Hello,
I want to be able to telnet to my DNS-323 (1.03 firmware) but using login. However, I cannot seem to be able to log on as root because I get a "login: no valid shadow password" message. I can log on as admin but admin does not appear to have root privileges.
Does anyone know enough to tell me what I am doing wrong? You can work out how I have set up my telnet so that I can telnet and unmount any disk, for example, to run fsck by looking at my fun_plug below.
Kind regards,
Jaya
----------
#!/bin/sh
# switch to disk environment
cd /mnt/HD_a2/telnet/
{
# script debug
set -x
# boot timestamp
date
# install files
cp utelnetd /sbin
cp busybox3 /sbin
# replace shell
mv -f /bin/sh /bin/sh.old
ln -s /sbin/busybox3 /bin/sh
# establish console
mknod /dev/ptyp0 c 2 0
chmod 0666 /dev/ptyp0
mknod /dev/ttyp0 c 3 0
chmod 0666 /dev/ttyp0
} >fun_plug.log 2>&1
# revert to host environment
cd /
# start telnet daemon
utelnetd -l /bin/login -d
----------
Last edited by jayas (2008-01-24 17:45:22)
jayas wrote:
utelnetd -l /bin/login -d
Try
utelnetd -l /bin/sh
You'll get a root shell. For login to work, you need to set a password for root, and make sure it's stored in /etc/shadow (restored from flash after reboot!)
fonz wrote:
Try
Code:
utelnetd -l /bin/sh
You'll get a root shell. For login to work, you need to set a password for root, and make sure it's stored in /etc/shadow (restored from flash after reboot!)
As I said before, login works for accounts other than root. Only root login fails.
I tried setting password for root, but this does not get updated in /etc/shadow. Somehow it looks like root password is not updated in /etc/shadow.
I worked out a way to add it manually to /etc/shadow file, but I am looking for a better solution.
Transcript below with encrypted passwords deleted.
Kind regards,
Jaya
# cat /etc/shadow
admin:[deleted]:0:0:99999:7:::
nobody:[deleted]:0:0:99999:7:::
# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Bad password: too short.
Warning: weak password (continuing).
Re-enter new password:
Password changed.
# cat /etc/shadow
admin:[deleted]:0:0:99999:7:::
nobody:[deleted]:0:0:99999:7:::
#
Last edited by jayas (2008-01-25 01:41:29)
jayas wrote:
I tried setting password for root, but this does not get updated in /etc/shadow.
You can try to add root manually: http://dns323.kood.org/forum/viewtopic. … 2993#p2993
Hello,
Many thanks to Fonz, here is the complete solution to do what I wanted, which will clone the "admin" password at boot time as the "root" password, and only allow "root" to telnet to the DNS-323 in a way that allows the disks to be fully dismounted while in the telnet session.
Enjoy.
Jaya
fun_plug contents:
#!/bin/sh
# switch to disk environment
cd /mnt/HD_a2
# transcript log ...
logFile=$PWD/fun_plug.log
{
# boot timestamp
date
# execution trace
set -x
# install telnet
cp telnet/utelnetd /sbin
cp telnet/busybox3 /sbin
# replace shell
mv -f /bin/sh /bin/sh.old
ln -s /sbin/busybox3 /bin/sh
# establish console
mknod /dev/ptyp0 c 2 0
chmod 0666 /dev/ptyp0
mknod /dev/ttyp0 c 3 0
chmod 0666 /dev/ttyp0
} >$logFile 2>&1
# revert to host environment
cd /home/root
# restrict telnet users
cp /etc/passwd passwd
sed -e '2,$s|:/home/.*|:/:/bin/sync|' passwd >/etc/passwd
echo "/etc/passwd updated" >>$logFile
# clone admin password
sed -n -e 's|^admin:|root:|p' /etc/shadow >>/etc/shadow
echo "/etc/shadow updated" >>$logFile
# start telnet daemon
utelnetd -l /bin/login -d
echo "telnet daemon started" >>$logFile
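An added example, not part of the original posts: a POSIX sh audit that shows what the fun_plug above changes in the account files, by flagging accounts with no shadow entry (the root login failure reported earlier in the thread), accounts sharing one password hash (the cloned admin password), and accounts that still have a login shell. The function names `audit_accounts` and `make_samples`, the account lines and the `HASH_A`/`HASH_N` placeholders are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed;
# HASH_A and HASH_N are placeholders, not real password hashes.

# audit_accounts PASSWD SHADOW: print one finding per line.
audit_accounts() {
    awk -F: '
        mode == "shadow" && $1 != "" {
            has_shadow[$1] = 1
            # Ignore empty and locked ("!" or "*") password fields.
            if ($2 != "" && $2 !~ /^[!*]/) {
                if ($2 in owner) print "SHARED_HASH " owner[$2] " " $1
                else owner[$2] = $1
            }
        }
        mode == "passwd" && $1 != "" {
            # The "no valid shadow password" case from the thread.
            if (!($1 in has_shadow)) { print "NO_SHADOW " $1 }
            # An empty shell field means the default shell, so flag it too.
            if ($7 !~ "/(sync|false|nologin)$") {
                print "LOGIN_SHELL " $1 " " ($7 == "" ? "(default)" : $7)
            }
        }
    ' mode=shadow "$2" mode=passwd "$1"
}

# make_samples DIR: write constructed before/after copies of both files.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/home/root:/bin/sh' \
        'admin:x:500:500:admin:/home/admin:/bin/sh' \
        'nobody:x:501:501:nobody:/home/nobody:/bin/sh' >"$1/passwd.before"
    printf '%s\n' 'admin:HASH_A:0:0:99999:7:::' \
        'nobody:HASH_N:0:0:99999:7:::' >"$1/shadow.before"
    # Same two sed edits as the fun_plug in the thread.
    sed -e '2,$s|:/home/.*|:/:/bin/sync|' "$1/passwd.before" >"$1/passwd.after"
    { cat "$1/shadow.before"
      sed -n -e 's|^admin:|root:|p' "$1/shadow.before"; } >"$1/shadow.after"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp"
echo "== before =="; audit_accounts "$tmp/passwd.before" "$tmp/shadow.before"
echo "== after ==";  audit_accounts "$tmp/passwd.after" "$tmp/shadow.after"
rm -rf "$tmp"
```

On the device itself the same check is `audit_accounts /etc/passwd /etc/shadow`, run as root so that /etc/shadow is readable.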
"and only allow "root" to telnet to DNS-323"
You do realise that telnet sends passwords in plain text - therefore anyone on your network will be able to see your root password using simple commands like snoop or tcpdump? If anyone other than you has access to the network I would suggest using ssh instead.
HaydnH wrote:
"and only allow "root" to telnet to DNS-323"
You do realise that telnet sends passwords in plain text - therefore anyone on your network will be able to see your root password using simple commands like snoop or tcpdump? If anyone other than you has access to the network I would suggest using ssh instead.
My next step is to switch to enabling only https and ssh, and I would appreciate pointers as to how well https works on this box and where I can get ssh.
Jaya