I developed the following Bash script as a workaround for the issue that the file ~/.ssh/authorized_keys gets lost each time the WD MyCloud is restarted.
Later, once you’re sure it’s working, you can add the following line to disable password authorization: To make it take effect restart dropbear on the NAS: You can tell the dropbear server which port to use by editing nf at this path on the NAS: Other ports may work, but 28 is unassigned by IANA, and less likely to be problematic. On the client side, you can set up a config for the NAS host that automatically connects via port 28, so you don’t have to remember to tell the client to use port 28 each time you connect. Once you have dropbear working, you can disable the built-in ssh server. Then if they’re both working, you can ssh into one or the other by targeting port 22 one time and another time target port 28 to test dropbear. When you’re setting it up, you might want to have the built-in ssh server running on port 22 and set up dropbear to run on another port, say port 28. Save the file, then reboot the NAS to use the alias. Put in whatever alias command you want, for example: # nano /shares/Volume_1/Nas_Prog/entware/profile There can be a lot of typing to navigate the storage folders, so an alias can help. It uses ecdsa, rsa, or ed25519 host keys. This will survive a reboot and even a firmware update. To restart dropbear after changing the conf file, use this command: I still ssh to the built-in user account sshd, even after switching off the built-in ssh server. This will disallow password-based logins. I copied the keys I wanted authorized from another ssh server computer to: And I made sure I could ssh in after using the web interface to switch off the built-in ssh server.
My goal was to restrict it to accepting certificate-only connections and make it survive a reboot. After using the link above to install entware for OS 5, I used opkg to install dropbear, a lightweight ssh server. So, I’d be stuck with password authentication still being acceptable after a reboot, which is a security hole. Although entware now gives you a persistent /home folder which will preserve its authorized_keys file between reboots, the built-in ssh server configuration is in /etc/ssh, which will be lost after a reboot. I chose to do things a bit differently for my EX2 Ultra.