First off, this is based on a portion of number3's Tutorial to setup 2 mbwe with rsync over the internet
Assumptions:
You have a basic setup already accomplished that includes changing the default "admin" password.
Changing this password is potentially very important as this may be an easy way to compromise your drives.
More on this later.
This does not require any Optware packages at this time.
Create Keys:
On each drive we need to create the key.
cd ~
mkdir .ssh
cd .ssh
ssh-keygen -b 4096 -N '' -t rsa -f id_rsa
Due to a "feature" in the white light drive firmware with permissions you also must run the following 3 commands on each drive in order for ssh via key to work:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Copy Keys to "remote" system:
Now we put it into the authorized_keys file on the remote drive.
cat ~/.ssh/id_rsa.pub | ssh root@<ip-or name of other drive> 'cat >> .ssh/authorized_keys'
Security Discussion
Now because we have an easily predicable root password for SSH it is potentially very desired to disable password authentication.
Security considerations are potentially very important, and if the drive contains business information it is strongly suggested you discuss these with a security professional.
An in depth discussion of the legal issues/security concerns are beyond the scope of this tutorial but some considerations are:
If the drive is internet accessible this is almost definitely NOT an acceptable risk to leave passwords enabled.
If the drive is only accessed behind a firewall it is possibly an acceptable risk to leave passwords enabled.
If there is a separate (read: not using the mbwe) vpn used to access the drive when not on location it is possibly an acceptable risk to leave passwords enabled.
If the network the drive is on has unencrypted wireless on it then it likely NOT an acceptable risk to leave passwords enabled.
If the network the drive is on has WPA2 based encrypted wireless on it then it is possibly an acceptable risk to leave passwords enabled.
If your think you need to disable ssh passwords read on, if not stop here you are done.
Of course the reverse side of this issue is potentially true that you can accidentally lock yourself out of your device, or that you compromise the security of your device.
Setup Telnet as a backup
First off Telnet is ALWAYS unencrypted including the password used for it which means anything you do with it can be seen by others and therefore it is important to understand there is security issues with using it.
Since we are planning to disable the SSH userid/password logon later on, we want to make sure we have a second way into the box. So logon to your hacked mybook using PuTTY. From now on I will assume that you will sudo to root every time you logon, or you directly logon to the root account.
So you are in? Then go and edit inetd.conf to enable the Telnet daemon.
# vi /etc/inetd.conf
Find the line that reads as:
#telnet stream tcp nowait root /usr/sbin/telnetd telnetd
Now remove the # in the front of telnet:
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
Save your changes, now you have a working telnet daemon. You should NEVER forward to port 23 from the internet router and do not put the mybook box in a DMZ configuration of your network router.
Hardening the SSH configuration
So now our next step is to harden the SSH configuration, we do this to by editing the configuration file ((/etc/ssh_config}}.
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
HostbasedAuthentication yes
BatchMode no
CheckHostIP no
AddressFamily any
ConnectTimeout 0
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2
Cipher 3des
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
EscapeChar ~
Lets now configure the SSH configuration file in such a way that it will no longer accept a password. It should ONLY work with the rsa keyfile we created. These are the options that are used to set it up.
- PasswordAuthenication set to no, so passwords are no longer used.
- HostbasedAuthentication set to yes, so the RSA key will now be used to logon to the other computer.
- StrictHostKeyChecking set to no, this way ssh will not complain when the hostname changes
- CheckHostIP set to no, this way ssh will not complain when an up address has changed of one of the known hosts.
- Protocol set to 2, this means that you can only use ssh version 2 protocol. No fallback allowed.
For more information check out the ssh_config manual.
After you changed this, you will need to reboot. The only way to login after this point is to use Telnet if you enabled it…. or by adding an extra rsa key to the authorized_keys file in the home directory. In case you use a Windows box and you use PuTTY, then you start using Pageant. This is the PuTTY agent, that keeps your keys for logging into mybooks.