[HOWTO] How to build openssh

Discussion on setting up QNAP NAS products.
Post Reply
buergi
Starting out
Posts: 14
Joined: Sat Nov 21, 2009 3:49 am

[HOWTO] How to build openssh

Post by buergi » Fri Sep 12, 2014 7:17 pm

As QNAPs sshd is crippled to only allow the admin to login and Optware's sshd is already very old I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1. As maybe some of you also want to have the newest shiny openssh I wrote the following script.

I tested it on my TS-870 Pro and it works flawlessly but I cannot guarantee that it will work on any QNAP NAS.
You can execute the script in any directory. Just make sure the directory can hold ~200MB (i.e. don't execute it for example in /tmp) or execute the lines manually one by one.

Code: Select all

#!/bin/sh
## install Optware QPKG and required packages
ipkg install gcc make perl sed gawk tar gzip bzip2 zlib mktemp
export PATH=/opt/bin:/opt/sbin:$PATH

## grab the source
wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.1i.tar.gz # < heartbleed free
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.8.tar.bz2

## make temporary dir for dependencies (libpam headers and openssl)
## openssl will be compiled statically so you can remove this directory afterwards
DEPDIR=`pwd`/dist
mkdir -p $DEPDIR/usr/include

## we need only the PAM headers, we use QNAP's libpam.so
tar xjf Linux-PAM-1.1.8.tar.bz2
ln -s libpam.so.0 /lib/libpam.so
cp -r Linux-PAM-1.1.8/libpam/include/security/ $DEPDIR/usr/include || exit

## install openssl to DEPDIR
tar xzf openssl-1.0.1i.tar.gz
pushd openssl-1.0.1i
./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib zlib linux-elf "-Wa,--noexecstack" || exit
make depend || exit
make || exit
make INSTALL_PREFIX=$DEPDIR MANDIR=/usr/share/man MANSUFFIX=ssl install || exit
popd

## build openssh
tar xzf openssh-6.6p1.tar.gz
pushd openssh-6.6p1
./configure --prefix=/usr --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc/ssh\
    --with-ssl-engine --with-pam --with-md5-passwords --with-pid-dir=/var/run\
    --with-ldflags=-L$DEPDIR/usr/lib --with-cflags=-I$DEPDIR/usr/include || exit
make || exit
popd

## optionally install whole ssh to some dir
#mkdir "$HOME/myssh"
#make DESTDIR="$HOME/myssh" install
## or just copy sshd binary
cp openssh-6.6p1/sshd ~

## optionally cleanup
#rm -fr Linux-PAM-1.1.8* openssh-6.6p1* openssl-1.0.1i* $DEPDIR


Now you should have a fresh and shiny new sshd in you home folder.
This executable does not depend on any other libraries which are not already available in the OS.
The only dependency that is different, openssl 1.0.1i (heartbleed free), is build statically into openssh. So you can remove all generated directories, even the DEPDIR.

You can execute sshd right away or install it permanently using a corresponding script executed via autorun.sh.
I use the following script

Code: Select all

#!/bin/sh

# stop QNAP sshd
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# bring our sshd in place
cp -f /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /share/CACHEDEV1_DATA/sshd /usr/sbin/sshd

# our sshd needs this directory for priviledge separation
mkdir /var/empty

# replace sftp-server by internal-sftp in login.sh
sed -i 's|/usr/libexec/sftp-server|Subsystem.*internal-sftp|g;
/Subsystem/s|\/usr\/libexec\/sftp-server|internal-sftp|g;
s|/\/usr\/libexec\/sftp-server/d|/Subsystem.*internal-sftp/d|g
' /etc/init.d/login.sh > /dev/null

# start the sshd
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
/sbin/daemon_mgr sshd start "/usr/sbin/sshd -f /etc/ssh/sshd_config -p $SSH_PORT"


Have fun with it

brentster
New here
Posts: 3
Joined: Mon Nov 24, 2014 2:21 pm

Re: [HOWTO] How to build openssh

Post by brentster » Wed Jun 10, 2015 12:33 am

Awesome writeup.. Gonna try this on mine.. I don't have SSH exposed to internet but I don't wanna be logging in as admin 'just because' of limitation in QNAP's own SSH implementation..

Assumption is that this will not survive a firmware upgrade and I will need to keep this handy.. That correct?

User avatar
pwilson
Guru
Posts: 22569
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOWTO] How to build openssh

Post by pwilson » Wed Jun 10, 2015 12:42 am

buergi wrote:As QNAPs sshd is crippled to only allow the admin to login and Optware's sshd is already very old I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.


Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?

Code: Select all

opkg list | grep -i OpenSSH 
openssh-client - 6.8p1-1 - OpenSSH client.
openssh-client-utils - 6.8p1-1 - OpenSSH client utilities.
openssh-keygen - 6.8p1-1 - OpenSSH keygen.
openssh-moduli - 6.8p1-1 - OpenSSH server moduli file.
openssh-server - 6.8p1-1 - OpenSSH server.
openssh-sftp-client - 6.8p1-1 - OpenSSH SFTP client.
openssh-sftp-server - 6.8p1-1 - OpenSSH SFTP server.


Check out zyxmon's QNAPware/Entware package instead; See message thread: [QPKG] Qnapware 1600+ packages arm/x86. A port of Entware.. If you install this QPKG you will get access to over 1800 packages, including a newer OpenSSH than you created.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

brentster
New here
Posts: 3
Joined: Mon Nov 24, 2014 2:21 pm

Re: [HOWTO] How to build openssh

Post by brentster » Wed Jun 10, 2015 1:37 am

buergi wrote:As QNAPs sshd is crippled to only allow the admin to login and Optware's sshd is already very old I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.

pwilson wrote:Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?


Thanks Patrick.. I am now better informed!

Same question applies.. Will this survive a FW upgrade?

User avatar
pwilson
Guru
Posts: 22569
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: [HOWTO] How to build openssh

Post by pwilson » Wed Jun 10, 2015 3:03 am

brentster wrote:
buergi wrote:As QNAPs sshd is crippled to only allow the admin to login and Optware's sshd is already very old I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.

pwilson wrote:Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?


Thanks Patrick.. I am now better informed!

Same question applies.. Will this survive a FW upgrade?


It should survive a FW upgrade.

I also am concerned that your method overwrites the QNAP one. I most definitely do not recommend doing that. In fact I recommend that you run "both" SSHd daemons (QNAP's and Entware's). See my previous post: Installing OpenSSH as default SSHd Server (but keeping QNAP's SSHD version active as well), and adapt those instructions to work with Entware rather than Optware.

Please read the entire thread, as there are security concerns if you use OpenSSH instead of QNAP's crippled version.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

Post Reply

Return to “Turbo Station Installation & Setup”