It also respects the $HOME directory GECOS field in the /etc/passwd file unlike QNAP's one.
schumaku wrote: It's not limited to admin logins only...
[HOW-TO] Install Optware/OpenSSH as default SSHd Server
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
-
- New here
- Posts: 5
- Joined: Sat Dec 28, 2013 10:29 pm
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
It is empty...
pwilson wrote: What does the System Log tell you?
Code:
grep ssh /var/log/messages
ls -lah /var/log/messages
-rw-r--r-- 1 admin administ 0 Dec 28 16:58 /var/log/messages
-
- New here
- Posts: 5
- Joined: Sat Dec 28, 2013 10:29 pm
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
I got it working by following the link in your original post.
pwilson wrote: Caveat: My autostart method could use some work. I didn't bother to build a proper start/stop script for this (as I always want SSH running anyway), but OpenSSH should really be set up properly with an openssh.sh start/stop script, probably started from /opt/etc/init.d if you follow the instructions from the "Running /opt/etc/init.d/* on startup" section of the QNAPedia article: Install Optware IPKG. If any community members desire this, please post a reply to this message asking me to do so. (I skipped it at this time, simply because I haven't bothered for my own use yet.)
http://wiki.qnap.com/wiki/Install_Optwa ... on_startup
http://forum.qnap.com/viewtopic.php?f=85&t=18977
Had to change "/etc/init.d/Optware-ipkg.sh start" to "/share/MD0_DATA/.qpkg/Optware/Optware-ipkg.sh".
Thank you for your time.
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Great job. Sorry my instructions weren't as complete as they could have been. I'm glad you figured it out.
Marc.O wrote: I got it working by following the link in your original post.
pwilson wrote: Caveat: My autostart method could use some work. I didn't bother to build a proper start/stop script for this (as I always want SSH running anyway), but OpenSSH should really be set up properly with an openssh.sh start/stop script, probably started from /opt/etc/init.d if you follow the instructions from the "Running /opt/etc/init.d/* on startup" section of the QNAPedia article: Install Optware IPKG. If any community members desire this, please post a reply to this message asking me to do so. (I skipped it at this time, simply because I haven't bothered for my own use yet.)
http://wiki.qnap.com/wiki/Install_Optwa ... on_startup
http://forum.qnap.com/viewtopic.php?f=85&t=18977
Had to change "/etc/init.d/Optware-ipkg.sh start" to "/share/MD0_DATA/.qpkg/Optware/Optware-ipkg.sh".
Thank you for your time.
-
- New here
- Posts: 3
- Joined: Sat Jan 21, 2012 3:19 am
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Hi, Mr. Wilson,
Thanks for your clear HOW-TO! It helps me to install OpenSSH on my TS-459 Pro II running on firmware 4.0.3.
However, I have some related questions. Could you give me some help? I will appreciate any suggestions!
Here are my questions:
1. On my MacBook Pro (OS X 10.9), after I log in via the NAS-embedded ssh (port 8022) and OpenSSH, I saw that known_hosts (under /Users/MyName/.ssh) has recorded 2 ssh-rsa entries, which are
10.0.1.3 ssh-rsa ... and
[10.0.1.3]:8022 ssh-rsa ...
The content of "10.0.1.3 ssh-rsa" is the same as /opt/etc/openssh/ssh_host_rsa_key.pub on the TS-459. That is reasonable.
But the content of "[10.0.1.3]:8022 ssh-rsa" is NOT the same as /etc/config/ssh/ssh_host_rsa_key.pub.
I don't know WHY?
2. I copied id_rsa.pub from my MacBook Pro and saved it to /opt/etc/openssh/authorized_keys (brand new file) on the TS-459.
But when I log in by typing "ssh admin@10.0.1.3", it still asks me for the password.
However, in the same way, I copied id_rsa.pub from my MacBook Pro and saved it to /etc/config/ssh/authorized_keys (brand new file) on the TS-459.
I can log in without a password: "ssh -p 8022 admin@10.0.1.3".
Is there any step I missed in OpenSSH? I supposed that I could log in via OpenSSH without a password after adding the public key of my MacBook Pro to the TS-459.
Thank you!
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
To work with "authorized keys" rather than passwords, simply review QNAPedia article: How To Set Up Authorized Keys. (You already know to put the keys in your $HOME/.ssh folder).
cac wrote: Hi, Mr. Wilson,
Thanks for your clear HOW-TO! It helps me to install OpenSSH on my TS-459 Pro II running on firmware 4.0.3.
However, I have some related questions. Could you give me some help? I will appreciate any suggestions!
Here are my questions:
1. On my MacBook Pro (OS X 10.9), after I log in via the NAS-embedded ssh (port 8022) and OpenSSH, I saw that known_hosts (under /Users/MyName/.ssh) has recorded 2 ssh-rsa entries, which are
10.0.1.3 ssh-rsa ... and
[10.0.1.3]:8022 ssh-rsa ...
The content of "10.0.1.3 ssh-rsa" is the same as /opt/etc/openssh/ssh_host_rsa_key.pub on the TS-459. That is reasonable.
But the content of "[10.0.1.3]:8022 ssh-rsa" is NOT the same as /etc/config/ssh/ssh_host_rsa_key.pub.
I don't know WHY?
2. I copied id_rsa.pub from my MacBook Pro and saved it to /opt/etc/openssh/authorized_keys (brand new file) on the TS-459.
But when I log in by typing "ssh admin@10.0.1.3", it still asks me for the password.
However, in the same way, I copied id_rsa.pub from my MacBook Pro and saved it to /etc/config/ssh/authorized_keys (brand new file) on the TS-459.
I can log in without a password: "ssh -p 8022 admin@10.0.1.3".
Is there any step I missed in OpenSSH? I supposed that I could log in via OpenSSH without a password after adding the public key of my MacBook Pro to the TS-459.
Thank you!
Your $HOME folder is determined by the /etc/passwd file:
Code:
cat /etc/passwd | grep admin
admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh
The fields of the passwd file are ":" delimited, and the 6th field is the $HOME for each user. In this example, you can see that admin's $HOME directory is "/share/homes/admin". (This field defaults to "/root" in the QNAP world, which is part of the RAMDisk, so I manually created this folder, set permissions accordingly, and then modified this field in the /etc/passwd file; simply log off and then back on again to test this. You don't need to reboot the NAS for this change.)
If you mess this up (locking yourself out in the process), simply use the QNAP SSHd, as it will log you in using "/root" as your $HOME directory, regardless of the setting in the /etc/passwd file.
Good luck!
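An added example, not part of the original post or of QNAP's documentation: a shell check for the situation discussed above, where the public key was saved to /opt/etc/openssh/authorized_keys and sshd still asked for a password. It assumes stock OpenSSH defaults (AuthorizedKeysFile .ssh/authorized_keys, StrictModes yes); the ROOT_PREFIX argument and the make_sample_tree and install_key helpers are hypothetical, there so the check runs against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes stock OpenSSH defaults:
#   AuthorizedKeysFile .ssh/authorized_keys   and   StrictModes yes

# Print the home directory (6th ":"-delimited field) of user $2 in passwd file $1.
passwd_home() {
    awk -F: -v u="$2" '$1 == u { print $6; found = 1; exit }
                       END { exit !found }' "$1"
}

# True if path $1 is group- or world-writable (StrictModes rejects this).
is_loose() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_authorized_keys PASSWD_FILE USER [ROOT_PREFIX]
# ROOT_PREFIX is a hypothetical knob so the check can run against a test tree.
# Returns: 0 ok, 1 no passwd entry, 2 key file missing, 3 permissions too loose.
check_authorized_keys() {
    home=$(passwd_home "$1" "$2") || { echo "no passwd entry for $2"; return 1; }
    base="${3:-}$home"
    keys="$base/.ssh/authorized_keys"
    [ -f "$keys" ] || { echo "missing: $keys"; return 2; }
    for p in "$base" "$base/.ssh" "$keys"; do
        if is_loose "$p"; then echo "group/world-writable: $p"; return 3; fi
    done
    echo "ok: $keys"
}

# Constructed tree mirroring the thread: the passwd line as posted, and the
# public key saved under /opt/etc/openssh instead of $HOME/.ssh.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/opt/etc/openssh" "$root/share/homes/admin"
    chmod 755 "$root/share/homes/admin"
    echo 'admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh' > "$root/etc/passwd"
    echo 'ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY user@macbook' \
        > "$root/opt/etc/openssh/authorized_keys"
    echo "$root"
}

# Copy the key to where sshd looks, with modes StrictModes accepts.
install_key() {
    sshdir="$1/share/homes/admin/.ssh"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    cp "$1/opt/etc/openssh/authorized_keys" "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
}

demo() {
    t=$(make_sample_tree) || return 1
    check_authorized_keys "$t/etc/passwd" admin "$t" || true  # key in wrong place
    install_key "$t"
    check_authorized_keys "$t/etc/passwd" admin "$t" || true  # now found
    rm -rf "$t"
}
demo
```

On a real NAS, call check_authorized_keys /etc/passwd admin with no third argument.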
-
- Starting out
- Posts: 34
- Joined: Mon Nov 02, 2009 12:30 pm
- Location: Australia
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Hi Patrick / Schumaku
Quick question if I may. I have read the thread and your views on security with great interest as I was looking to enable remote SSH access for just me. I would ensure that before I opened any ports I would have the relevant public / private keys and passphrase in place to provide the extra layer of security.
On the first page of the topic Patrick you mention that you don't have port 22 open to the internet (I think I read that bit correctly). If that is the case then can I assume you don't ever look to SSH in to your NAS from "outside"?
I am just curious as I want to look at implementing the most secure method for remote access... and this thread then gets me thinking about whether or not the built in functionality of FTP is secure in general.
Your knowledgeable feedback would be welcomed.
Cheers
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
With private keys in place SSH doesn't even prompt for login credentials at all. You get straight to the command prompt. As for Port 22. I do enable SSH on Port 22, for transparency, (so special instructions required to SSH between machines on my local network). It works as expected.
jollster101 wrote: Hi Patrick / Schumaku
Quick question if I may. I have read the thread and your views on security with great interest as I was looking to enable remote SSH access for just me. I would ensure that before I opened any ports I would have the relevant public / private keys and passphrase in place to provide the extra layer of security
jollster101 wrote:On the first page of the topic Patrick you mention that you don't have port 22 open to the internet (I think I read that bit correctly). If that is the case then can I assume you don't ever look to SSH in to your NAS from "outside"?
I do "not" however Port-Forward, WAN:22 to NAS:22 in my Router. To access my NAS via SSH remotely, my device has to use OpenVPN to connect to my NAS first. Once the VPN link is operational, I can SSH into my NAS by SSHing to 10.8.0.1 on Port 22/TCP. SSHing to my external IP address does not work. (By my design). Prevents "brute force" attacks on Port 22/TCP.
If you desire "remote access" to your NAS, and are worried about securing your access, simply set up the OpenVPN Server on the NAS. (See the VPN Service section of the QNAP Turbo NAS User Manual). Avoid PPTP, it is insecure! Implement OpenVPN on your client device, and enable the OpenVPN Service on the NAS. You can also implement OpenVPN on your Android devices using OpenVPN Connect.
jollster101 wrote: I am just curious as I want to look at implementing the most secure method for remote access... and this thread then gets me thinking about whether or not the built in functionality of FTP is secure in general.
You can similarly operate your FTP Server only on the VPN outside your network by simply not Port-Forwarding Port 21/TCP on your Router, but permitting FTP sessions to the VPN interface.
It is preferable to set up OpenVPN at the Router, if you have a compatible Router, but if you don't, this is the next best thing. If implemented at the NAS, you will only have access to the NAS remotely via OpenVPN. If implemented at the Router, you will be able to access all devices on your local network. How you should do it really depends on what your goals are.
-
- Starting out
- Posts: 34
- Joined: Mon Nov 02, 2009 12:30 pm
- Location: Australia
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Thanks for the detailed response, that gives some very good direction.
The goal is to have a secure setup for my overall network. I have numerous apps running on my NAS with default ports changed and there is always that nagging doubt in the back of my mind about the security of it. Nothing is unprotected in terms of passwords (which are complex as well) and usernames do not follow the standard defaults. However script kiddies aren't stupid and so I would like to ensure my data stays just that, mine.
I like your approach and so I will see if my Billion router can accommodate OpenVPN. If it can't then I will implement on the NAS itself which as you said is better than nothing.
-
- Starting out
- Posts: 34
- Joined: Mon Nov 02, 2009 12:30 pm
- Location: Australia
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Hi Patrick
I have found out that my router doesn't support VPN natively at the router (although it will allow pass through) so if I want to ensure I have complete security I may need to look at replacing the router.
Given that you have your VPN configured at the router, could you please advise what model you may have so I can look to compare apples with apples in terms of any replacement? I have seen some that offer various passthrough options and a couple that look as though they do PPTP VPN servers (however, I am shying away from PPTP VPN servers due to the security flaws with it). Given there are so many, it would be good to have an initial starting point to base my search on.
Thanks
- pwilson
- Guru
- Posts: 22533
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
I have 4 Routers. All are from different manufacturers. I simply upgraded the Firmware on all of them from the Firmware provided by the manufacturer, to DD-WRT 3rd Party Firmware. I have simply configured 3 of the 4 Routers as Wireless Access Points (aka WAPs). Between my main Router, and the 3 WAPs, I can access my network from all 4 of them. (DD-WRT Firmware supports OpenVPN).
jollster101 wrote: Hi Patrick
I have found out that my router doesn't support VPN natively at the router (although it will allow pass through) so if I want to ensure I have complete security I may need to look at replacing the router.
Given that you have your VPN configured at the router, could you please advise what model you may have so I can look to compare apples with apples in terms of any replacement? I have seen some that offer various passthrough options and a couple that look as though they do PPTP VPN servers (however, I am shying away from PPTP VPN servers due to the security flaws with it). Given there are so many, it would be good to have an initial starting point to base my search on.
Thanks
My Laptop gets its own WAP to access, which no other device connects to, giving me fast access from my Laptop. All our smartphones and the kids' Laptops use the main router sharing the Wi-Fi signal. I use "DHCP Reservations" on the Main Router, so that all my devices always get the same IP address every time they connect to my network, regardless of which AP they actually connect to.
All my devices without exception are configured to use DHCP. (Even my WAPs connect to the main router via DHCP).
-
- Starting out
- Posts: 36
- Joined: Fri Feb 14, 2014 1:54 am
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Nice setup, I recently set up something similar to this on my 212.
Just wanted to point out that setting the shell to /bin/false on firmware 4.0.5 actually results in a valid shell, since /bin/false is a link back to the main busybox executable.
I guess for some reason the sshd looks at the symlink and uses the actual file, so it doesn't actually get called as false, resulting in a shell.
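An added example, not part of the original post: a shell audit that lists accounts whose shell is named false or nologin but resolves through a symlink to busybox, the condition the post above reports on firmware 4.0.5. The sample tree, the account names svc and backup, and the ROOT_PREFIX argument are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags accounts meant to be locked out
# (shell named false or nologin) whose shell is a symlink resolving to busybox.

# audit_locked_shells PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX is a hypothetical knob for running against a test tree.
# Prints one line per flagged account: "user shell -> resolved-target".
audit_locked_shells() {
    while IFS=: read -r user x x x x x shell; do
        case "${shell##*/}" in
            false|nologin) ;;
            *) continue ;;
        esac
        path="${2:-}$shell"
        [ -L "$path" ] || continue          # only symlinked shells are examined
        target=$(readlink -f "$path") || continue
        case "${target##*/}" in
            busybox*) echo "$user $shell -> $target" ;;
        esac
    done < "$1"
}

# Constructed tree: /bin/false is a relative symlink to busybox (as the post
# describes), /sbin/nologin is a standalone file.
make_shell_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/sbin" "$root/etc"
    : > "$root/bin/busybox"
    : > "$root/sbin/nologin"
    ln -s busybox "$root/bin/false"
    ln -s busybox "$root/bin/sh"
    cat > "$root/etc/passwd" <<'EOF'
admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh
svc:x:500:100:constructed account:/share/homes/svc:/bin/false
backup:x:501:100:constructed account:/share/homes/backup:/sbin/nologin
EOF
    echo "$root"
}

demo() {
    t=$(make_shell_tree) || return 1
    audit_locked_shells "$t/etc/passwd" "$t"   # flags only svc
    rm -rf "$t"
}
demo
```

On a real system, run audit_locked_shells /etc/passwd with no second argument.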
-
- Starting out
- Posts: 15
- Joined: Sat May 17, 2014 5:33 am
Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server
Thank you Patrick for the guide. It is extremely useful.
I am just wondering where the sshd_config lives for OpenSSH? I couldn't find that info. I'd like to disable password auth and force user to use keys.