webshell to add a user, I screwed things up but I don't really know how or why. That's the reason why I decided to create the new user we would need later while the drive is still connected to the computer.

Look for the passwd file (find / -name passwd). The one we are interested in is located under a "etc" directory. But you will probably find 2 of them. So the one we are interested in is not in partition 7 (but I can't remember if it is in partition 8 or 9). It means that the path to it is something like .../snaps/00/etc/passwd. Once identified, open it with your favorite editor. If you have created other users than the admin default one then you should see them in the file. It shows that you are in the right file. So basically we will add two lines: one for a root user and one for the ssh user that is required to start openssh.

new_root:x:0:0:Linux User,,,:/home:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

Once done, we have to edit the "shadow" file located in the same directory as the passwd file and add a line for the new_root user. The "shadow" file contains the encrypted password of all users. You can copy the encrypted password of your admin account for instance or left the field blank for the moment. I copied the other values from the others lines.

new_root:encrypted_pass:12488:0:99999:7:::

Put the disk back in place and start telnet

Once your drive is reassembled and restarted, we will be able to start the Telnet daemon. To do so, just connect to your drive with your webbrowser

http://LACIE_IP_ADDRESS/cgi-bin/admin/webshell?/home/share/utelnetd

Of course, I suppose here that you have put the packages downloaded previously on the share folder of the data partition. If you have put it elsewhere, just specify the correct path. Once telnet is started, you should be able to connect to your drive through it. Open a console (or command prompt) and try

telnet new_root@LACIE_IP_ADDRESS

If you don't have specified a password yet you should be connected right away and it is the moment to add one

passwd new_root

Install SSH

With this telnet access we can install SSH. So with the packages that you have downloaded previously just do

tar -xvjf PACKAGE.bz2 -C /

I think I haven't forgot any packages so the service should be able to start. However if you try a /sbin/sshd it will complain about missing keys. So to correct it and allow ssh to start when the harddrive starts we will create an init script. It is based on what you have read here but modified a bit to create the keys automatically if they do not exist. So here is the file called "sshd" that you have to put under /etc/rc.d/init.d/ and / or .under .../snaps/00/etc/rc.d/init.d/

#!/bin/sh
# Begin $rc_base/init.d/
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
# changed a bit by Juergen Hench to run sshd, made from httpd
# changed a bit by Jimmy B. to create the ssh keys if they do not exist already
. /etc/sysconfig/rc
. $rc_functions
. /etc/packageversion
case "$1" in
    start)
        echo "Starting OpenSSH sshd..."
        # Start OpenSSH server 
        if [ ! -r /etc/ssh/ssh_host_rsa_key ]; then
            /usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_rsa_key -N ''
        fi
        if [ ! -r /etc/ssh/ssh_host_dsa_key ]; then
            /usr/bin/ssh-keygen -b 1024 -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
        fi
        /usr/sbin/sshd
        evaluate_retval
        ;; 
    stop)
        echo "Stopping sshd..."
        killproc sshd
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;; 
    status)
        statusproc sshd
        ;;
    *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac
# End $rc_base/init.d/

Don't forget to make it executable chmod +x /etc/rc.d/init.d/sshd

While we're at it we can create already the symlinks to start automatically [Edit 2008-05-05] An error has been corrected below following a comment [/Edit]:

ln -s  ../../init.d/sshd /etc/rc.d/rc3.d/S20sshd 
ln -s ../../init.d/sshd /etc/rc.d/rc6.d/K09sshd 

Alright, we are almost done. Try to start SSHd just by doing /etc/rc.d/init.d/sshd start. It shouldn't complain anymore about missing keys, but if you try to connect using ssh and the new_root account, you may still have some problem (at least I did). I identified the problem to be coming from the PAM security module. So there is one more thing to modify. We will modify the file /etc/pam.d/sshd (taken from Suse SUSE LINUX Enterprise Server – Installation and Administration - Chapter 20. PAM — Pluggable Authentication Modules / 20.2. The PAM Configuration of sshd and modified a bit).

#%PAM-1.0
auth required   pam_unix.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix.so    use_first_pass use_authtok
session required        pam_unix.so    none     # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname

Just create a file (pam_sshd) containing the content above and put it on your drive (in the data partition for instance). Then using you're telnet session or the webshell, just move it properly:

cp /etc/pam.d/sshd /etc/pam.d/sshd.bak 
cp /home/share/pam_sshd /etc/pam.d/sshd 
/etc/rc.d/init.d/sshd restart 

Try to login again... it should work!

Remove webshell and telnet

Once ssh is working properly, you can remove the webshell backdoor and the telnet script.

That's all I have done for the moment on this disk. I hope I have been clear enough. More can be done with this box as you have seen in the other articles I base my work on. I haven't tried yet to use the backup method explained in another post but I will eventually. If you have any problem, you can try to post a comment and I'll help in the limit of my time and my knowledge.

Follow up

I have written another post to allow the automatic login with SSH through the use of private / public key. It is available here.