Sunday, August 31, 2014

Gain SSH access to the Buffalo LinkStation 421e

It turns out that after I set up my LinkStation, guest access to Samba and AFP doesn't seem to work. The only way for me to solve this is to get sshd turned on. It just so happens that there is a tool called acp_commander that allows you to send shell commands to the LinkStation (originally for firmware purposes, I'm sure). Besides being a huge security hole, it serves its purpose.

Things to note:

  • I am using 1.31-0.92 firmware
  • telnets does not exist on this firmware version, so we can't use that for access.
  • I could unzip the firmware (the zip password exists online) and repackage the firmware, but I just didn't want to go through that process.
  • The commands I'm explaining are for the GUI version of ACPCommander, not the command line java version. Strings would have to be escaped differently for the command line.

Steps:

  • Obtain the UI version of ACP Commander from here.
  • The administrator password in the GUI should be the 'admin' password you have set up with the LinkStation. I believe it is just 'password' by default.
  • Run these commands with ACP Commander:
    • chmod 0755 /etc/init.d/sshd.sh
    • (echo newrootpass;echo newrootpass)|passwd
      • Make sure to keep the parentheses and replace 'newrootpass' with a password of your choosing. This will be the root password for the LinkStation.
    • sed -i 's/#Port 22/Port 22/g' /etc/sshd_config
    • sed -i 's/#Protocol 2/Protocol 2/g' /etc/sshd_config
    • sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/sshd_config
    • sed -i 's/#StrictModes yes/StrictModes yes/g' /etc/sshd_config
    • sed -i 's/\/usr\/lib\/sftp-server/\/usr\/local\/libexec\/sftp-server/g' /etc/sshd_config
    • sed -i 's/"${SUPPORT_SFTP}" = "0"/"${SUPPORT_SFTP}" = "1"/g' /etc/init.d/sshd.sh
      • Currently the init.d script for sshd seems to be experimental and SFTP support is not exposed by the current firmware, therefore the init.d script exits if SFTP is not turned on. This allows the 'exiting' of the script to be bypassed.
    • reboot
      • Obviously the LinkStation will reboot after this last command.
  • After the reboot finishes, you should be able to SSH into your LinkStation.
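
A check to run after the edits above and before the reboot, as an added example that is not part of the original post: each sed only rewrites a line that exactly matches its commented-out pattern, so this script confirms the settings took effect, reports when root can log in with a password, and verifies that the configured sftp-server binary exists on the firmware. The function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config after the
# sed edits above. On the NAS: audit_sshd_config /etc/sshd_config

# Print the effective value of a keyword. sshd uses the first uncommented
# occurrence and matches keywords case-insensitively.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Print the binary configured for "Subsystem sftp".
sftp_server_path() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Print one finding per line and return 1 if there are any. $2 is an optional
# root prefix (assumption of this example) for auditing an unpacked firmware
# tree or a test fixture instead of the live filesystem.
audit_sshd_config() {
    cfg=$1 root=${2:-} rc=0
    # Each sed only matches an exact commented line such as "#Port 22"; if the
    # shipped file differs, the edit silently does nothing.
    for want in "Port 22" "Protocol 2" "StrictModes yes"; do
        key=${want%% *}
        if [ "$(sshd_value "$key" "$cfg")" != "${want#* }" ]; then
            echo "NOT-APPLIED $key (expected '$want')"; rc=1
        fi
    done
    # Root login plus password authentication (sshd's default when unset)
    # leaves the root password as the only barrier.
    prl=$(sshd_value PermitRootLogin "$cfg")
    pwa=$(sshd_value PasswordAuthentication "$cfg")
    if [ "$prl" = "yes" ] && [ "${pwa:-yes}" = "yes" ]; then
        echo "RISK root-password-login (PermitRootLogin yes, PasswordAuthentication ${pwa:-unset})"; rc=1
    fi
    # The sftp-server rewrite must point at a binary this firmware ships.
    sftp=$(sftp_server_path "$cfg")
    if [ -n "$sftp" ] && [ ! -x "$root$sftp" ]; then
        echo "MISSING sftp-server $sftp"; rc=1
    fi
    return $rc
}
```

A MISSING finding means the sftp-server sed pointed sshd at a path this firmware does not ship, so that edit should be skipped or reverted.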

12 comments:

  1. Hi, I am setting up my buffalo 421e and have some security questions. Will you pls tell me?
    How you gonna access the device from internet? Only through SSH? You have not enabled web access?
    2. Did you configure TV access? I have smart TV (Google TV) no clue how to stream media files? Buffalo support is clueless.
    Appreciate any help here. Thanks.

  2. This worked perfectly thanks. Note however, that I didn't do: "sed -i 's/\/usr\/lib\/sftp-server/\/usr\/local\/libexec\/sftp-server/g' /etc/sshd_config" as it looked to me like the /usr/lib/sftp-server existed, but the /usr/local/libexec/sftp-server did not.

  3. This worked on the 441e also on the 1.70-1.06 software. Unfortunately, rebooting and logging back in to the web interface undid these changes and actively killed sshd. Will have to find the code that's doing that to prevent it.

  4. Beware! After I followed this procedure to enable SSH on a LS421DE the device started making (or receiving, not sure) SSH connections to Chinese addresses such as 148.4.161.222.adsl-pool.jlccptt.net.cn.

    Replies
    1. Hi Luis. Following these steps, there is no way at all this could possibly happen unless a couple things are true:
      1) There is a keylogger on the machine you used to connect via SSH to the Buffalo.
      2) You are not behind a Router/Firewall and are allowing open SSH connections to your Buffalo AND there is a default Username/Password that you didn't change.
      3) You installed other software from an untrusted source.

  5. I followed these instructions but with no success. Without a shell the unit is proving to be almost, not completely, useless. I just purchased the unit and have a Buffalo LS441D (LS441DB13) with firmware version 1.81-0.03 (4x4TB Red hdds if that makes any difference). Any help would be appreciated.

  6. I followed the instructions on firmware 1.81-0.03 on LS421 and it worked like a charm.

    Thanks

  7. Thank you! This also worked for me on firmware 1.81-0.03 on a LS421DE.

  8. Thank you! This also worked for me on firmware 1.81-0.03 on a LS421DE.

  9. Worked great on my LS220D THANKS!

  10. As posted before it works ok even under 1.81 until you log in again to the web interface.
    Cheers,
    fred

  11. Actually, even without re-using the web interface, the ssh daemon may be stopped.
    The workaround is to start it manually via the following command:

    /etc/init.d/sshd.sh start

    This produces the following output:

    Authenticate EnOneCmd... OK
    Authenticate with admin pw... OK
    load_info ItemValue = off
    LoadConfFileStringEx:key=[ad_dns] not found in /etc/melco/info.
    file:/etc/sftponly_config
    userinfo finished
    groupname guest
    groupname admin
    groupname hdusers
    groupname family
    file:/etc/pam.d/sshd

    Cheers

