[HOW-TO] Install Optware/OpenSSH as default SSHd Server

Discussion on setting up QNAP NAS products.
filovirus
Getting the hang of things
Posts: 76
Joined: Wed Oct 06, 2010 10:55 pm

Re: OpenSSH/QNAP SSH Public Key Authentication Fails

Post by filovirus »

I am going to need to right now. Permissions are changing very often and driving me nuts. Where do you place your scripts where the permissions are not changed by the QNAP and they do not get deleted? /share/homes/admin/.ssh is not going to work. I keep losing the +x and have to reapply it.
TS-870 Pro EOL - JBOD/NAS Backup Remote
TS-873 QTS 5.0.0.2055 (5/13/2022) Seagate 6tb x 8 in RAID10
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenSSH/QNAP SSH Public Key Authentication Fails

Post by pwilson »

filovirus wrote:I am going to need to right now. Permissions are changing very often and driving me nuts. Where do you place your scripts where the permissions are not changed by the QNAP and they do not get deleted? /share/homes/admin/.ssh is not going to work. I keep losing the +x and have to reapply it.
Create your own "custom" folder in /share/CACHEDEV1_DATA, and place your "custom" scripts etc there. You can then get your "autorun.sh" file to run it from there.

Code:

mkdir -p /share/CACHEDEV1_DATA/custom
rm -f /share/CACHEDEV1_DATA/custom/fix-OpenSSH-perms.sh
touch /share/CACHEDEV1_DATA/custom/fix-OpenSSH-perms.sh
chmod 755 /share/CACHEDEV1_DATA/custom/fix-OpenSSH-perms.sh
# The delimiter is quoted so that "$HOME" in the comment below is written literally
# into the script instead of being expanded by the shell that creates it.
cat <<'EOF' >>/share/CACHEDEV1_DATA/custom/fix-OpenSSH-perms.sh
#!/bin/sh
#
# Fix Permissions on the $HOME directory for "admin", so that OpenSSH Authorized Keys work.
#
chmod 700 /share/homes/admin
chmod 700 /share/homes/admin/.ssh
chmod 600 /share/homes/admin/.ssh/*
chmod 644 /share/homes/admin/.ssh/*.pub
#EOF

EOF
#done

Now you can simply add the following to your "autorun.sh" file:

Code:

/bin/sh /share/CACHEDEV1_DATA/custom/fix-OpenSSH-perms.sh
Similarly you can add a Crontab entry for this same command to run as often as you desire.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.
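The script above unconditionally chmods every entry on each run, so a cron job never tells you whether anything had actually drifted. The following POSIX shell script is an added example, not pwilson's code or anything shipped by QNAP: it applies the same policy (700 on the home and .ssh directories, 600 on key material, 644 on *.pub), but only changes entries whose mode is wrong, logs each change with a timestamp on stderr, and returns the number of entries it had to fix. The function names and the SSH_PERMS_HOME override are my own; the default path is the one used in the thread, and `stat -c '%a'` is accepted by both GNU and busybox stat.

```shell
#!/bin/sh
# Added example (not pwilson's script): check ~/.ssh permissions before chmod-ing,
# so a cron job reports only when something actually drifted.

# ensure_mode PATH MODE: fix PATH if its octal mode differs from MODE.
# Logs the change on stderr; returns 1 if a change was made, 0 otherwise.
ensure_mode() {
  path="$1"; want="$2"
  [ -e "$path" ] || return 0            # nothing to do for a missing entry
  have=$(stat -c '%a' "$path")
  if [ "$have" = "$want" ]; then
    return 0
  fi
  chmod "$want" "$path"
  echo "$(date '+%Y-%m-%d %H:%M:%S') fixed $path: $have -> $want" >&2
  return 1
}

# fix_ssh_perms HOMEDIR: same policy as the thread's script. Prints the number of
# entries it had to fix on stdout, so a caller can tell a no-op run from a repair.
fix_ssh_perms() {
  home="$1"; changed=0
  ensure_mode "$home" 700 || changed=$((changed + 1))
  ensure_mode "$home/.ssh" 700 || changed=$((changed + 1))
  for f in "$home"/.ssh/*; do
    [ -f "$f" ] || continue             # skip an unexpanded glob and sub-directories
    case "$f" in
      *.pub) ensure_mode "$f" 644 || changed=$((changed + 1)) ;;
      *)     ensure_mode "$f" 600 || changed=$((changed + 1)) ;;
    esac
  done
  echo "$changed"
}

# Stand-alone run. SSH_PERMS_HOME is an assumed override (not a QNAP setting);
# the default is the path from the thread. Nothing happens if it does not exist.
SSH_PERMS_HOME="${SSH_PERMS_HOME:-/share/homes/admin}"
if [ -d "$SSH_PERMS_HOME" ]; then
  fix_ssh_perms "$SSH_PERMS_HOME"
fi
```

Called from autorun.sh or crontab exactly as the thread's script is, with stderr appended to a file of your choosing (for instance `2>>/share/CACHEDEV1_DATA/custom/fix-perms.log`, a hypothetical path), the log then doubles as proof that the job is running and a record of every time the NAS reset the modes.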
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

Jman420 wrote:I've been working on getting a full OpenSSH replacement for the QNAP SSH for a few years now and I've had moderate success. I've worked around the 'lock out' issue that schumaku & pwilson have mentioned by avoiding replacing the default QNAP sshd and instead starting the Optware OpenSSH manually. Since I never actually replace the default QNAP sshd file I am able to restart the QNAP SSH by going to the Admin Web UI and disabling and then re-enabling the SSH server from there. Here is the script I use; this script gets called at start up (I use the qpkg.conf method for my startup scripts):

Code:

#!/bin/sh

QPKG_NAME="OpenSSH"
QNAP_SSH="/usr/sbin/sshd"
OPEN_SSH="/opt/sbin/sshd"
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
OPEN_SSH_SETTINGS="/share/AppShells/AppData/OpenSSH/sshd_config"
QNAP_SSH_SETTINGS="/etc/ssh/sshd_config"

_exit()
{
  echo -e "Error: $*"
  echo
  exit 1
}

case "$1" in
  start)
    echo "Stopping QNAP SSH Server"
    /sbin/daemon_mgr sshd stop "$QNAP_SSH -f $QNAP_SSH_SETTINGS -p $SSH_PORT"
    # kill `ps aux | grep sshd | grep -v grep | awk '{print $1}'`
    killall sshd

    echo "Starting OpenSSH"
    /sbin/daemon_mgr sshd start "$OPEN_SSH -f $OPEN_SSH_SETTINGS -p $SSH_PORT"
    ;;

  stop)
    echo "Stopping OpenSSH"
    /sbin/daemon_mgr sshd stop "$OPEN_SSH -f $OPEN_SSH_SETTINGS -p $SSH_PORT"
    # kill `ps aux | grep sshd | grep -v grep | awk '{print $1}'`
    killall sshd

    echo "Starting QNAP SSH Server"
    /sbin/daemon_mgr sshd start "$QNAP_SSH -f $QNAP_SSH_SETTINGS -p $SSH_PORT"
    ;;

  restart)
    echo "Restarting OpenSSH Server..."
    $0 stop
    $0 start
    echo "Done!"
    ;;

  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
Still, one issue concerns me, though: the Optware OpenSSH login attempts don't appear in the QNAP System Logs; in fact, Optware OpenSSH doesn't seem to log anything anywhere. I have found where I believe QNAP stores its system logs (/mnt/HDA_ROOT/.logs). They seem to be SQLite files. I'm hoping that I can inject the Optware OpenSSH logs into the QNAP System Logs in some way. Going to keep digging and changing OpenSSH settings around logging to try to get it to log somewhere.
Why are you doing all this nonsense? OpenSSH already has a "startup" script, you simply need to enable it. You do NOT need to create a pseudo-QPKG for this at all. You are making this way more complicated than it needs to be. :roll:

Simply follow the Running /opt/etc/init.d/* on startup section of the QNAPedia article Install Optware IPKG, so that the pre-existing script /opt/etc/init.d/S40sshd runs when Optware loads at startup.

As for "logging" simply modify your /opt/etc/openssh/sshd_config to enable any logging you require. Google is your friend, when it comes to customizing your sshd_config file to your specifications.

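Jman420's observation that the Optware sshd "doesn't seem to log anything anywhere" is consistent with how OpenSSH logs by default: it writes through syslog(3) (facility and verbosity set by the SyslogFacility and LogLevel keywords in sshd_config), so if no syslog daemon is listening on /dev/log the messages simply vanish. Starting the daemon with `sshd -e` makes it write its log to stderr instead, which can be redirected to a file. Once the log lands somewhere, the functions below (an added example, not code from either poster; the function names are mine and the log lines are constructed samples using RFC 5737 documentation addresses and a placeholder fingerprint) pull the authentication events out of it: counts of accepted, failed and invalid-user events, failures per source address, and the sources that cross a threshold. They use only grep, awk and sort, so they run under busybox.

```shell
#!/bin/sh
# Added example (not Jman420's or pwilson's code): summarise OpenSSH
# authentication events from a captured sshd log.

# Constructed sample in the usual syslog + sshd line format. Addresses are
# documentation ranges and the key fingerprint is a placeholder.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Oct  7 14:03:11 nas sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Oct  7 14:03:40 nas sshd[2215]: Failed password for admin from 198.51.100.7 port 40110 ssh2
Oct  7 14:03:42 nas sshd[2215]: Failed password for admin from 198.51.100.7 port 40110 ssh2
Oct  7 14:04:01 nas sshd[2219]: Invalid user test from 198.51.100.7 port 40200
Oct  7 14:04:03 nas sshd[2219]: Failed password for invalid user test from 198.51.100.7 port 40200 ssh2
Oct  7 14:05:00 nas sshd[2230]: Accepted password for admin from 192.0.2.10 port 51100 ssh2
Oct  7 14:05:30 nas sshd[2230]: Received disconnect from 192.0.2.10 port 51100:11: disconnected by user
EOF

# ssh_auth_count KIND FILE: number of accepted | failed | invalid events in FILE.
ssh_auth_count() {
  case "$1" in
    accepted) pat='sshd\[[0-9]+]: Accepted ' ;;
    failed)   pat='sshd\[[0-9]+]: Failed ' ;;
    invalid)  pat='sshd\[[0-9]+]: Invalid user ' ;;
    *) echo "ssh_auth_count: unknown kind '$1'" >&2; return 2 ;;
  esac
  # grep -c exits 1 when the count is 0; treat that as success, keep real errors.
  grep -Ec "$pat" "$2" || [ $? -eq 1 ]
}

# ssh_failed_by_source FILE: "<count> <ip>" per source address, busiest first.
# Both "Failed ..." and "Invalid user ..." lines count as a failure.
ssh_failed_by_source() {
  awk '/sshd\[[0-9]+]: (Failed|Invalid user) / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_flag_sources FILE THRESHOLD: sources with at least THRESHOLD failures,
# i.e. the list an alerting or lockout rule would act on.
ssh_flag_sources() {
  ssh_failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run: report on the sample.
echo "accepted: $(ssh_auth_count accepted "$SAMPLE_LOG")"
echo "failed:   $(ssh_auth_count failed "$SAMPLE_LOG")"
echo "invalid:  $(ssh_auth_count invalid "$SAMPLE_LOG")"
echo "failures by source:"
ssh_failed_by_source "$SAMPLE_LOG"
```

Point SAMPLE_LOG at the file you redirected `sshd -e` into (or at wherever your syslog daemon writes the auth facility) and run the same functions from cron; the per-source list is the natural input for a notification, since the QNAP System Logs will never show these events on their own.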
Jman420
Getting the hang of things
Posts: 59
Joined: Sat Sep 19, 2009 12:32 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Jman420 »

pwilson wrote: Why are you doing all this nonsense? OpenSSH already has a "startup" script, you simply need to enable it. You do NOT need to create a pseudo-QPKG for this at all. You are making this way more complicated than it needs to be. :roll:

Simply follow the Running /opt/etc/init.d/* on startup section of the QNAPedia article Install Optware IPKG, so that the pre-existing script /opt/etc/init.d/S40sshd runs when Optware loads at startup.

As for "logging" simply modify your /opt/etc/openssh/sshd_config to enable any logging you require. Google is your friend, when it comes to customizing your sshd_config file to your specifications.
When I had originally written the script the QPKG Manager picked up the entries that I had added to qpkg.conf and I could enable/disable the functionality individually from the Web UI, but that was before QTS 4.0 and the App Manager. I also like the control it gives me since the script not only handles startup, but also stopping OpenSSH and re-enabling the default sshd. For a simpler setup the init.d method is sufficient and probably ideal, but I wanted more control. I'm also holding out some hope that I will find a way to manually add entries to the App Manager so I can control these scripts from the Web UI again.

Still researching the sshd_config logging stuff. I thought that by default OpenSSH logged login attempts to /var/log/auth.log or possibly /opt/var/log/auth.log for Optware, but it seems neither of those files exist. Need to dig more into the sshd_config logging settings.
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

Jman420 wrote:
pwilson wrote: Why are you doing all this nonsense? OpenSSH already has a "startup" script, you simply need to enable it. You do NOT need to create a pseudo-QPKG for this at all. You are making this way more complicated than it needs to be. :roll:

Simply follow the Running /opt/etc/init.d/* on startup section of the QNAPedia article Install Optware IPKG, so that the pre-existing script /opt/etc/init.d/S40sshd runs when Optware loads at startup.

As for "logging" simply modify your /opt/etc/openssh/sshd_config to enable any logging you require. Google is your friend, when it comes to customizing your sshd_config file to your specifications.
When I had originally written the script the QPKG Manager picked up the entries that I had added to qpkg.conf and I could enable/disable the functionality individually from the Web UI, but that was before QTS 4.0 and the App Manager. I also like the control it gives me since the script not only handles startup, but also stopping OpenSSH and re-enabling the default sshd. For a simpler setup the init.d method is sufficient and probably ideal, but I wanted more control. I'm also holding out some hope that I will find a way to manually add entries to the App Manager so I can control these scripts from the Web UI again.

Still researching the sshd_config logging stuff. I thought that by default OpenSSH logged login attempts to /var/log/auth.log or possibly /opt/var/log/auth.log for Optware, but it seems neither of those files exist. Need to dig more into the sshd_config logging settings.
Creating "home brew" solutions makes it impossible for people to help you.

filovirus
Getting the hang of things
Posts: 76
Joined: Wed Oct 06, 2010 10:55 pm

Re: OpenSSH/QNAP SSH Public Key Authentication Fails

Post by filovirus »

I have some things I need help working through :cry:

1. /share/CE_CACHEDEV1_DATA is encrypted. When I reboot, /share/CE_CACHEDEV1_DATA/.qpkg/autorun/autorun.sh cannot be read, at least until I mount the volume.

2. /opt/sbin/sshd did not restart on reboot. I had to start it manually with the command /opt/sbin/sshd 2>/dev/null. I am able to log in without a pw from the OSX box afterward. Again, I suspect the encryption could be to blame for not loading Optware on reboot.

3. I added /share/CE_CACHEDEV1_DATA/.qpkg/autorun/autorun.sh to /etc/config/crontab per http://wiki.qnap.com/wiki/Add_items_to_ ... tart.C2.A0 I do not know how to check if it is running the autorun.sh script.

Here is my openssh_perm.sh permissions and script.

Code:

/share/CE_CACHEDEV1_DATA/jpvscripts: ls -l
drwxrwxrwx    2 admin    administ      4096 Oct  7 12:51 @Recycle/
-rwx--x--x    1 admin    administ       248 Oct  7 14:03 openssh_perm.sh*
-rwx--x--x    1 admin    administ        45 Oct  7 12:53 ssh_check.sh*

#!/bin/sh
#
# Fix Permissions on the $HOME directory for "admin",  so that OpenSSH Authorized Keys work.
#
chmod 700 /share/homes/admin
chmod 700 /share/homes/admin/.ssh
chmod 600 /share/homes/admin/.ssh/*
chmod 644 /share/homes/admin/.ssh/*.pub

Here is autorun.sh permissions and script

Code:

/share/CE_CACHEDEV1_DATA/.qpkg/autorun: ls -l
-rwxr-xr-x    1 admin    administ       439 Oct  7 13:32 autorun.sh*

#!/bin/sh

/bin/sh /share/CACHEDEV1_DATA/jpvscripts/openssh_perm.sh

And finally the crontab file

Code:

# m h dom m dow cmd
0 2 * * * /sbin/qfstrim
0 4 * * * /sbin/hwclock -s
0 3 * * * /sbin/vs_refresh
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 3 * * * /bin/rm -rf /mnt/HDA_ROOT/twonkymedia/twonkymedia.db/cache/*
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0 3 * * * /etc/init.d/ImRd.sh bgThGen
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
0 3 * * 0 /etc/init.d/idmap.sh dump
* * * * * /bin/sh /share/CACHEDEV1_DATA/jpvscripts/openssh_perm.sh
49 13 * * * /usr/bin/qcloud_cli -c
4 3 * * 3 /etc/init.d/backup_conf.sh
30 7 * * * /usr/local/sbin/version_cleaner -t 0 > /dev/null 2>/dev/null
3 * * * * /sbin/qddns_check 2>/dev/null
Crontab changes were loaded and cron restarted per the wiki.
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: OpenSSH/QNAP SSH Public Key Authentication Fails

Post by pwilson »

filovirus wrote:I have some things I need help working through :cry:

1. /share/CE_CACHEDEV1_DATA is encrypted. When I reboot, /share/CE_CACHEDEV1_DATA/.qpkg/autorun/autorun.sh cannot be read, at least until I mount the volume.

2. /opt/sbin/sshd did not restart on reboot. I had to start it manually with the command /opt/sbin/sshd 2>/dev/null. I am able to log in without a pw from the OSX box afterward. Again, I suspect the encryption could be to blame for not loading Optware on reboot.

3. I added /share/CE_CACHEDEV1_DATA/.qpkg/autorun/autorun.sh to /etc/config/crontab per http://wiki.qnap.com/wiki/Add_items_to_ ... tart.C2.A0 I do not know how to check if it is running the autorun.sh script.

Here is my openssh_perm.sh permissions and script.

Code:

/share/CE_CACHEDEV1_DATA/jpvscripts: ls -l
drwxrwxrwx    2 admin    administ      4096 Oct  7 12:51 @Recycle/
-rwx--x--x    1 admin    administ       248 Oct  7 14:03 openssh_perm.sh*
-rwx--x--x    1 admin    administ        45 Oct  7 12:53 ssh_check.sh*

#!/bin/sh
#
# Fix Permissions on the $HOME directory for "admin",  so that OpenSSH Authorized Keys work.
#
chmod 700 /share/homes/admin
chmod 700 /share/homes/admin/.ssh
chmod 600 /share/homes/admin/.ssh/*
chmod 644 /share/homes/admin/.ssh/*.pub

Here is autorun.sh permissions and script

Code:

/share/CE_CACHEDEV1_DATA/.qpkg/autorun: ls -l
-rwxr-xr-x    1 admin    administ       439 Oct  7 13:32 autorun.sh*

#!/bin/sh

/bin/sh /share/CACHEDEV1_DATA/jpvscripts/openssh_perm.sh

And finally the crontab file

Code:

# m h dom m dow cmd
0 2 * * * /sbin/qfstrim
0 4 * * * /sbin/hwclock -s
0 3 * * * /sbin/vs_refresh
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 3 * * * /bin/rm -rf /mnt/HDA_ROOT/twonkymedia/twonkymedia.db/cache/*
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0 3 * * * /etc/init.d/ImRd.sh bgThGen
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
0 3 * * 0 /etc/init.d/idmap.sh dump
* * * * * /bin/sh /share/CACHEDEV1_DATA/jpvscripts/openssh_perm.sh
49 13 * * * /usr/bin/qcloud_cli -c
4 3 * * 3 /etc/init.d/backup_conf.sh
30 7 * * * /usr/local/sbin/version_cleaner -t 0 > /dev/null 2>/dev/null
3 * * * * /sbin/qddns_check 2>/dev/null
Looking good. I cannot help with encrypted drives. I have no experience with QNAP's LUKS drive encryption, and I have no desire to learn about it. While I may well create an encrypted "secondary" storage volume on a UX-500P expansion chassis later, I would never encrypt my boot partition, due to headaches such as this.

Sorry, but I doubt I can help further with this particular issue.

filovirus
Getting the hang of things
Posts: 76
Joined: Wed Oct 06, 2010 10:55 pm

Re: OpenSSH/QNAP SSH Public Key Authentication Fails

Post by filovirus »

ok, thank you very much.
Jingo
Starting out
Posts: 36
Joined: Fri Feb 14, 2014 1:54 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Jingo »

pwilson wrote:
Jingo wrote:Nice setup, I recently set up something similar to this on my 212.

Just wanted to point out that setting the shell to /bin/false on firmware 4.0.5 actually results in a valid shell, since /bin/false is a link back to the main busybox executable.

I guess for some reason the sshd looks at the symlink and uses the actual file, so it doesn't actually get called as false, resulting in a shell.
I have no idea what is happening on your TS-212, but it still works here as expected under Firmware 4.1.0 Build 20140504 on my TS-470 Pro. (I do however thank you for the observation, as I must confess that I have not been testing this here after every Firmware Upgrade).

You might want to try installing "coreutils" under Optware to see if /opt/bin/false works. (Both work here).

Code:

admin@NASTY2:~# ls -lF $(which false)
lrwxrwxrwx 1 admin administrators 15 2014-01-01 12:51 /opt/bin/false -> coreutils-false*

I only just saw your reply, so I apologize for the late reply.

I'm away from home at the moment, but based on my experience, setting the shell to /bin/false is a security concern. It resulted in a valid shell, which is not the expected behavior.

I'm home on Friday and will test again with both the Qnap SSH and OpenSSH to see if I can reproduce this behavior.

After doing a cursory search, it does seem that there were, at least at one point, essentially two versions of 'false' that shipped with busybox, which would act differently depending on how it was called; that could explain our differing experiences.
Jingo
Starting out
Posts: 36
Joined: Fri Feb 14, 2014 1:54 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Jingo »

Jingo wrote:
pwilson wrote:
Jingo wrote:Nice setup, I recently set up something similar to this on my 212.

Just wanted to point out that setting the shell to /bin/false on firmware 4.0.5 actually results in a valid shell, since /bin/false is a link back to the main busybox executable.

I guess for some reason the sshd looks at the symlink and uses the actual file, so it doesn't actually get called as false, resulting in a shell.
I have no idea what is happening on your TS-212, but it still works here as expected under Firmware 4.1.0 Build 20140504 on my TS-470 Pro. (I do however thank you for the observation, as I must confess that I have not been testing this here after every Firmware Upgrade).

You might want to try installing "coreutils" under Optware to see if /opt/bin/false works. (Both work here).

Code:

admin@NASTY2:~# ls -lF $(which false)
lrwxrwxrwx 1 admin administrators 15 2014-01-01 12:51 /opt/bin/false -> coreutils-false*
Well, I can't reproduce it. While I was following the procedure to move the QNAP SSH to a different port as a backup and have OpenSSH as my main, I did experience /bin/false resulting in a valid shell. I did something to fix it, and only wish I had documented those steps.

In any case, I would advise people to actually verify that no shell is granted after logging in once they have set a user's shell to /bin/false.
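Jingo's advice to verify rather than assume is easy to automate. The script below is an added example, not code from Jingo or pwilson: the decisive test for a "no login" shell is whether it executes a command handed to it with `-c`, which is how sshd runs anything for a user, so `shell_grants_access` invokes the configured shell that way and reports "yes" only if the command actually ran. A `/bin/false` that is really busybox behaving as a shell, or a symlink that ends up at a real shell, shows up as "yes" regardless of what the path looks like; `resolve_shell` prints the symlink target next to it so the report explains why. The function names are mine, the passwd file is a constructed sample, and `readlink -f` is available on both GNU and busybox.

```shell
#!/bin/sh
# Added example (not Jingo's or pwilson's code): verify that a "no login" shell
# really refuses to run commands, and audit a passwd file with that check.

# shell_grants_access SHELL: prints "yes" if SHELL executes a command passed with
# -c (the way sshd starts commands for a user), "no" otherwise.
shell_grants_access() {
  out=$("$1" -c 'echo SHELL_OK' </dev/null 2>/dev/null) || true
  if [ "$out" = "SHELL_OK" ]; then
    echo yes
  else
    echo no
  fi
}

# resolve_shell SHELL: follow symlinks so the report shows what actually executes.
resolve_shell() {
  readlink -f "$1" 2>/dev/null || echo "$1"
}

# audit_passwd_shells PASSWD_FILE: one line per account,
# "user configured-shell resolved-target yes|no".
audit_passwd_shells() {
  while IFS=: read -r user _ _ _ _ _ shell; do
    [ -n "$user" ] || continue
    echo "$user $shell $(resolve_shell "$shell") $(shell_grants_access "$shell")"
  done <"$1"
}

# accounts_with_shell PASSWD_FILE: just the usernames whose shell grants access,
# i.e. the accounts a "/bin/false" policy was supposed to have locked out.
accounts_with_shell() {
  audit_passwd_shells "$1" | awk '$4 == "yes" { print $1 }'
}

# Constructed sample passwd file (not taken from any real NAS).
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
backup:x:500:500:backup only:/share/homes/backup:/bin/false
guest:x:501:501:guest:/share/homes/guest:/usr/sbin/nologin
EOF

# Stand-alone run: audit the sample.
audit_passwd_shells "$SAMPLE_PASSWD"
```

Run `audit_passwd_shells /etc/passwd` on the NAS after every firmware upgrade, since that is exactly when the busybox binary and its /bin/false link can change underneath a setting that looked safe before.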
filovirus
Getting the hang of things
Posts: 76
Joined: Wed Oct 06, 2010 10:55 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by filovirus »

Hi Patrick,

If we run both Optware and QNAP SSH on separate ports, this means there are two ssh_config files, one for each, correct? i.e. /etc/config/ and /opt/etc/config/

Does this mean I need to manage two separate sets of keys to use key authentication for each ssh? Is it possible to scale it down and have both look at a single location with only one key pair?

Thanks,
Jerold
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by schumaku »

filovirus wrote:If we run both Optware and QNAP SSH on separate ports, this means there are two ssh_config files, one for each, correct? i.e. /etc/config/ and /opt/etc/config/
The reason for keeping both ssh is to avoid touching the QNAP standard sshd, where code and configuration can be forcibly changed again with any boot or firmware update.
filovirus
Getting the hang of things
Posts: 76
Joined: Wed Oct 06, 2010 10:55 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by filovirus »

Are you recommending maintaining two sets of key pairs (one for each) and just export both public keys as needed? I absolutely do want to maintain both openssh and qnap in the event the openssh doesn't start/gets overwritten on reboot/firmware update. Having two sets of keys just seems to confuse me a bit and I was hoping to use the same set of key files for both ssh services.
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by schumaku »

Keep the standard QNAP sshd on its QNAP configuration, for password auth for admin only, untouched. If anything goes mad, you still have this back door.