[HOW-TO] Install Optware/OpenSSH as default SSHd Server

Discussion on setting up QNAP NAS products.
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

schumaku wrote:It's not limited to admin logins only...
It also respects the $HOME directory GECOS field in the /etc/passwd file unlike QNAP's one. :roll:

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.
Marc.O
New here
Posts: 5
Joined: Sat Dec 28, 2013 10:29 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Marc.O »

pwilson wrote: What does the System Log tell you?

grep ssh /var/log/messages
It is empty...
ls -lah /var/log/messages
-rw-r--r-- 1 admin administ 0 Dec 28 16:58 /var/log/messages
Marc.O
New here
Posts: 5
Joined: Sat Dec 28, 2013 10:29 pm

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Marc.O »

pwilson wrote: Caveat: My autostart method could use some work. I didn't bother to build a proper start/stop script for this (as I always want SSH running anyway), but OpenSSH should really be set up properly with an openssh.sh start/stop script, probably started from /opt/etc/init.d if you follow the instructions from the Running /opt/etc/init.d/* on startup section of the QNAPedia article: Install Optware IPKG. If any community members desire this, please post a reply to this message asking me to do so. (I skipped it at this time, simply because I haven't bothered for my own use yet.)
I got it working by following the link in your original post.
http://wiki.qnap.com/wiki/Install_Optwa ... on_startup
http://forum.qnap.com/viewtopic.php?f=85&t=18977
Had to change "/etc/init.d/Optware-ipkg.sh start" to "/share/MD0_DATA/.qpkg/Optware/Optware-ipkg.sh".

Thank you for your time.
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

Marc.O wrote:
pwilson wrote: Caveat: My autostart method could use some work. I didn't bother to build a proper start/stop script for this (as I always want SSH running anyway), but OpenSSH should really be set up properly with an openssh.sh start/stop script, probably started from /opt/etc/init.d if you follow the instructions from the Running /opt/etc/init.d/* on startup section of the QNAPedia article: Install Optware IPKG. If any community members desire this, please post a reply to this message asking me to do so. (I skipped it at this time, simply because I haven't bothered for my own use yet.)
I got it working by following the link in your original post.
http://wiki.qnap.com/wiki/Install_Optwa ... on_startup
http://forum.qnap.com/viewtopic.php?f=85&t=18977
Had to change "/etc/init.d/Optware-ipkg.sh start" to "/share/MD0_DATA/.qpkg/Optware/Optware-ipkg.sh".

Thank you for your time.
Great job. Sorry my instructions weren't as complete as they could have been. I'm glad you figured it out.

cac
New here
Posts: 3
Joined: Sat Jan 21, 2012 3:19 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by cac »

Hi, Mr. Wilson,

Thanks for your clear HOW-TO! It helped me to install OpenSSH on my TS-459 Pro II running on firmware 4.0.3.
However, I have some related questions. Could you give me some help? I would appreciate any suggestions!

Here are my questions:
1.
On my MacBook Pro (OS X 10.9), after I log in via the NAS-embedded ssh (port 8022) and OpenSSH, I saw that known_hosts (under /Users/MyName/.ssh) has recorded 2 ssh-rsa entries, which are
10.0.1.3 ssh-rsa ... and
[10.0.1.3]:8022 ssh-rsa ...

The content of "10.0.1.3 ssh-rsa" is the same as /opt/etc/openssh/ssh_host_rsa_key.pub on TS-459. It is reasonable.
But the content of "[10.0.1.3]:8022 ssh-rsa" is NOT the same as /etc/config/ssh/ssh_host_rsa_key.pub.
I don't know WHY?

2.
I copied id_rsa.pub from my MacBook Pro and saved it to /opt/etc/openssh/authorized_keys (brand new file) on TS-459.
But when I log in by typing "ssh admin@10.0.1.3", it still asks me for the password.

However, in the same way, I copied id_rsa.pub from my MacBook Pro and saved it to /etc/config/ssh/authorized_keys (brand new file) on TS-459.
I can log in without a password: "ssh -p 8022 admin@10.0.1.3".

Is there any step I missed in OpenSSH? I supposed that I could log in via OpenSSH without a password after I added the public key of my MacBook Pro to the TS-459.

Thank you!
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

cac wrote:Hi, Mr. Wilson,

Thanks for your clear HOW-TO! It helped me to install OpenSSH on my TS-459 Pro II running on firmware 4.0.3.
However, I have some related questions. Could you give me some help? I would appreciate any suggestions!

Here are my questions:
1.
On my MacBook Pro (OS X 10.9), after I log in via the NAS-embedded ssh (port 8022) and OpenSSH, I saw that known_hosts (under /Users/MyName/.ssh) has recorded 2 ssh-rsa entries, which are
10.0.1.3 ssh-rsa ... and
[10.0.1.3]:8022 ssh-rsa ...

The content of "10.0.1.3 ssh-rsa" is the same as /opt/etc/openssh/ssh_host_rsa_key.pub on TS-459. It is reasonable.
But the content of "[10.0.1.3]:8022 ssh-rsa" is NOT the same as /etc/config/ssh/ssh_host_rsa_key.pub.
I don't know WHY?

2.
I copied id_rsa.pub from my MacBook Pro and saved it to /opt/etc/openssh/authorized_keys (brand new file) on TS-459.
But when I log in by typing "ssh admin@10.0.1.3", it still asks me for the password.

However, in the same way, I copied id_rsa.pub from my MacBook Pro and saved it to /etc/config/ssh/authorized_keys (brand new file) on TS-459.
I can log in without a password: "ssh -p 8022 admin@10.0.1.3".

Is there any step I missed in OpenSSH? I supposed that I could log in via OpenSSH without a password after I added the public key of my MacBook Pro to the TS-459.

Thank you!
To work with "authorized keys" rather than passwords, simply review QNAPedia article: How To Set Up Authorized Keys. (You already know to put the keys in your $HOME/.ssh folder.)

Your $HOME folder is determined by the /etc/passwd file:

cat /etc/passwd | grep admin
admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh


The fields of the passwd file are ":" delimited, and the 6th field is the $HOME for each user. In this example, you can see that "admin's $HOME" directory is "/share/homes/admin". (This field defaults to "/root" in the QNAP world, (which is part of the RAMDisk :roll:), so I manually created this folder, and set permissions accordingly, and then modified this field in the /etc/passwd file; simply logoff and then back on again to test this (you don't need to reboot the NAS for this change)).

If you mess this up (locking yourself out in the process), simply use the QNAP SSHd, as it will log you in using "/root" as your $HOME directory, regardless of the setting in the /etc/passwd file. :shock:

Good luck!

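Added example, not part of the original posts: a POSIX shell check for the situation in this exchange, where a key saved outside the account's real $HOME/.ssh is never consulted. It reads field 6 of the passwd file as described above and also checks the write permissions that OpenSSH's StrictModes setting (on by default) enforces; `check_authkeys` and its optional passwd-file and root-prefix arguments are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not code from the thread. check_authkeys is a hypothetical
# helper: check_authkeys USER [PASSWD_FILE] [ROOT_PREFIX]
# ROOT_PREFIX (assumption) lets the check run against a copied/constructed tree.

# Print field 6 (the home directory) of USER's entry in PASSWD_FILE.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
}

# Octal permission bits of a path (GNU/BusyBox stat, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if sshd could use $HOME/.ssh/authorized_keys for USER.
check_authkeys() {
    user=$1; passwd=${2:-/etc/passwd}; root=${3:-}
    home=$(passwd_home "$user" "$passwd")
    if [ -z "$home" ]; then
        echo "FAIL no passwd entry (or empty home field) for $user"
        return 1
    fi
    echo "INFO default key file for $user is $home/.ssh/authorized_keys"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$root$p" ]; then
            echo "FAIL missing: $p"; rc=1; continue
        fi
        mode=$(perm_of "$root$p")
        # StrictModes rejects keys if any of these is group/world writable.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL mode $mode on $p is group/world writable"; rc=1
        fi
    done
    keys=$root$home/.ssh/authorized_keys
    if [ -f "$keys" ] && ! grep -Eq '^[^#]*(ssh-|ecdsa-)' "$keys"; then
        echo "FAIL no public key lines in $home/.ssh/authorized_keys"; rc=1
    fi
    return $rc
}
```

On the NAS itself, `check_authkeys admin` is enough; ownership of the files is not checked here, only their modes.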
jollster101
Starting out
Posts: 34
Joined: Mon Nov 02, 2009 12:30 pm
Location: Australia

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by jollster101 »

Hi Patrick / Schumaku

Quick question if I may. I have read the thread and your views on security with great interest as I was looking to enable remote SSH access for just me. I would ensure that before I opened any ports I would have the relevant public / private keys and passphrase in place to provide the extra layer of security.

On the first page of the topic Patrick you mention that you don't have port 22 open to the internet (I think I read that bit correctly). If that is the case then can I assume you don't ever look to SSH in to your NAS from "outside"?

I am just curious as I want to look at implementing the most secure method for remote access.......and this thread then gets me thinking about whether or not the built in functionality of FTP is secure in general. :o(

Your knowledgeable feedback would be welcomed.

Cheers
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

jollster101 wrote:Hi Patrick / Schumaku

Quick question if I may. I have read the thread and your views on security with great interest as I was looking to enable remote SSH access for just me. I would ensure that before I opened any ports I would have the relevant public / private keys and passphrase in place to provide the extra layer of security
With private keys in place SSH doesn't even prompt for login credentials at all. You get straight to the command prompt. As for Port 22. I do enable SSH on Port 22, for transparency, (so special instructions required to SSH between machines on my local network). It works as expected.
jollster101 wrote:On the first page of the topic Patrick you mention that you don't have port 22 open to the internet (I think I read that bit correctly). If that is the case then can I assume you don't ever look to SSH in to your NAS from "outside"?


I do "not" however Port-Forward, WAN:22 to NAS:22 in my Router. To access my NAS via SSH remotely, my device has to use OpenVPN to connect to my NAS first. Once the VPN link is operational, I can SSH into my NAS by SSHing to 10.8.0.1 on Port 22/TCP. SSHing to my external IP address does not work. (By my design). Prevents "brute force" attacks on Port 22/TCP.
jollster101 wrote:I am just curious as I want to look at implementing the most secure method for remote access.......and this thread then gets me thinking about whether or not the built in functionality of FTP is secure in general. :o(
If you desire "remote access" to your NAS, and are worried about securing your access, simply set up the OpenVPN Server on the NAS. (See the VPN Service section of the QNAP Turbo NAS User Manual). Avoid PPTP, it is insecure! Implement OpenVPN on your client device, and enable the OpenVPN Service on the NAS. You can also implement OpenVPN on your Android devices using OpenVPN Connect.

You can similarly operate your FTP Server only on the VPN outside your network by simply not Port-Forwarding Port 21/TCP on your Router, but permitting FTP sessions to the VPN interface.

It is preferable to set up OpenVPN at the Router, if you have a compatible Router, but if you don't, this is the next best thing. If implemented at the NAS, you will only have access to the NAS remotely via OpenVPN. If implemented at the Router, you will be able to access all devices on your local network. How you should do it really depends on what your goals are.

jollster101
Starting out
Posts: 34
Joined: Mon Nov 02, 2009 12:30 pm
Location: Australia

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by jollster101 »

Thanks for the detailed response, that gives some very good direction.

The goal is to have a secure setup for my overall network. I have numerous apps running on my NAS with default ports changed and there is always that nagging doubt in the back of my mind about the security of it. Nothing is unprotected in terms of passwords (which are complex as well) and usernames do not follow the standard defaults. However script kiddies aren't stupid and so I would like to ensure my data stays just that, mine.

I like your approach and so I will see if my Billion router can accommodate OpenVPN. If it can't then I will implement on the NAS itself which as you said is better than nothing.
jollster101
Starting out
Posts: 34
Joined: Mon Nov 02, 2009 12:30 pm
Location: Australia

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by jollster101 »

Hi Patrick

I have found out that my router doesn't support VPN natively at the router (although it will allow pass through) so if I want to ensure I have complete security I may need to look at replacing the router.

Given that you have your VPN configured at the router could you please advise what model you may have so I can look to compare apples with apples in terms of any replacement? I have seen some that offer various passthrough options and a couple that look as though they do PPTP VPN servers (however shying away from PPTP VPN servers due to the security flaws with it). Given there are so many it would be good to have an initial starting point to base my search on.

Thanks
pwilson
Guru
Posts: 22533
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by pwilson »

jollster101 wrote:Hi Patrick

I have found out that my router doesn't support VPN natively at the router (although it will allow pass through) so if I want to ensure I have complete security I may need to look at replacing the router.

Given that you have your VPN configured at the router could you please advise what model you may have so I can look to compare apples with apples in terms of any replacement? I have seen some that offer various passthrough options and a couple that look as though they do PPTP VPN servers (however shying away from PPTP VPN servers due to the security flaws with it). Given there are so many it would be good to have an initial starting point to base my search on.

Thanks
I have 4 Routers. All are from different manufacturers. I simply upgraded the Firmware on all of them from the Firmware provided by the manufacturer, to DD-WRT 3rd Party Firmware. I have simply configured 3 of the 4 Routers as Wireless Access Points (aka WAPs). Between my main Router, and the 3 WAPs, I can access my network from all 4 of them. (DD-WRT Firmware supports OpenVPN).

My Laptop gets its own WAP to access, which no other device connects to, giving me fast access from my Laptop. All our smartphones and the kids' Laptops use the main router, sharing the Wi-Fi signal. I use "DHCP Reservations" on the Main Router, so that all my devices always get the same IP address every time they connect to my network, regardless of which AP they actually connect to.

All my devices without exception are configured to use DHCP. (Even my WAPs connect to the main router via DHCP).

jollster101
Starting out
Posts: 34
Joined: Mon Nov 02, 2009 12:30 pm
Location: Australia

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by jollster101 »

Thanks.
Jingo
Starting out
Posts: 36
Joined: Fri Feb 14, 2014 1:54 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by Jingo »

Nice setup, I recently set up something similar to this on my 212.

Just wanted to point out that setting the shell to /bin/false on firmware 4.0.5 actually results in a valid shell, since /bin/false is a link back to the main busybox executable.

I guess for some reason the sshd looks at the symlink and uses the actual file, so it doesn't actually get called as false, resulting in a shell.
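Added example, not part of the original post: a POSIX shell audit for the condition described here, where an account's "deny" shell such as /bin/false is really a link to another binary. `audit_shells` and its passwd-file and root-prefix arguments are hypothetical names; it only reports such accounts so their login behaviour can be verified by hand.

```shell
#!/bin/sh
# Added example, not code from the thread. audit_shells is a hypothetical
# helper: audit_shells [PASSWD_FILE] [ROOT_PREFIX]
# ROOT_PREFIX (assumption) lets the audit run against a constructed tree.
# Returns 0 when every false/nologin shell is a real file of that name.

audit_shells() {
    passwd=${1:-/etc/passwd}; root=${2:-}
    findings=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $shell in
            */false|*/nologin) ;;   # accounts meant to be denied a shell
            *) continue ;;
        esac
        # Follow symlinks to the file that would actually be executed.
        target=$(readlink -f "$root$shell" 2>/dev/null) || target=$root$shell
        if [ "$(basename "$target")" != "$(basename "$shell")" ]; then
            echo "WARN $name: $shell resolves to $target; verify it denies login"
            findings=$((findings + 1))
        else
            echo "OK   $name: $shell"
        fi
    done < "$passwd"
    [ "$findings" -eq 0 ]
}
```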
trudeo
Starting out
Posts: 15
Joined: Sat May 17, 2014 5:33 am

Re: [HOW-TO] Install Optware/OpenSSH as default SSHd Server

Post by trudeo »

Thank you Patrick for the guide. It is extremely useful.

I am just wondering where the sshd_config lives for OpenSSH? I couldn't find that info. I'd like to disable password auth and force user to use keys.