I was able to ssh into the LG N1A1. Turns out they had telnet enabled as of the latest update and it let me login as root.

This is what you get when you connect to 23 :

--------------------------------------------------------------------
  LG Electronics NAS (REV 10119)   NAS
--------------------------------------------------------------------

NAS login: root
Password:
Last login: Thu Jan  7 03:51:25 PST 2010 from 192.168.1.105 on pts/1
NAS:~#

NAS:~# cd /
NAS:/# ls -l
total 560
drwxr-xr-x   2 root root   4096 Jul  9  2012 bin
drwxr-xr-x   6 root root   4096 Jul  9  2012 boot
drwxr-xr-x  14 root root   3340 Jan  7 03:21 dev
drwxr-xr-x  80 root root   4096 Jan  7 03:51 etc
drwxrwxrwt   3 root root   4096 Jan  1 00:01 export
drwxr-xr-x   5 root root   4096 Jan  7 03:32 home
drwxr-xr-x  11 root root   4096 Nov 29  2011 lib
lrwxrwxrwx   1 root root     11 Jan  1 00:13 linuxrc -> bin/busybox
drwxr-xr-x   2 root root   4096 Mar 14  2011 media
drwxr-xr-x   7 root root   4096 Jul  9  2012 mnt
drwxr-xr-x   2 root root   4096 Mar 14  2011 opt
dr-xr-xr-x 106 root root      0 Dec 31  1969 proc
drwx------   2 root root   4096 Jan  7 03:51 root
drwxr-xr-x   2 root root   4096 Jul  9  2012 sbin
drwxr-xr-x   2 root root   4096 Jul 21  2010 selinux
drwxr-xr-x   3 root root   4096 May 19  2011 srv
drwxr-xr-x  12 root root      0 Dec 31  1999 sys
drwxrwxrwt   5 root root 507904 Jan  6 06:25 tmp
drwxr-xr-x  15 root root   4096 Jul  9  2012 usr
drwxr-xr-x  16 root root   4096 Jul  9  2012 var
NAS:/# uname -a
Linux NAS 2.6.36.2-lgnas #1 Wed Nov 30 10:16:40 KST 2011 armv5tel GNU/Linux
NAS:/#

At this point you can enable ssh login for the root user and perhaps update the config to run it on the standard port (22).

NAS:/etc/ssh# cp sshd_config sshd_config.old
NAS:/etc/ssh# sed -i 's/Port 2020/Port 22/g' sshd_config
NAS:/etc/ssh# sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' sshd_config
NAS:/etc/ssh# service ssh restart

Sort of. As of the 9595 firmware update at least, there's an ssh daemon listening at port 2020. I have logged in -- but all it does is return the Last login information and immediately log me back out. I haven't figured out how to actually get access to a shell. Indeed, I was searching for more information on this, myself, when I found this question.

P.S. That's the behavior when I log in with a regular user account I set up through the web interface. When I use the admin account, after logging in I get the curious error, "Could not chdir to home directory /mnt/disk/default/home/admin: No such file or directory" and then it kicks me out.

The 10119 firmware does not come with either telnet or ssh on. If you are sufficiently motivated, and willing to take a risk with your box, it is possible to get root on it.

Take a fresh download of the 10119 firmware, firmware-nt1-1_10119rfke.zip; it unzips to a .bin file. It's not actually a .bin file, the file extension is a lie; it's a .tar.gz, so go ahead and untar and ungzip it. In it, you'll find, among a variety of other files including the actual firmware.tar.gz, a preinst.sh and a postinst.sh. Those scripts are run, like their names suggest, before and after a firmware install. They are run as root. Anything you add to them will be run as root. I recommend putting the interesting stuff in postinst.sh, and have it run after the firmware install.

The crucial thing to know about rooting the N1A1 is that it has a daemon, platformd, which at boot time will revert certain config files to the factory standard. As it happens, platformd has very strong opinions about what's in /etc/ssh/sshd_config. So to get sshd running usefully on your N1A1, you're going to have to run your own sshd instance.

Just to get started, you can call sshd against the config file of your choice in postinst.sh. To do this, write up or find an sshd config file you like, and get it onto the N1A1; you can drop it in the web share directory if you want. The absolute path to the web share is /mnt/disk/volume1/myweb/. (User file shares are all under /mnt/disk/volume1/ too.) Once you have it there, you can add the line

/usr/sbin/sshd -f /mnt/disk/volume1/myweb/sshd_config 

to postinst.sh. You're going to need to do a couple other things in postinst.sh, too. Mine had a /etc/nologin file. I don't know if that's doing anything to thwart logins but to blow it away, add:

if [ -e '/etc/nologin' ]; then
rm -rf /etc/nologin
fi

You can't log into an account which doesn't have a home dir, and the homedirs of accounts created on the N1A1 are specified to be directories which don't exist (this may be intended as a security feature to keep out users). Likewise, you can't log in to an account the shell of which has been set to something bogus, and all the user accounts and the admin account have their shell set to IIRC "/bin/false". So also add to postinst.sh:

if [ ! -e '/home/admin' ]; then
mkdir /home/admin
fi
chown admin:admin /home/admin
usermod -d /home/admin/ admin
chsh -s /bin/bash admin

That's to make the "admin" account log-in-able. While you're in there, you might as well give yourself root:

echo root:yourfavoritetemporaryrootpassword | chpasswd

Okay, now you have that all in there, re-tar/gzip the firmware package back up, rename it to be a ".bin" (Why? Ask LG.) and then, fire up your N1A1's web interface, and do a firmware upgrade with your new hacked version of the firmware package.

You might want to do a backup of your files before trying any of this. Just sayin'.

If this worked, once it finishes going through the install-reboot process, you should now be able to ssh in with either your admin account or the root account.

But please note: if you reboot your N1A1, your sshd instance will not come up again automatically, and you will lose your shell access. So you might want to take this occasion to, first thing, set up a second sshd (with your own config file) while you're in there, so it does come up on boot like a regular sshd.