when changing admin password, clear SSH logins too

Hi QNAP folks.

QTS 5.2.9.3410

I recently reset the admin account password on my QNAP NAS via CLI. After restarting the NAS, I was required by the QTS UI to enter the Cloud Key as the password, then was made to select a new admin password. So far, so good.

I then noticed the admin SSH authorized_keys and RSA / ECDSA / ED25519 key files were not cleared, and my current SSH session (logged in with a key file) wasn’t dropped by QTS. Imagine if I were a hacker in an SSH session: I still had access to the NAS even though the admin password had been changed via the UI. And I was able to login again via SSH at will, as the key files had not been regenerated.

I suggest the above should occur automatically when the admin password is changed, as a security precaution.

Thank you.
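As an added example, not part of the thread and not QNAP's own code: a portable shell sketch of the manual sweep the post is asking QTS to perform automatically after an admin password change. It assumes a generic Linux host running OpenSSH with a `ps` that accepts `-eo pid,args`; where QTS keeps the admin account's `.ssh` directory and how it restarts sshd are not stated in the thread, so the home directory is a parameter and the restart is left as a comment. The caveat a practitioner wants here: `authorized_keys` (plus any other credential the account holds) is what lets someone log back in, and the open session is what keeps them in; regenerating the host RSA/ECDSA/ED25519 keys only changes the server's identity, so it is listed last and is not a substitute for the first two steps.

```shell
#!/bin/sh
# Added example (not from the QNAP thread or QTS). Post-password-reset SSH
# credential sweep for one account on a generic Linux/OpenSSH host.

# Step 1: remove the key material that would let the holder of the old
# credentials log straight back in. authorized_keys is what grants access;
# the id_* private keys are swept too in case they were copied or planted.
# Prints the number of files/key pairs removed.
revoke_ssh_keys() {
    sshdir="$1/.ssh"          # $1 = account home directory (assumed layout)
    removed=0
    for f in "$sshdir/authorized_keys" "$sshdir/authorized_keys2" \
             "$sshdir/id_rsa" "$sshdir/id_ecdsa" "$sshdir/id_ed25519" "$sshdir/id_dsa"; do
        [ -f "$f" ] || continue
        rm -f "$f" "$f.pub"   # drop the matching .pub alongside a private key
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Step 2a: from `ps -eo pid,args` output on stdin, select the per-session sshd
# processes belonging to USER. OpenSSH names them "sshd: user [priv]" (monitor)
# and "sshd: user@pts/0" / "sshd: user@notty" (session child). Listener and
# other users' sessions are left alone. Prints one PID per line.
ssh_session_pids() {
    user="$1"
    awk -v u="$user" '$2 == "sshd:" && (($3 == u && $4 == "[priv]") || index($3, u "@") == 1) { print $1 }'
}

# Step 2b: terminate those sessions. If you run this over SSH as that user,
# your own session is (correctly) included, so run it from the local console.
drop_ssh_sessions() {
    user="$1"
    ps -eo pid,args | ssh_session_pids "$user" | while read -r pid; do
        kill -TERM "$pid" 2>/dev/null || true
    done
}

# Step 3 (secondary): replace the host keys. This changes the server identity,
# so every client sees a "host key changed" warning; it revokes nobody.
# ssh-keygen -A writes fresh keys of each supported type into /etc/ssh.
regen_host_keys() {
    rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
    ssh-keygen -A
    # then restart sshd with whatever service manager the platform uses
}

# Constructed sample `ps -eo pid,args` listing (not captured from a real NAS)
# used to show what ssh_session_pids selects: the admin monitor, the admin
# pts and notty sessions, but not the listener or the backup user's session.
SAMPLE_PS='  PID COMMAND
    1 /sbin/init
  812 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 2211 sshd: admin [priv]
 2215 sshd: admin@pts/0
 2290 sshd: admin@notty
 2301 sshd: backup@pts/1'

printf '%s\n' "$SAMPLE_PS" | ssh_session_pids admin
# prints 2211, 2215, 2290 (one per line)

# Real sweep on a host, in this order (destructive; left commented out):
#   revoke_ssh_keys /home/admin      # home path is an assumption for QTS
#   drop_ssh_sessions admin
#   regen_host_keys
```

Order matters: revoke the keys before dropping sessions, otherwise a session that notices the disconnect can simply reconnect with the key that is still on disk. A reset made in response to a suspected compromise should run the first two steps for every account with SSH access, not only admin.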

Thanks for the suggestion! We’ll have our internal team verify this and handle it accordingly.

Could you let us know which CLI command you used to change the account password? We’ll look into it further and handle it accordingly. Thanks!

I don’t recall, but that’s not the issue.

Changing the admin password should regenerate the key files and drop any current SSH connections.

Also, I didn’t change the password at the CLI, I reset it by messing around with the utils in /sbin/