[HOW-TO] Install Optware/OpenSSH as default SSHd Server

Discussion on setting up QNAP NAS products.
lyhnet
Starting out
Posts: 13
Joined: Thu Oct 27, 2016 3:34 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by lyhnet »

pwilson wrote:Installing OpenSSH as default SSHd Server
(but keeping QNAP's SSHD version active as well)

Code:

#Start OpenSSH
/opt/sbin/sshd

Test your Configuration: At this point you should restart your NAS to ensure that OpenSSH does in fact start up when the NAS starts. (It should work, but again, if this fails, please reply to this message with information about the failure.) Once your NAS has restarted, attempt another SSH login to your NAS (login as "admin").

Patrick.

Hi Patrick,

I get a connection refused error on port 22. If I run

Code:

/opt/sbin/sshd

then it returns:
Privilege separation user sshd does not exist

I have installed ssh-client and ssh-server from Entware

Code:

opkg install sshopen-client
opkg install sshopen-server

On TS-453A with QTS 4.2.1

Any ideas what might be wrong?
OneCD
Guru
Posts: 12010
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by OneCD »

Hi lyhnet, and welcome to the forum! :D

Sadly, Patrick is no longer active on this forum, so maybe another community member can help.

lyhnet
Starting out
Posts: 13
Joined: Thu Oct 27, 2016 3:34 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by lyhnet »

OneCD wrote:Hi lyhnet, and welcome to the forum! :D

Sadly, Patrick is no longer active on this forum, so maybe another community member can help.

Thanks for updating and welcoming. I see that he has been very active over the last many years, too bad. Let's hope another friendly user can help...?
manicpixie
New here
Posts: 7
Joined: Wed May 11, 2016 12:12 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by manicpixie »

d3763 wrote:Is there an updated tutorial for how to do this with Entware-ng and OpenSSH-server?
Hi, I'm looking for this too.

We bought a new QNAP and we are trying to install OpenSSH server as we had it on our old QNAP (on this old QNAP it was installed following these https://wiki.qnap.com/wiki/How_To_Repla ... th_OpenSSH instructions).

Hope someone can help!

Update: I just found this article: https://wiki.qnap.com/mediawiki/index.p ... re_OpenSSH
Does it work for Entware-ng?

Thanks in advance.
Model: TS-1263U-RP
Firmware: 4.2.2 Build 20161102
xcountry02
First post
Posts: 1
Joined: Fri Jan 27, 2012 7:20 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by xcountry02 »

I have updated my DDNS, also I have enabled ssh and ftp on the server. I can ftp to my server, but when I try to ssh to the server I get the following error.

ssh: connect to host [host] port 22: Connection refused
Kiekse
New here
Posts: 3
Joined: Wed Jul 24, 2013 2:31 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Kiekse »

lyhnet wrote:
pwilson wrote:Installing OpenSSH as default SSHd Server
(but keeping QNAP's SSHD version active as well)

Code:

#Start OpenSSH
/opt/sbin/sshd

Test your Configuration: At this point you should restart your NAS to ensure that OpenSSH does in fact start up when the NAS starts. (It should work, but again, if this fails, please reply to this message with information about the failure.) Once your NAS has restarted, attempt another SSH login to your NAS (login as "admin").

Patrick.

Hi Patrick,

I get a connection refused error on port 22. If I run

Code:

/opt/sbin/sshd

then it returns:
Privilege separation user sshd does not exist

I have installed ssh-client and ssh-server from Entware

Code:

opkg install sshopen-client
opkg install sshopen-server

On TS-453A with QTS 4.2.1

Any ideas what might be wrong?

I have the same problem. The "Privilege separation user sshd does not exist" message pops up if I execute /opt/sbin/sshd.
In my /etc/passwd after every reboot there is a user [sshd] with the following entry: [sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
After a change of the username in /etc/passwd to sshd I'm able to start /opt/sbin/sshd.
After a reboot the username is changed automatically back to [sshd] and openssh does not work.
Does anyone know which process adds the user? Maybe the script could be changed a little bit.
Any ideas?

Best wishes,
Kiekse
rgrumann
First post
Posts: 1
Joined: Tue Jul 17, 2012 6:41 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by rgrumann »

Hi,
the user "[sshd]" seems to be a custom sshd user for the special built-in sshd daemon of QNAP.
So the installation of openssh from entware is built with the "normal" requirement for the existence of a user named "sshd" (without the brackets).

The [] brackets also hide this user from the QNAP user management in the NAS.

I used the approach of editing /etc/passwd and /etc/shadow manually and added a user "sshd" with a custom user-id.
After that it started working with the custom openssh from entware.

My passwd file after that looks like this (the shadow file I have edited in a similar way)

Code:

[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
sshd:x:1001:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false

Please use a different user-id for the new sshd service account. Every user needs its own dedicated user-id ....

btw:
The additional custom sshd user is afterwards shown in the normal user management.
So you can also manually create the user "sshd" through the normal user management. This will also work.
But this user will have higher privileges.
So I really would propose to edit the passwd/shadow files afterwards and set the same group-id, restricted home dir and /bin/false as login shell (no shell at all) ....
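
The fix in the post above rests on three properties of the new passwd entry: the name is exactly sshd (no brackets), the user-id is not shared with another account, and the login shell is /bin/false. The shell function below checks them against a passwd-format file. It is an added example, not part of the original post; the function name check_privsep_user and the three sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for OpenSSH's privilege
# separation account. Exit status 0 = usable, 1 = problem found.
check_privsep_user() {
    awk -F: '
        { count[$3]++; names[$3] = names[$3] " " $1 }   # index every UID
        $1 == "sshd" { found = 1; uid = $3; home = $6; shell = $7 }
        END {
            if (!found) {
                print "FAIL: no account named sshd (without brackets)"
                exit 1
            }
            rc = 0
            if (count[uid] > 1) {
                print "FAIL: UID " uid " is shared by:" names[uid]; rc = 1
            }
            if (shell != "/bin/false" && shell !~ /nologin$/) {
                print "FAIL: sshd has an interactive shell: " shell; rc = 1
            }
            if (rc == 0) print "OK: sshd uid=" uid " home=" home " shell=" shell
            exit rc
        }' "$1"
}

# Constructed sample data modelled on the entries quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/stock" <<'EOF'
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
EOF
cat > "$demo_dir/clash" <<'EOF'
[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
sshd:x:110:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false
EOF
cat > "$demo_dir/fixed" <<'EOF'
[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
sshd:x:1001:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false
EOF
for f in stock clash fixed; do
    printf '%s: ' "$f"; check_privsep_user "$demo_dir/$f" || :
done
```

On the NAS the same function can be pointed at /etc/passwd after each reboot, since the thread reports that the firmware rewrites that file.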
louiscar
Easy as a breeze
Posts: 265
Joined: Mon Aug 10, 2015 4:32 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by louiscar »

I have just been fighting with sshd recently and wonder if anyone has a clue as to what might be going on. Possibly this happened after the last firmware update, but I found that OpenSSH had not started. This problem I have never encountered and I never had to start sshd manually ever. Now every reboot has this failing to start.

I can start it manually of course and now I am trying to put this into my autorun.sh script but with little success, but what is grabbing my attention now is that when I enter a session I don't have any environmental variables set at all. These are all defined in /etc/config/profile I think and of course I have dupes in my homes/ admin folder along with .bashrc .. all of these are being completely ignored so now I'm having to load that manually as well.

A clue is that the same thing is true of the Qnap ssh and so what with the no start situation (I looked at Patrick's original thread and he seems to suggest using autoruns but really I never had to do that).

Any suggestions or a script to use for init.d would be appreciated if someone has done one of those.

and of course any idea what can cause ssh / sshd to not load the profile / .bashrc.
All these things used to work fine so I'm a bit at a loss right now.
Model : TS-453 Pro
Firmware : 5.0.0.1828
4x WD RED 3TB - Raid 5
pwingren
First post
Posts: 1
Joined: Fri May 13, 2016 4:09 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwingren »

rgrumann wrote: Sat Feb 15, 2020 5:23 am Hi,
the user "[sshd]" seems to be a custom sshd user for the special built-in sshd daemon of QNAP.
So the installation of openssh from entware is built with the "normal" requirement for the existence of a user named "sshd" (without the brackets).

The [] brackets also hide this user from the QNAP user management in the NAS.

I used the approach of editing /etc/passwd and /etc/shadow manually and added a user "sshd" with a custom user-id.
After that it started working with the custom openssh from entware.

My passwd file after that looks like this (the shadow file I have edited in a similar way)

Code:

[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
sshd:x:1001:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false

Please use a different user-id for the new sshd service account. Every user needs its own dedicated user-id ....

btw:
The additional custom sshd user is afterwards shown in the normal user management.
So you can also manually create the user "sshd" through the normal user management. This will also work.
But this user will have higher privileges.
So I really would propose to edit the passwd/shadow files afterwards and set the same group-id, restricted home dir and /bin/false as login shell (no shell at all) ....

Thank you so much! This solved the puzzling problem.
Parlendir
New here
Posts: 6
Joined: Tue May 30, 2017 12:19 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Parlendir »

rgrumann wrote: Sat Feb 15, 2020 5:23 am the user "[sshd]" seems to be a custom sshd user for the special built-in sshd daemon of QNAP.
So the installation of openssh from entware is built with the "normal" requirement for the existence of a user named "sshd" (without the brackets).

I used the approach of editing /etc/passwd and /etc/shadow manually and added a user "sshd" with a custom user-id.
After that it started working with the custom openssh from entware.

My passwd file after that looks like this (the shadow file I have edited in a similar way)

Code:

[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh
sshd:x:1001:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false

Please use a different user-id for the new sshd service account. Every user needs its own dedicated user-id ....

btw:
The additional custom sshd user is afterwards shown in the normal user management.
So you can also manually create the user "sshd" through the normal user management. This will also work.
But this user will have higher privileges.
So I really would propose to edit the passwd/shadow files afterwards and set the same group-id, restricted home dir and /bin/false as login shell (no shell at all) ....

Hello
Thank you very much for that explanation!
I must lack some knowledge because I can't get the openssh-server to work.

I summarize everything I did and then give you the error I encountered

Code:

00. change qnap sshd default port from port 22 to port XXX
	# ssh -p XXX admin@qnap is working fine
01. Install Entware
02. opkg install openssh-server
03. /opt/sbin/sshd
	# throws an error : host keys are missing...
04. ssh-keygen -t rsa 
05. ssh-keygen -t ecdsa
06. ssh-keygen -t ed25519
07. nano /opt/etc/ssh/sshd_config
	# add the 3 previously generated keys instead of default keys name
	# add AllowUsers admin
08. nano /etc/passwd
	# to add a new user sshd
09. nano /etc/shadow
	# to add a new user sshd
10. /opt/sbin/sshd
	# no error thrown
11. ssh -p XXX admin@qnap 
	# still working
12. ssh admin@qnap
	# Permission denied : so openssh-server is running but refusing the connection

The sshd user has appeared in the usermanagement panel in the qnap gui.

So that's it, I don't know what more I can do to get openssh to accept the connection, I must have missed something, but I can't put my finger on it...
TS451 - 3*3To WD Red - Raid 5 - QTS 4.4.2.1310
tolis81
New here
Posts: 2
Joined: Wed Jun 29, 2016 8:25 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by tolis81 »

2021 updated openSSH installation instructions
=========================================

Through the UI, change QNAP's default SSH port to another, e.g. 12121
Install entware-std

ssh to the QNAP using the new port

If you have previously attempted to install without success, do a little housekeeping:

Code:

rm -rf /opt/etc/ssh
rm -rf /share/homes/admin/.ssh

Install the openssh server:

Code:

opkg update
opkg install openssh-server

Add a user "sshd" with a custom user-id:

Code:

vi /etc/passwd

find

Code:

[sshd]:x:110:65534:SSHD Privilege Separation:/var/empty:/bin/sh

and add below (make sure that you use a unique user-id):

Code:

sshd:x:111:65534:SSHD Privilege Separation:/opt/var/empty:/bin/false

Do the same for the /etc/shadow file, so it looks like:

Code:

vi /etc/shadow
[sshd]:!:18530:0:99999:7:::
sshd:!:18531:0:99999:7:::

Create host keys:

Code:

cd /opt/etc/ssh
ssh-keygen -A

Check that the server is running:

Code:

/opt/sbin/sshd

If no errors come up, then utilize autorun.sh to start the daemon automatically.
Check here for your model https://wiki.qnap.com/wiki/Running_Your ... at_Startup
and replace mount $(/sbin/hal_app --get_boot_pd port_id=0)6 /tmp/config with your model's specific mount option:

Code:

vi /share/homes/admin/editautoconfig.sh

Copy/paste the below content, save and exit vi:

Code:

#!/bin/sh

# script to ease autorun.sh edit
# check: https://wiki.qnap.com/wiki/Running_Your_Own_Application_at_Startup

# mount the boot configuration partition (model-specific, see the wiki page)
mount $(/sbin/hal_app --get_boot_pd port_id=0)6 /tmp/config
# create autorun.sh if it does not exist yet and make it executable
touch /tmp/config/autorun.sh
chmod +x /tmp/config/autorun.sh
# fall back to vi when EDITOR is unset, otherwise this line would run autorun.sh itself
${EDITOR:-vi} /tmp/config/autorun.sh
umount /tmp/config

Make it executable:

Code:

chmod +x /share/homes/admin/editautoconfig.sh

Run it (run it every time you need to add content to autorun.sh):

Code:

cd /share/homes/admin/
./editautoconfig.sh

Add the content below, save and exit the editor:

Code:

#!/bin/sh

# Start OpenSSH
/opt/sbin/sshd

Create the .ssh directory and authorized_keys file in the user's home directory:

Code:

cd /share/homes/admin
mkdir .ssh
touch .ssh/authorized_keys

Create public/private keys and add the public key to authorized_keys using e.g. PuTTYgen,
meaning that once the files are created, copy the public key, go back to the terminal and:

Code:

echo "<public-key-contents>" > /share/homes/admin/.ssh/authorized_keys

Set correct permissions:

Code:

chmod 0711 /share/homes/admin/
chmod 0700 .ssh/
chmod 0600 .ssh/authorized_keys

Now try to connect to the server using e.g. putty and the key you created.
If everything is ok, then no password is needed and you will be logged in using the key.

Now enable only public key authentication:

Code:

vi /opt/etc/ssh/sshd_config

Check that the following apply:

Code:

PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no

After each change to /opt/etc/ssh/sshd_config restart the server:

Code:

killall -HUP sshd

Try to login again to the server.

done

p.s. if you need to add keys for another user, go to the user's home folder, create the .ssh directory and authorized_keys file, make keys and add the public key to authorized_keys.
If this is done using the admin account, then change ownership of the .ssh/ directory to the specified user by chown -R <user> /share/homes/<user>/.ssh
Finally set permissions as above.

ssh to server
tolis81
New here
Posts: 2
Joined: Wed Jun 29, 2016 8:25 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by tolis81 »

continuing....
after successfully connecting with public key only, disable QNAP's ssh server from the GUI and restart.
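
The "check that the following apply" step in the how-to above is easy to get wrong: sshd uses the first value it reads for a keyword, and a commented-out line leaves the built-in default (yes for both PasswordAuthentication and PubkeyAuthentication) in force. The shell functions below resolve the effective global value from a config file before the QNAP daemon is switched off. This is an added example, not part of the original posts; the function names effective_setting and pubkey_only and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which value will sshd really use?
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a commented-out line leaves the built-in default.
effective_setting() {   # usage: effective_setting FILE KEYWORD DEFAULT
    awk -F'[ \t=]+' -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); value = dflt }
        { sub(/^[ \t]+/, "") }                  # drop leading blanks
        /^(#|$)/ { next }                       # comment or empty line
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { value = tolower($2); exit }
        END { print value }
    ' "$1"
}

# Exit 0 only when passwords are refused and keys are accepted.
# Defaults are OpenSSH's: both keywords default to "yes".
pubkey_only() {
    [ "$(effective_setting "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_setting "$1" PubkeyAuthentication yes)" = yes ]
}

# Constructed sample configs; the first mirrors the settings in the how-to.
cfg_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' > "$cfg_dir/howto"
printf '%s\n' '#PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$cfg_dir/commented"
printf '%s\n' 'passwordauthentication yes' \
    'PasswordAuthentication no' > "$cfg_dir/shadowed"

for c in howto commented shadowed; do
    if pubkey_only "$cfg_dir/$c"; then echo "$c: key-only login"
    else echo "$c: passwords still accepted"; fi
done
```

On the NAS, /opt/sbin/sshd -T prints the configuration the daemon itself resolves and is the authoritative check; the functions above only read the global section of a single file.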
Qmann
Easy as a breeze
Posts: 302
Joined: Mon Jun 08, 2020 8:09 am
Location: USA

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Qmann »

Great howto, thanks for that! The only thing I would modernize is the autorun scripting. Look for it here:

viewtopic.php?f=45&t=130345
Last edited by Qmann on Sun Jan 16, 2022 9:32 am, edited 1 time in total.
Model: TVS-872XT 64GB (Crucial 64GB Kit CT2K32G4SFD8266)
2 x 1TB XPG 1TB NVMe (ASX8200PNP-1TT-C) [RAID-1]
5 x 16TB EXOS [RAID-5]
Borg Backup running to an offsite pi, AND to the local TS-569L
Model: TS-569L Borg server for backups
6 x 8TB Ironwolf [RAID-5]
Qotom-Q355G4 Fanless Mini Micro PC running pSense in front of everything
haproxy for anything inside the LAN