[HOWTO] openSSH installation cook book


Re: [HOWTO] openSSH installation cook book

Postby mbalu » Thu Mar 04, 2010 9:58 am

Hi all,

Thanks for that post ! (It also works with my TS-459) :D

:idea: a little tip to not change the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file each time you add a new user...
Just replace:
Code:
...
AllowUsers admin
...

by
Code:
...
# AllowUsers admin
AllowGroups administrators sshd
...

in '/mnt/HDA_ROOT/.config/ssh/sshd_config' file.

Then, you just need to add a group called 'sshd', and add it to users who are allowed to use SSH (you can do it from the QNAP administration interface).

Hoping that it will help someone...
BR/
Marc
mbalu
New here
 
Posts: 5
Joined: Tue Feb 23, 2010 6:11 am
NAS Model: TS-259 Pro
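
The effect of switching from AllowUsers to AllowGroups, as described in the post above, shown as an added example that is not part of the original thread. It is a simplified model of sshd's checks: literal names only, no Deny*/Match handling, and group membership read only from an /etc/group-format file (real sshd also considers the primary group). The users alice and bob and all file contents are constructed.

```sh
#!/bin/sh
# Added example: which accounts may log in under a given sshd_config?
# Simplified model of sshd's checks: literal names only (no wildcards or
# user@host), no Deny*/Match, supplementary groups from a group file only.

# directive_values FILE KEYWORD -> values of all active (uncommented) lines
directive_values() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) {
        for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# groups_of USER GROUPFILE -> groups listing USER as a member (/etc/group format)
groups_of() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# in_list WORD ITEM... -> success if WORD equals one of the ITEMs
in_list() {
    w=$1; shift
    for x in "$@"; do [ "$x" = "$w" ] && return 0; done
    return 1
}

# ssh_allowed USER CONFIG GROUPFILE -> prints "allow" or "deny"
ssh_allowed() {
    users=$(directive_values "$2" AllowUsers)
    grps=$(directive_values "$2" AllowGroups)
    # AllowUsers, when set, must name the user
    if [ -n "$users" ] && ! in_list "$1" $users; then echo deny; return; fi
    [ -z "$grps" ] && { echo allow; return; }
    # AllowGroups, when set, must name one of the user's groups
    for g in $(groups_of "$1" "$3"); do
        if in_list "$g" $grps; then echo allow; return; fi
    done
    echo deny
}

# Constructed sample data: the two config variants from the post and a group file
WORK=$(mktemp -d)
printf 'Port 22\nAllowUsers admin\n' > "$WORK/old"
printf 'Port 22\n# AllowUsers admin\nAllowGroups administrators sshd\n' > "$WORK/new"
printf 'administrators:x:0:admin\neveryone:x:100:admin,alice,bob\nsshd:x:1001:alice\n' > "$WORK/group"

for u in admin alice bob; do
    echo "$u: old=$(ssh_allowed "$u" "$WORK/old" "$WORK/group")" \
         "new=$(ssh_allowed "$u" "$WORK/new" "$WORK/group")"
done
```

With the new config, access follows group membership, so reviewing who is in the 'sshd' and 'administrators' groups becomes the access review for SSH.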

Re: [HOWTO] openSSH installation cook book

Postby spamalope » Fri Mar 26, 2010 3:48 am

I had problems troubleshooting my configuration until I found instructions about how to run sshd in debug mode.

You can run a second sshd on a different port without stopping the current sshd, so testing doesn't require restarting processes.

Enable telnet and log into the nas with telnet.

Run this command '/usr/sbin/sshd -d -p 9876 -f /etc/ssh/sshd_config'

Make sure you specify the entire path to your sshd or sshd will complain and refuse to work. You can use the -f option to specify any config file. The -p option specifies the port number, -d turns on debug mode. You'll see a few pages of start-up information after you enter the command, and the terminal will stay in sshd until you hit 'ctrl-c' to cancel or you've connected and disconnected once.

On the client side, specify 9876 as the port number (-p from command line SSH). When you try to connect you'll see notices about what's happening in the telnet window.
spamalope
New here
 
Posts: 5
Joined: Sat Nov 21, 2009 4:33 am
NAS Model: TS-419P

Re: [HOWTO] openSSH installation cook book

Postby patbaker82 » Tue May 18, 2010 2:06 pm

patbaker82
Getting the hang of things
 
Posts: 59
Joined: Fri Aug 21, 2009 6:54 am
NAS Model: NMP-1000

Re: [HOWTO] openSSH installation cook book

Postby father_mande » Sat Jun 05, 2010 8:27 pm

Hi,

Just for your information ...

/tmp/.boot_done doesn't exist in TS-x09 ARM series .... but exists now (last firmware in TS-x10, TS-x19 series)

Philippe.
QNAP TS-459, 3.8.3 ,QPKG Debian6, Ajaxplorer 4
QNAP TS-109, under Debian Wheezy
QNAP TS-219P II, 3.8.3
QNAP TS-269L, 3.8.3 QPKG HDStation
******* VIRTUALBOX QPKG is dead ... R.I.P. *********
..... COME and join us, French speakers: http://forum.qnapclub.fr/index.php
father_mande
Experience counts
 
Posts: 1862
Joined: Mon Oct 06, 2008 6:52 pm
Location: Saint Mande, France
NAS Model: TS-x69L

Re: [HOWTO] openSSH installation cook book

Postby moe » Sat Jul 03, 2010 3:47 am

Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
viewtopic.php?f=142&t=31645&start=0
moe
New here
 
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am
NAS Model: TS-419U

Re: [HOWTO] openSSH installation cook book

Postby moe » Sat Jul 03, 2010 3:52 am

schumaku wrote:Use the one on this page, Wiki and the other one do cover the older TS-x09 systems.

The very best solution would be QNAP to remove this very unhappy "admin only" limitation as soon as possible, and update to the latest OpenSSH and OpenSSL code. Cannot be true customers have to replace such a key module.

-Kurt.



+1
moe
New here
 
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am
NAS Model: TS-419U

Re: [HOWTO] openSSH installation cook book

Postby patbaker82 » Wed Jul 07, 2010 9:33 am

moe wrote:Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
viewtopic.php?f=142&t=31645&start=0


Strange, I have this installed on a TS-509 and a TS-459 with firmware version @ 3.3.0 Build 0607T. Are you sure you're installing it correctly? I would telnet into the box, if you can, and get some additional information if you can.
patbaker82
Getting the hang of things
 
Posts: 59
Joined: Fri Aug 21, 2009 6:54 am
NAS Model: NMP-1000

Re: [HOWTO] openSSH installation cook book

Postby patbaker82 » Wed Jul 07, 2010 9:40 am

father_mande wrote:Hi,

Just for your information ...

/tmp/.boot_done doesn't exist in TS-x09 ARM series .... but exists now (last firmware in TS-x10, TS-x19 series)

Philippe.


Good to know. Feel free to mod the script, otherwise I will do so when I get some free time.
patbaker82
Getting the hang of things
 
Posts: 59
Joined: Fri Aug 21, 2009 6:54 am
NAS Model: NMP-1000

Re: [HOWTO] openSSH installation cook book

Postby marsoupilami » Wed Aug 04, 2010 9:40 am

Yop

I had some problems because the /opt dir has been mounted very late at start-up.
So I modified the script to wait for the /opt dir availability.

Here is the new script for my_install_openssh.sh:
Code:
#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
# ipkg update
# ipkg install openssh
# cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
# edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
# cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
# # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
# # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
# # by openSSH configuration and QNAP /opt/sbin/sshd daemon replaced
# # by openSSH daemon
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log

sleep 15 # let the system finish its startup tasks
# if you don't wait here, sshd will produce
# zombie process and all will go wrong

/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# depending on the target, mounting of /opt can be late
# so waiting for availability of /opt/sbin/sshd
# giving up after 30 seconds in case of no sshd!
count=0
while [ ! -f /opt/sbin/sshd ]
do
  sleep 1
  count=$((count + 1)) # POSIX arithmetic; "let" is not available in every /bin/sh
  if [ "$count" -eq 30 ]
  then
    echo "/opt/sbin/sshd not found after 30 seconds" >> "$LOG"
    exit 1 # the stock sshd was already stopped above, so no sshd is running now
  fi
done
echo "/opt/sbin/sshd found after $count seconds" >> "$LOG"

ps -ef | grep ssh | grep -v grep >> "$LOG" # this should produce no output, if everything is right

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place

# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start | tee -a "$LOG" # start the sshd
rm -f /tmp/my_install_openssh.sh # cleanup the rubbish


Now it's working fine with my TS219P

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D
Houba
TS-219P with nfs sharing
marsoupilami
Starting out
 
Posts: 10
Joined: Sat Jul 31, 2010 3:51 pm
NAS Model: SS-439 Pro

Re: [HOWTO] openSSH installation cook book

Postby patbaker82 » Fri Aug 20, 2010 12:06 am

marsoupilami wrote:Yop

I had some problems because the /opt dir has been mounted very late at start-up.
So I modified the script to wait for the /opt dir availability.

Here is the new script for my_install_openssh.sh:
Code:
#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
# ipkg update
# ipkg install openssh
# cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
# edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
# cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
# # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
# # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
# # by openSSH configuration and QNAP /opt/sbin/sshd daemon replaced
# # by openSSH daemon
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log

sleep 15 # let the system finish its startup tasks
# if you don't wait here, sshd will produce
# zombie process and all will go wrong

/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# depending on the target, mounting of /opt can be late
# so waiting for availability of /opt/sbin/sshd
# giving up after 30 seconds in case of no sshd!
count=0
while [ ! -f /opt/sbin/sshd ]
do
  sleep 1
  count=$((count + 1)) # POSIX arithmetic; "let" is not available in every /bin/sh
  if [ "$count" -eq 30 ]
  then
    echo "/opt/sbin/sshd not found after 30 seconds" >> "$LOG"
    exit 1 # the stock sshd was already stopped above, so no sshd is running now
  fi
done
echo "/opt/sbin/sshd found after $count seconds" >> "$LOG"

ps -ef | grep ssh | grep -v grep >> "$LOG" # this should produce no output, if everything is right

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place

# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start | tee -a "$LOG" # start the sshd
rm -f /tmp/my_install_openssh.sh # cleanup the rubbish


Now it's working fine with my TS219P

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D


Neither does the solution in the WIKI, at least it doesn't anymore. Not justifying one is better than the other, just clarifying a point.
patbaker82
Getting the hang of things
 
Posts: 59
Joined: Fri Aug 21, 2009 6:54 am
NAS Model: NMP-1000

Re: [HOWTO] openSSH installation cook book

Postby joschum » Fri Dec 24, 2010 2:23 am

I have installed openssh on a TS439-PRO. Authentication using a public/private keypair has worked for a long time but somehow it does not work anymore. The output of ssh -v is:

...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <USERNAME>@amygdala
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/<USERNAME>/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

Any ideas how to resolve this issue?

The same key works for logging into another linux machine without problem.

joschum
joschum
New here
 
Posts: 8
Joined: Fri Dec 24, 2010 2:10 am
NAS Model: TS-239 Pro

Re: [HOWTO] openSSH installation cook book

Postby Zophar » Wed Jan 19, 2011 9:33 pm

Petr wrote:
    ...
    3, open SSH is not part of default installation
    ...


Well I've found that on my QNAP (419P):
[~] # /mnt/ext/usr/bin/openssl version
OpenSSL 0.9.7a Feb 19 2003

My question is:
- Should I be able to use it (I have some issue with config file which is easy to resolve)

I'm working on a .qpkg and I have to use openssl to generate a key and a certificate at install time. So I just want to ensure that openssl is or is not installed by default on QNAP systems (So I'm sure to use ipkg openssl as a dependency). Does someone have an answer?
Zophar
Getting the hang of things
 
Posts: 71
Joined: Fri Sep 17, 2010 3:06 pm
Location: Switzerland
NAS Model: TS-401T

Re: [HOWTO] openSSH installation cook book

Postby tmt » Wed Jan 19, 2011 10:49 pm

I don't think you should depend on anything in /mnt/ext, that's a private area used by the QNAP utilities. My SS-439 doesn't have a /mnt/ext/usr directory at all, for instance.

As for openssl, no the full package is not available on the stock NAS, but the ssh-keygen binary is present in /usr/bin and used by the system. If all you need is to generate keys and certs, I think you can count on using it.
SS-439, Ubuntu Server 12.04.2 LTS, EXT4, RAID10, 4xHitachi 5K1000
TS-112, 3.7.3 20120801, EXT4, 1xHitachi 7K1000
tmt
Been there, done that
 
Posts: 976
Joined: Mon Nov 16, 2009 11:02 am
NAS Model: SS-439 Pro

Re: [HOWTO] openSSH installation cook book

Postby micke » Wed Jan 19, 2011 11:03 pm

tmt wrote:I don't think you should depend on anything in /mnt/ext, that's a private area used by the QNAP utilities.

On the 419P (and maybe on most other ARM devices) /usr is a symlink to /mnt/ext/usr. The RAM disk is not big enough to be able to store the system, so parts of the system are stored on the HDD volume (mounted on /mnt/ext).

Still, it would make more sense to use a /usr path than /mnt/ext/usr, e.g. '/usr/bin/openssl version'.

/Mike
micke
Experience counts
 
Posts: 1350
Joined: Sat Feb 06, 2010 2:42 pm
Location: Taipei, Taiwan
NAS Model: TS-239 Pro

Re: [HOWTO] openSSH installation cook book

Postby falofolio » Sun Feb 27, 2011 6:55 pm

Hi Petr

I managed to get your solution working on my TS-219P with Firmware v3.4.0 build 0212T. However, the only thing I needed to modify was the first 'sleep' command.

I had to set the 5 sec. to a much larger number (e.g. 240 sec) to get it working, because, like marsoupilami wrote, the /opt dir (see code below) is mounted very late at start-up.

Code:
 cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place


To be sure, I also set the second sleep command to 15 sec. instead of 5 sec. However, I am not sure if that is necessary.


Thanks!
falofolio
Getting the hang of things
 
Posts: 65
Joined: Thu Jun 25, 2009 6:55 pm
NAS Model: TS-109/209 Pro II
