DISCLAIMER : Messing up the stuff below can and will prevent you using SSH to access your My Book Live Duo. It's your own fault, go buy a new one.


Ok, I've had a play. First up, cheat like **bleep** in case I break it:

ssh root@<MBLD-IP-address>
cd /shares/tmp
cp /etc/ssh/sshd_config ./sshd_config_bak
ln -s /etc/ssh/sshd_config

 
I can now use the shared drive "tmp" to edit and update the sshd_config file, without needing to ssh into the box. (Obviously this is a foolish thing to enable, which is why it's only on a temporary share.) I've also taken the precaution of backing up the current file.

Next, editing the sshd_config file. I'm using vi so that I can edit on the NAS itself, rather than trusting CR-LF conversions via the network share (and because the NAS doesn't have emacs installed - but that's a whole other flamewar). As suggested by Myron, found the line

AllowUsers root

 Changed it to

AllowUsers root pc-backup

 
(where pc-backup is the user ID I'll configured into my sftp client on the PC)

Finally enter the command

/etc/init.d/ssh restart

 I didn't log out from that ssh session in case I'd broken it all. Instead I opened a new ssh and tried to log in as pc-backup: ssh access working perfectly. Logged on, home directory is /shares, standard unix permissions are preventing me from access shares (and other files) to which I shouldn't have access.
Try to log in with sftp: Working perfectly.

Happy



So now that I've enabled SSH for non-root, I decided to disable it for root. If I need root access, I can just ssh in as pc-backup (or create another account) and sudo/su to get root. Technically this is no more secure than logging in directly as root, but I don't like leaving remote root login enabled anywhere. Before I disable root login though, I need to make sure I can use sudo as pc-backup.

So alt-tab back to the ssh session in which I'm still logged on as root, find and edit the file /etc/sudoers
After the line

root ALL=(ALL) NOPASSWD: ALL

 I added the line

pc-backup ALL=(ALL) ALL

Saved, exited, tested on my pc-backup ssh session before doing anything else. (This is unix, I know how badly it'll go wrong if I don't test everything every time I touch it)

Now back to /etc/ssh/sshd_config and the two lines

PermitRootLogin yes
AllowUsers root pc-backup

 become

PermitRootLogin no
AllowUsers pc-backup

 
Another quick test, and I'm no longer able to ssh in as root, but I can ssh (and sftp) in as pc-backup, and if I need to I can use sudo to perform actions as root.


Sensible next step that I haven't tried yet:
http://blog.zioup.org//2008/iptables_recent/

I need to learn more about iptables first..

Final step: clear the backup and the symbolic link from the 'tmp' share.

All done