linux - How to add a user to DSM 5.x without initial password and force setting password at first login (ssh)
2014-07
I want to add users to my Synology DS214 with DSM 5.0. I'd like to let the password be set by the user at the first login with ssh. How to do this? How can I enforce a certain complexity of the password (length, signs contained)?
I've found SSH with no password (passwordless) on Synology DSM 5 as other (non-root) user so far, but I'm not looking for a solution without password - I don't care what the user does after setting the password.
For backing up my server, I would like to remotely access it via SSH. To minimize all risks, I want to use a user who only has read access, but to all files, just like root. However, he shouldn't have any write rights.
Any ideas on how to achieve that?
Might I suggest another method to solve your problem that's less maintenance-intensive.
You can create ssh keys which have limited access to specific programs. I dislike granting root unrestricted access, but sometimes you need to enable certain commands to be run via remote. With ssh keys you can have your backup program run via ssh command.
Check out the 'AUTHORIZED_KEYS FILE FORMAT' section in your sshd man page (I'm assuming you're using OpenSSH).
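The restricted-key approach the answer points at, as an added example (not code from the original answer): a forced-command wrapper that only lets the key run rsync in its read-only "sender" mode below one directory, plus the authorized_keys line that installs it. The wrapper path /volume1/backup-reader.sh and the tree /volume1/data are assumed names; the no-* options are used instead of the newer "restrict" keyword because the OpenSSH on a 2014-era DSM may not know it.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a read-only backup key.
# Assumed (not from the page): wrapper lives at /volume1/backup-reader.sh,
# the backup user may read /volume1/data only, paths contain no spaces.

# Return 0 only for the server-side rsync invocation a *pull* produces, i.e.
# "rsync --server --sender <flags> . <path>" with <path> under /volume1/data.
# Without --sender, rsync would be receiving (writing) on this host.
allowed_backup_command() {
    cmd=$1
    case "$cmd" in
        "rsync --server --sender "*" . /volume1/data" | \
        "rsync --server --sender "*" . /volume1/data/"*)
            ;;
        *)
            return 1 ;;
    esac
    # Belt and braces: exec below involves no shell, but refuse anything that
    # looks like command chaining or expansion anyway.
    case "$cmd" in
        *';'*|*'|'*|*'&'*|*'`'*|*'$'*) return 1 ;;
    esac
    return 0
}

# Build the authorized_keys entry: forced command plus the options that
# disable port/agent/X11 forwarding and pty allocation for this key.
authorized_keys_line() {
    pubkey=$1
    printf 'command="/volume1/backup-reader.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$pubkey"
}

# When sshd runs this script as the forced command, SSH_CONNECTION is set and
# the client's requested command is in SSH_ORIGINAL_COMMAND. Either exec it
# (word-split, no shell) or refuse; an interactive login has no command and
# is refused too.
if [ -n "${SSH_CONNECTION:-}" ]; then
    if allowed_backup_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "backup-reader: refused: ${SSH_ORIGINAL_COMMAND:-<interactive login>}" >&2
    exit 1
fi
```

Install the script read-only for the backup user (so the user cannot edit the whitelist), append the output of authorized_keys_line to that user's ~/.ssh/authorized_keys, and pull with something like rsync -a backup@nas:/volume1/data/ /local/copy/. The "read-only" guarantee comes from two places: the --sender check, which stops the key from driving rsync in receive mode, and ordinary file permissions, which still decide what the account can read.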
You could achieve that with ACLs. You'd still need a script running as root that changes the permissions of every file. See the man pages for ACL, setfacl and getfacl if you're interested.
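The ACL route, as an added example (not code from the original answer): one function applies a read-only entry for the backup account across a tree, including a default entry so files created later inherit it, and a second function audits getfacl output for any entry that would give that account write access. The user name rorootusr and the tree /volume1/data are assumed names, and the example assumes the standard Linux acl tools (setfacl/getfacl), which a DSM install may not ship.

```shell
#!/bin/sh
# Added example: read-only access to a whole tree via POSIX ACLs, plus an
# audit of the result. Assumed names (not from the page): user "rorootusr",
# tree "/volume1/data". Requires the acl package (setfacl/getfacl).

# Apply the entry as root. "r" = read; "X" = execute/traverse only where
# something already has execute (directories, existing executables); never "w".
grant_readonly_acl() {
    user=$1
    tree=$2
    # Access ACL on everything that exists now.
    setfacl -R -m "u:${user}:rX" "$tree"
    # Default ACL on directories only, inherited by files created under them.
    find "$tree" -type d -exec setfacl -d -m "u:${user}:rX" {} +
}

# Pure text filter over getfacl output: print the path of every file whose
# access or default entry for $user contains "w". Kept separate from getfacl
# so it can be checked against captured output.
acl_entries_with_write() {
    user=$1
    awk -v u="$user" '
        /^# file: / { path = substr($0, 9); next }
        {
            line = $0
            sub(/^default:/, "", line)          # default:user:name:rwx -> user:name:rwx
            split(line, f, ":")
            if (f[1] == "user" && f[2] == u) {
                perms = f[3]
                sub(/[ \t].*/, "", perms)       # drop a trailing "#effective:..." note
                if (perms ~ /w/) print path
            }
        }'
}

# Run the audit on a live tree (paths are printed absolute). Files moved into
# the tree with mv keep their old ACL, so run this after a grant and periodically.
writable_entries() {
    user=$1
    tree=$2
    getfacl -R --absolute-names "$tree" 2>/dev/null | acl_entries_with_write "$user"
}
```

The audit deliberately flags the nominal entry even when a "#effective" note shows the mask currently strips the write bit: a later setfacl that widens the mask would expose it, so the entry itself should never carry "w".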
There is another way of doing this without using ACLs. But you need to practice caution here. Firstly, create a group, for example, called roroot (readonly root). Then apply that group id to all directories. Make the permissions for the group bits r-- or 400 octal, then you can create a user account just like an ordinary user, for example, rorootusr, with the next id set to whatever it is on your system, make it a member of the group roroot only, do not make it part of wheel, bin, etc., depending on what your groups are on your installation. The next bit is going to be kludgy. Open the /etc/passwd file using vim/nano/emacs/joe/whatever editor rocks your boat, and look for the id you have just created, i.e. rorootusr; the passwd file will look like this:
root:x:0:0::/root:/bin/sh
Reading from left to right, separated by colons, you have user name, password (encrypted + shadowed), user id, group id, comment, home directory and shell. From the above example given:
rorootusr:x:512:450:Root User RO:/home/rorootusr:/bin/bash
It is the 3rd field (512) that you change to 0. 450 would be the group id for roroot. Save the edit session and you're done. Now rorootusr will have root access but is solely a member of the group roroot and has readonly access to the system.
Hope this helps, Best regards, Tom.