
[HOWTO] How to build openssh

Posted: Fri Sep 12, 2014 7:17 pm
by buergi
As QNAP's sshd is crippled to only allow the admin to log in and Optware's sshd is already very old, I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1. As maybe some of you also want to have the newest shiny openssh, I wrote the following script.

I tested it on my TS-870 Pro and it works flawlessly but I cannot guarantee that it will work on any QNAP NAS.
You can execute the script in any directory. Just make sure the directory can hold ~200MB (i.e. don't execute it for example in /tmp) or execute the lines manually one by one.

Code:

#!/bin/sh
## install Optware QPKG and required packages
ipkg install gcc make perl sed gawk tar gzip bzip2 zlib mktemp
export PATH=/opt/bin:/opt/sbin:$PATH

## grab the source
wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.1i.tar.gz # < heartbleed free
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
wget --no-check-certificate https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-1.1.8.tar.bz2

## make temporary dir for dependencies (libpam headers and openssl)
## openssl will be compiled statically so you can remove this directory afterwards
DEPDIR=`pwd`/dist
mkdir -p $DEPDIR/usr/include

## we need only the PAM headers, we use QNAP's libpam.so
tar xjf Linux-PAM-1.1.8.tar.bz2
ln -s libpam.so.0 /lib/libpam.so
cp -r Linux-PAM-1.1.8/libpam/include/security/ $DEPDIR/usr/include || exit

## install openssl to DEPDIR
tar xzf openssl-1.0.1i.tar.gz
## plain cd instead of pushd/popd, which are bash builtins and not available in every /bin/sh
cd openssl-1.0.1i || exit
./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib zlib linux-elf "-Wa,--noexecstack" || exit
make depend || exit
make || exit
make INSTALL_PREFIX=$DEPDIR MANDIR=/usr/share/man MANSUFFIX=ssl install || exit
cd ..

## build openssh
tar xzf openssh-6.6p1.tar.gz
## plain cd instead of pushd/popd, which are bash builtins and not available in every /bin/sh
cd openssh-6.6p1 || exit
./configure --prefix=/usr --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc/ssh\
    --with-ssl-engine --with-pam --with-md5-passwords --with-pid-dir=/var/run\
    --with-ldflags=-L$DEPDIR/usr/lib --with-cflags=-I$DEPDIR/usr/include || exit
make || exit
cd ..

## optionally install whole ssh to some dir
#mkdir "$HOME/myssh"
#make DESTDIR="$HOME/myssh" install
## or just copy sshd binary
cp openssh-6.6p1/sshd ~

## optionally cleanup
#rm -fr Linux-PAM-1.1.8* openssh-6.6p1* openssl-1.0.1i* $DEPDIR
Now you should have a fresh and shiny new sshd in your home folder.
This executable does not depend on any other libraries which are not already available in the OS.
The only dependency that is different, openssl 1.0.1i (heartbleed free), is built statically into openssh. So you can remove all generated directories, even the DEPDIR.

You can execute sshd right away or install it permanently using a corresponding script executed via autorun.sh.
I use the following script

Code:

#!/bin/sh

# stop QNAP sshd
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# bring our sshd in place
cp -f /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /share/CACHEDEV1_DATA/sshd /usr/sbin/sshd

# our sshd needs this directory for privilege separation
mkdir -p /var/empty

# replace sftp-server by internal-sftp in login.sh
sed -i 's|/usr/libexec/sftp-server|Subsystem.*internal-sftp|g;
/Subsystem/s|\/usr\/libexec\/sftp-server|internal-sftp|g;
s|/\/usr\/libexec\/sftp-server/d|/Subsystem.*internal-sftp/d|g
' /etc/init.d/login.sh > /dev/null

# start the sshd
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
/sbin/daemon_mgr sshd start "/usr/sbin/sshd -f /etc/ssh/sshd_config -p $SSH_PORT"
Have fun with it
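
The build script above fetches its tarballs with `--no-check-certificate` and over plain FTP, so nothing authenticates what ends up compiled into a root-run sshd. The following is an added example, not part of the original post, of a digest check to run between the `wget` lines and the first `tar`; the function names are hypothetical, `sha256sum` is assumed to be available, and the digests in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check each source tarball against a pinned SHA-256 before
# any tar/make step. Function names are hypothetical; assumes sha256sum exists.

# Print the lowercase hex SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED: returns 0 only on an exact digest match.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Fail closed on placeholders or malformed digests (must be 64 hex chars).
    case $expected in
        *[!0-9a-f]*) echo "bad digest for $file" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest for $file" >&2; return 3; }
    actual=$(file_sha256 "$file") || return 4
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: got $actual" >&2
        return 1
    fi
    echo "OK $file"
}

# verify_all: read "digest  filename" lines on stdin, stop at the first failure.
verify_all() {
    while read -r digest name; do
        [ -n "$name" ] || continue
        verify_sha256 "$name" "$digest" || return 1
    done
}

# Usage after the wget lines (digests are PLACEHOLDERS, obtain the real values
# from each project's release announcement over a channel you trust):
#   verify_all <<'EOF' || exit 1
#   <sha256-of-openssl-tarball>  openssl-1.0.1i.tar.gz
#   <sha256-of-openssh-tarball>  openssh-6.6p1.tar.gz
#   <sha256-of-linux-pam-tarball>  Linux-PAM-1.1.8.tar.bz2
#   EOF
```

Because a placeholder or truncated digest is rejected with its own exit code, a script that was copied without filling in real values stops before anything is unpacked.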

Re: [HOWTO] How to build openssh

Posted: Wed Jun 10, 2015 12:33 am
by brentster
Awesome writeup.. Gonna try this on mine.. I don't have SSH exposed to internet but I don't wanna be logging in as admin 'just because' of limitation in QNAP's own SSH implementation..

Assumption is that this will not survive a firmware upgrade and I will need to keep this handy.. That correct?

Re: [HOWTO] How to build openssh

Posted: Wed Jun 10, 2015 12:42 am
by pwilson
buergi wrote:As QNAP's sshd is crippled to only allow the admin to log in and Optware's sshd is already very old, I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.
Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?

Code:

opkg list | grep -i OpenSSH 
openssh-client - 6.8p1-1 - OpenSSH client.
openssh-client-utils - 6.8p1-1 - OpenSSH client utilities.
openssh-keygen - 6.8p1-1 - OpenSSH keygen.
openssh-moduli - 6.8p1-1 - OpenSSH server moduli file.
openssh-server - 6.8p1-1 - OpenSSH server.
openssh-sftp-client - 6.8p1-1 - OpenSSH SFTP client.
openssh-sftp-server - 6.8p1-1 - OpenSSH SFTP server.
Check out zyxmon's QNAPware/Entware package instead; See message thread: [QPKG] Qnapware 1600+ packages arm/x86. A port of Entware.. If you install this QPKG you will get access to over 1800 packages, including a newer OpenSSH than you created.

Re: [HOWTO] How to build openssh

Posted: Wed Jun 10, 2015 1:37 am
by brentster
buergi wrote:As QNAP's sshd is crippled to only allow the admin to log in and Optware's sshd is already very old, I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.
pwilson wrote:Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?
Thanks Patrick.. I am now better informed!

Same question applies.. Will this survive a FW upgrade?

Re: [HOWTO] How to build openssh

Posted: Wed Jun 10, 2015 3:03 am
by pwilson
brentster wrote:
buergi wrote:As QNAP's sshd is crippled to only allow the admin to log in and Optware's sshd is already very old, I thought it would be time to build my own openssh daemon using the newest openssh 6.6p1.
pwilson wrote:Wouldn't it have been less work to simply install the QNAPware/Entware version that already exists?
Thanks Patrick.. I am now better informed!

Same question applies.. Will this survive a FW upgrade?
It should survive a FW upgrade.

I also am concerned that your method overwrites the QNAP one. I most definitely do not recommend doing that. In fact I recommend that you run "both" SSHd daemons (QNAP's and Entware's). See my previous post: Installing OpenSSH as default SSHd Server (but keeping QNAP's SSHD version active as well), and adapt those instructions to work with Entware rather than Optware.

Please read the entire thread, as there are security concerns if you use OpenSSH instead of QNAP's crippled version.