Posts Tagged ‘password’

Create samba user shares in TonidoPlug (NAS)

TonidoPlug can act as a NAS device.

When an external USB hard disk is connected to TonidoPlug, it automatically mounts the USB HDD and makes it available to other computers on the network. For example, to connect to this share from Windows, open an Explorer window and type \\<TonidoPlug IP>\MediaDisk, and you get full access to the USB HDD.

TonidoPlug is not configured to provide user-based access to Samba shares by default, so here is a guide to setting that up.
With this setup, users access their home directories by authenticating with their login and password. They cannot view or access other users’ shares without knowing those users’ login credentials.

By default, when a user is created in the Linux OS, it is not automatically available as a Samba user. That is usually done as a separate step. In our setup we also try to automate this process.

Setup

1. Install the libpam-smbpass package. This package provides the tools needed to synchronize Linux OS users and passwords with the Samba repository.

# apt-get install libpam-smbpass

2. Open /etc/samba/smb.conf with a text editor and make the following changes.

3. By default TonidoPlug allows full access to everybody. Disable this default behavior: look for the following lines and comment them out.

# What naming service and in what order should we use to resolve host names
# to IP addresses

;   name resolve order = lmhosts host wins bcast
;   force user = root
;   force group = root

;   guest ok = yes
;   browseable = yes
;   public = yes
;   writable = yes

The lines above are shown already commented out.

4. By default TonidoPlug allows share-level access. Change this to user-level access.
Look for the line “security = share” and change it as follows:

# “security = user” is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.

security = user

5. Enable automatic synchronization of user and password information from the Linux OS to Samba.

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

6. We need users to be able to access their home directories when they log in with their user ID and password. The Samba configuration must be set to expose user home directories.

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares.  This will share each
# user’s home directory as \\server\username
[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to ‘no’ if you want to be able to write to them.
read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.  Un-comment the following parameter
# to make sure that only “username” can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S

7. Save the smb.conf file and restart the Samba daemon.

# /etc/init.d/samba restart
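
A check for steps 3 to 6, added here as an example and not part of the original post: the shell function below reads an smb.conf and reports the active (uncommented) settings this guide turns off, plus a [homes] section without valid users = %S. The name audit_smb_conf and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active smb.conf settings that this guide changes.
# audit_smb_conf is a hypothetical helper name; pass a file, or - for stdin.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { sec = "global" }             # Samba treats leading lines as [global]
    /^[ \t]*([#;]|$)/ { next }           # skip comments (# or ;) and blank lines
    /^[ \t]*\[/ {                        # section header such as [homes]
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec == "homes") homes = 1
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1)); lval = tolower(val)
        if (key == "security" && lval == "share")
            print "[" sec "] security = share (guide sets security = user)"
        if ((key == "guest ok" || key == "public") && lval == "yes")
            print "[" sec "] " key " = yes (access without a login)"
        if ((key == "force user" || key == "force group") && lval == "root")
            print "[" sec "] " key " = root (all file access runs as root)"
        if (sec == "homes" && key == "valid users") owner_only = (val == "%S")
    }
    END {
        if (homes && !owner_only)
            print "[homes] valid users is not %S (share not limited to its owner)"
    }' "$1"
}

# Constructed sample: the open defaults the guide starts from.
sample_before() {
    printf '%s\n' '[global]' '   security = share' '   force user = root' \
        '   force group = root' '   guest ok = yes' '   public = yes' \
        '[homes]' '   read only = no'
}
# Constructed sample: the same file after steps 3 to 6.
sample_after() {
    printf '%s\n' '[global]' '   security = user' ';   force user = root' \
        ';   force group = root' ';   guest ok = yes' ';   public = yes' \
        '   unix password sync = yes' '[homes]' '   read only = no' \
        '   valid users = %S'
}

# Usage on the device: audit_smb_conf /etc/samba/smb.conf
```

No output means none of the checked settings is active; run it again after any later edit to smb.conf.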


Share Test

For testing, we will create a user on the TonidoPlug and try to access the user’s home directory as a Samba share.

1. Create a user on TonidoPlug. You can do this by connecting to TonidoPlug over SSH as the root user.

# useradd -m -k /etc/skel demouser

2. Set a password for the demouser.

# passwd demouser

3. Important: Open another SSH session to TonidoPlug and log in as the new user. This is the only trigger I could find to synchronize the OS user details with Samba.
You can close the SSH session as soon as the login is successful.

4. From the other SSH session (as the root user), verify that the new Linux user is synchronized with Samba.

# pdbedit -w -L
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0708DD6BC4B608A64FC970497CC6F7AD:[U          ]:LCT-4A09E411:
demouser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A827E65ED0E8EA4B14721624A19DE519:[U          ]:LCT-4A9E8E33:

You should see ‘demouser’ as an entry in the output.

5. Now, from the Windows machine, open an Explorer window and type \\<Tonido_Plug_IP>\demouser. It should prompt for a username and password. Enter ‘demouser’ and its password. Once you click ‘OK’, it should show demouser’s home directory, with full access only to that home directory.

SSH without password using Putty

SSH Protocol

SSH (Secure Shell) is a network protocol that provides secure access to a computer (mostly Unix based). When you want to connect to a remote Unix server, SSH is one way of accessing the server. SSH is powerful because it combines security of the data transmitted over the network with accessibility of the remote system. The SSH protocol works between two computers in a client-server architecture. When a client computer connects to the server, the server requires the client to authenticate itself, and there are different ways a client can do so. A typical authentication mode is to enter a password when logging in to the remote system. In this howto we explore another mode of authentication, in which the server doesn’t require the user to enter a password. This mode is very useful if you connect to a remote system frequently and don’t want to enter the password every time.

Before we see the steps, just to give a background on the components involved:

SSH SERVER

When you need to connect to a remote computer via SSH, that computer must have an SSH server running on it. All Unix-based distributions (Linux, Mac OS X, etc.) include an SSH server. For Windows-based systems, Cygwin can be used as an SSH server.

SSH CLIENT

Assuming your remote computer has an SSH server running on it, you need an SSH client on the local computer to connect to it. On Unix-based systems, SSH clients are available as command-line utilities. For Windows-based systems, Putty is an excellent client. Check here for more information about Putty.

CONFIGURATION

  1. We start the configuration at the Windows client computer. Download the latest version of Putty.exe and Puttygen.exe from here. Using the Puttygen tool we have to generate an authentication key. This key will serve as a substitute for the password that would otherwise be entered during login.
  2. Start puttygen.exe by double-clicking on the executable. The following window opens up.

    Puttygen Window

  3. Leave the default ‘SSH-2 RSA’ selection and click on the ‘Generate’ button. The following window opens. Move the mouse randomly over the empty space below the progress bar to create some randomness in the generated key.

    RSA key generation by Puttygen

  4. Don’t enter any key passphrase. Click on the ‘Save private key’ button. Click ‘Yes’ in the window asking for confirmation to save the key without a password.

    Key generated successfully

  5. Save the key file to a safe location (let us assume you save it as C:\Personal\SSHKey\Laptop.ppk).
  6. Now you can close the Puttygen window.
  7. Open the Laptop.ppk file in Notepad. Copy the four lines under the ‘Public-Lines’ section to the Windows clipboard.

    Copy Public Key Section

  8. Now open Putty and connect to the remote system using the user ID you want to use for future no-password connections. (Let us assume you will connect to the remote machine using the user name ‘ubu’.) This time when you log in, you have to provide the password at the prompt. Future logins won’t require this password.
  9. Under the logged-in user’s home directory there will be a .ssh directory. Under that, create a new file called authorized_keys using a text editor such as vi. (In our case the file will be created as /home/ubu/.ssh/authorized_keys.)
  10. Type the word “ ssh-rsa ” (including spaces on both ends of the word) and paste the 4 lines copied in step 7. Remove the carriage return at the end of each line, merging the four lines into one single line. Be careful not to delete any characters while doing that. The final output should look like the following window.

    Add generated key to remote system

  11. Save the file and quit the text editor. Assign rw permissions only for the owner:

    $ chmod 600 ~/.ssh/authorized_keys

    Set file permissions

  12. Now that we have configured the SSH server, it’s time to test our setup.
  13. On the local system, open Putty and enter the IP address details of the remote system.
  14. Now, from the left navigation, select Connection -> Data. Enter ‘ubu’ as the ‘Auto-login username’ in the right panel.

    Enter User name on Putty

  15. Again from the left navigation menu, scroll down and select Connection -> SSH -> Auth. Enter the path of the saved private key file (in our case C:\Personal\SSHKey\Laptop.ppk). Leave the other defaults as they are and press the Open button.

    Specify key file location

  16. Putty now connects to the remote SSH server, and there won’t be any password prompt from here on :-).

    No Password Connection
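
Steps 7 to 11 done by script instead of by hand, added here as an example that is not part of the original post: it reads only the Public-Lines section of the .ppk file, strips the Windows carriage returns, joins the lines, and appends the result to authorized_keys with owner-only permissions. The function names and the sample file contents are constructed for illustration; the sample is placeholder text, not a real key.

```shell
#!/bin/sh
# Added example: build the authorized_keys entry from a PuTTY .ppk file.
# Only the public section is read; the private lines never leave the file.
ppk_public_line() {   # ppk_public_line PPK_FILE
    awk '
    { sub(/\r$/, "") }                       # .ppk files saved on Windows use CRLF
    NR == 1 { type = $2 }                    # "PuTTY-User-Key-File-2: ssh-rsa"
    /^Comment: / { comment = substr($0, 10) }
    /^Public-Lines: / { left = $2 + 0; next }
    left > 0 { key = key $0; left-- }        # join the N base64 lines into one
    END {
        if (type == "" || key == "") exit 1  # not a .ppk, or no public section
        print type " " key (comment != "" ? " " comment : "")
    }' "$1"
}

# Append the entry to HOME_DIR/.ssh/authorized_keys (steps 9 to 11), once only.
install_key() {       # install_key PPK_FILE HOME_DIR
    line=$(ppk_public_line "$1") || return 1
    mkdir -p "$2/.ssh" && chmod 700 "$2/.ssh"
    touch "$2/.ssh/authorized_keys" && chmod 600 "$2/.ssh/authorized_keys"
    grep -qxF -- "$line" "$2/.ssh/authorized_keys" ||
        printf '%s\n' "$line" >> "$2/.ssh/authorized_keys"
}

# Constructed sample: placeholder text in .ppk layout, not a real key.
sample_ppk() {
    printf '%s\r\n' 'PuTTY-User-Key-File-2: ssh-rsa' 'Encryption: none' \
        'Comment: constructed-sample' 'Public-Lines: 4' \
        'AAAAB3NzaC1yc2EA' 'CONSTRUCTEDLINE2' \
        'CONSTRUCTEDLINE3' 'CONSTRUCTEDLINE4' \
        'Private-Lines: 1' 'PLACEHOLDER-PRIVATE-PART' 'Private-MAC: 00'
}
```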

Caution
SSH is a powerful tool and relies on the password for security. We just bypassed that security for the sake of convenience. If a hacker gets hold of the private key we generated, it gives them free access to your systems. So use this technique with care.