[HOWTO] openSSH installation cook book

Petr
New here
Posts: 8
Joined: Thu Jul 09, 2009 5:40 am

[HOWTO] openSSH installation cook book

Post by Petr »

I have seen many posts in other discussions about how to install openSSH on a QNAP NAS - in my case model 439.
None of them actually worked 100% well.
There are numerous problems to overcome:
  • 1, QNAP OS is basically running on a RAM disk -> configuration files are not persistent.
  • 2, persistent configuration files are not readily available after the NAS is up
  • 3, openSSH is not part of the default installation
Why you might want openSSH to be installed
  • security: primary, and my only reason - to be able to use a user other than admin to access the system
  • flexibility: you might want to use some ssh functionality such as tunneling etc. - you need to be able to configure stuff
  • this solution is persistent through firmware updates
Why you might NOT want openSSH to be installed
  • You don't get log entries for failed logins and they will not trigger an IP ban. Make sure your password can't be guessed.
  • SSH login attempts will wake up the disk from hibernation, as well as with the original ssh daemon.

How to install openSSH:
There are two scripts you will use:
  • my_install_openssh.sh
  • autorun.sh

Depending on your NAS platform, execute one of the mount commands below:
# mount /dev/sdx6 /tmp/config # on Intel x86 based QNAP 439, 509, 639, ...
# or
# mount /dev/mtdblock5 /tmp/config # on other processor architectures

Create/edit the scripts in the following locations:
  • /tmp/config/my_install_openssh.sh
  • /tmp/config/autorun.sh
chmod +x /tmp/config/autorun.sh # give execution permission !
sync; reboot # reboot the NAS
script code:
my_install_openssh.sh

#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
# ipkg update
# ipkg install openssh
# cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
# edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
# cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
# # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
# # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
# # by openSSH configuration and QNAP /opt/sbin/sshd daemon replaced
# # by openSSH daemon
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log
SLEEP_COUNTER=0
SLEEP_MAX=480


# let the system finish its startup tasks. If you don't wait here, sshd will produce
# zombie process and all will go wrong
# (plain [ ] tests and $(( )) arithmetic so the loop also works when /bin/sh is not bash)
while [ ! -e /tmp/.boot_done ] && [ "$SLEEP_COUNTER" -le "$SLEEP_MAX" ]; do
    sleep 1; SLEEP_COUNTER=$((SLEEP_COUNTER + 1))
done

/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

sleep 5 # sleep to let the sshd go gracefully down
date >>"$LOG" # write a timestamp to the log
echo "ps -ef|grep ssh|grep -v grep" >>"$LOG"
ps -ef|grep ssh|grep -v grep >>"$LOG" # this should produce no output, if everything is right

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
ln -s /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place


# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start |tee -a "$LOG" # start the sshd
date >>"$LOG" # write a timestamp to the log
rm -f /tmp/my_install_openssh.sh # cleanup the rubbish


If the file /tmp/config/autorun.sh does not exist, you can use the command
cat >/tmp/config/autorun.sh
or use your favourite editor to add the two crucial lines below to /tmp/config/autorun.sh

autorun.sh
#!/bin/sh
#
# my_install_openssh.sh has to be executed on background and defer its run after autorun.sh, because
# /opt/sbin is not available during execution of /tmp/config/autorun.sh on QNAP 439, Firmware 3.1.0 Build 0627T
# furthermore kill of sshd results into zombie process
#
F=my_install_openssh.sh; cp /tmp/config/"$F" /tmp/; chmod +x /tmp/"$F"
/tmp/my_install_openssh.sh &

How to rollback this solution
Depending on whether you created /tmp/config/autorun.sh or added lines there - remove the file or lines from it and reboot the NAS.
first aid
If you screw something up, remember, you can use telnet or restart daemon from web interface.
Last edited by Petr on Thu Nov 01, 2012 4:54 am, edited 2 times in total.
myamanari
First post
Posts: 1
Joined: Mon Oct 12, 2009 1:14 am

Re: [HOWTO] openSSH installation cook book

Post by myamanari »

On my TS-639 Pro, it works when the first sleep in my_install_openssh.sh is extended to 15 sec.
Thank you for your great script!
moe
New here
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am

Re: [HOWTO] openSSH installation cook book

Post by moe »

It worked on a ts-239 pro, too.
Thanks for posting your scripts.
falofolio
Getting the hang of things
Posts: 65
Joined: Thu Jun 25, 2009 6:55 pm

Re: [HOWTO] openSSH installation cook book

Post by falofolio »

Hi Petr

Many thanks for sharing this with us. As I am a newbie to this matter, two questions:

1.) Do I need to activate the ssh service in the webinterface beforehand or afterwards? Or just don't touch it, because it will be activated anyway with the scripts you present here?
2.) Do I need to go through this cook book, again, after upgrading the firmware of my Qnap?


Ciao!
portseven
New here
Posts: 4
Joined: Sat Nov 21, 2009 6:13 am

Re: [HOWTO] openSSH installation cook book

Post by portseven »

Anyone tried this on a TS-210?
arcatdmz
First post
Posts: 1
Joined: Tue Jan 19, 2010 3:50 pm

Re: [HOWTO] openSSH installation cook book

Post by arcatdmz »

I had to add

Code: Select all

echo "sshd : ALL" >>/etc/hosts.allow
before

Code: Select all

/etc/init.d/login.sh start |tee -a $LOG # start the sshd
of "my_install_openssh.sh" to get this solution to work on my TS-239 Pro.

Without adding the line in hosts.allow, I got "ssh_exchange_identification: Connection closed by remote host." error.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

Hi
I want to install OpenSSH to be able to login as user e.g. not admin

Would this script work on TS-459?

2nd question;
how come that there are so many different ways of installing OpenSSH, which one is the safest and best suited for the TS-459?

i have found
1. this site / script
2. http://blog.jameslick.com/?p=1090
3. http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH

Grateful for any input
/A
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: [HOWTO] openSSH installation cook book

Post by schumaku »

Use the one on this page, Wiki and the other one do cover the older TS-x09 systems.

The very best solution would be QNAP to remove this very unhappy "admin only" limitation as soon as possible, and update to the latest OpenSSH and OpenSSL code. Cannot be true customers have to replace such a key module.

-Kurt.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

OK now i have tried to follow the instruction on my QNAP TS-459 above but something goes wrong

when i try to connect i get connection refused
I found out what the problem was so i edited my comment 2010-02-09


/A
Last edited by antrisch on Tue Feb 09, 2010 10:08 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

edit my comment 2010-02-09, found the solution myself

No one that could give me some hints, what could be wrong or what to do!

I really want the openSSH to work

/A
Last edited by antrisch on Tue Feb 09, 2010 10:09 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

removed by user 2010-02-09
see below
Last edited by antrisch on Tue Feb 09, 2010 10:12 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

Seems I'm talking to myself!!!

but i can't be happier IT WORKS!!!!! :D


i had to change the sleep settings in my_install_openssh.sh to 15 instead of 5

i also changed the location of the file my_install_openssh.sh to a place where it doesn't get deleted
i chose this location /share/HDA_DATA/.qpkg/my_install_openssh.sh

p.s if you try these changes don't forget to change the autorun.sh so it points to the right directory of my_install_openssh.sh d.s

/a
Last edited by antrisch on Tue Feb 09, 2010 10:13 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

OK I think I'm starting to understand these scripts, they are quite ingenious

What it actually does is to copy/replace QNAP's ssh daemon with the OpenSSH daemon at start up

YES I’m very new to Unix/Linux commands :D but I’m an eager learner so i would appreciate some more help!


------------------------- Part 1 for understanding of script, NEED CONFIRMATION PLEASE -------------------------

/usr/sbin/ this is the qnap original ssh daemon (file name: sshd) which is moved and changed name to
(file name: sshd_orig) with the command

Code: Select all

mv /usr/sbin/sshd /usr/sbin/sshd_orig
/share/HDA_DATA/.qpkg/sbin/sshd
e.g. this is the same location symbolic link folder
opt/ = /share/HDA_DATA/.qpkg/Optware/
/opt/sbin/sshd "this is the OpenSSH daemon (file name: sshd) which substitutes/replaces the qnap original sshd daemon" with this command

Code: Select all

cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place
Question:
Could someone verify that I have understood.

--------------------------------------------------- end of part 1 ----------------------------------------------------------------



-------------- Part 2 where to edit the OpenSSH sshd_config and security, NEED VERIFICATION AND HELP --------------

/mnt/HDA_ROOT/.config/ssh/ "In this folder I should change the settings of openssh, the sshd_config; this file is copied to /etc/ssh/ (with script at start up)", this is the command in the script

Code: Select all

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
/etc/ssh/ "in this folder the config file gets replaced see comment above"


Questions about security

shouldn’t the sshd_config file be secure e.g. only admin has write/edit rights to this file

if so

the script my_install_openssh.sh which has the command

Code: Select all

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
should also be secure otherwise someone could change the script and copy their own settings file to etc/ssh

isn’t that right? if so where should I place the script file so only admin has the right to edit the file

is this a good place? /share/HDA_DATA/.qpkg/ I tried to use the /tmp/config/ but the file got erased at reboot. hence all the other posts in this forum

------------------------------------------------------- end of part 2 -------------------------------------------------------------
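
The Part 2 question above, and the root-run copy step in the first post's my_install_openssh.sh, both come down to whether a non-admin user can modify a file that the boot sequence executes or copies as root. As an added example that is not part of the thread or of any QNAP tooling, this POSIX shell script checks owner and write bits on those files and their directories and confirms that sshd_config carries an AllowUsers line; the function names, the expected-owner argument and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit files the boot sequence runs or copies as root.

# not_tamperable UID PATH: true if PATH is owned by UID with no group/other write bit.
# Symlinks show mode lrwxrwxrwx on Linux, so they fail here as well.
not_tamperable() {
    want_uid=$1
    # ls -ldn prints "mode links uid gid ..." with numeric ids
    set -- $(ls -ldn "$2" 2>/dev/null)
    [ $# -ge 3 ] || return 1                 # path missing
    [ "$3" = "$want_uid" ] || return 1       # unexpected owner
    case $1 in
        ?????w*|????????w*) return 1 ;;      # group- or world-writable
    esac
    return 0
}

# boot_file_ok UID FILE: the directory counts too, because write access to it
# lets another user replace FILE outright.
boot_file_ok() {
    not_tamperable "$1" "$2" && not_tamperable "$1" "$(dirname "$2")"
}

# has_allowusers CONFIG: true if an uncommented AllowUsers line names a user.
has_allowusers() {
    grep -Eiq '^[[:space:]]*AllowUsers[[:space:]=]+[^[:space:]]' "$1"
}

# audit UID CONFIG SCRIPT...: print findings; exit status is the number of problems.
audit() {
    uid=$1; cfg=$2; shift 2; problems=0
    for f in "$cfg" "$@"; do
        boot_file_ok "$uid" "$f" || { echo "UNSAFE: $f"; problems=$((problems + 1)); }
    done
    has_allowusers "$cfg" || { echo "NO AllowUsers: $cfg"; problems=$((problems + 1)); }
    return "$problems"
}

# Demo on a constructed tree standing in for /tmp/config and /mnt/HDA_ROOT/.config/ssh.
# On the NAS the expected owner is assumed to be uid 0; here it is the current user.
demo=$(mktemp -d)
printf 'Port 22\nAllowUsers alice\n' >"$demo/sshd_config"
printf '#!/bin/sh\n' >"$demo/autorun.sh"
chmod 644 "$demo/sshd_config"; chmod 755 "$demo/autorun.sh"
audit "$(id -u)" "$demo/sshd_config" "$demo/autorun.sh" && echo "clean"
chmod o+w "$demo/autorun.sh"    # simulate a boot script any user can edit
audit "$(id -u)" "$demo/sshd_config" "$demo/autorun.sh" || echo "problems: $?"
rm -rf "$demo"
```

On the NAS itself the call would pass 0 as the owner and the real paths from the first post; a non-zero exit status means at least one file in the chain can be changed by someone other than that owner, or the config allows every account to log in.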
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

part 1 still need help and/or input


Part 2
found out the answer by trial and error test... :D
e.g logged in as user and i can't edit the script or the config file so I'm pretty sure they are safe

--------------------- Part 3 I want to understand which keys, NEED SOME EXPLANATION ------------------------


in my qnap I have a symbolic link (folder) which is called opt/

this link folder directs me to /share/HDA_DATA/.qpkg/Optware/

e.g.

opt/ = /share/HDA_DATA/.qpkg/Optware/

i also found this link


/etc/config/ = /mnt/HDA_ROOT/.config/


and here is where I get confused :?:


In these folders I can find config file and keys for ssh such as sshd_config & ssh_host_rsa_key.pub, for a detailed list please see below

these are the folders/ "directories" i found


/share/HDA_DATA/.qpkg/Optware/etc/openssh
e.g. this is the same opt/etc/openssh ( i call it / name it directory 1)



But I can also find almost the same files in these folders do I need all of these files?


/etc/ssh ( i call it / name it directory 2)


/mnt/HDA_ROOT/.config/ssh ( i call it / name it directory 3)

e.g this is the same /etc/config/ssh


I have read about the files on the openssh site and I understand what they are for.

I assume that I have 2 sets of these files because I now have 2 ssh installed but why do I have 3 sets?

Questions:
Can someone explain the purpose of 3 sets?
Do I need all of the files?
which files are in use?
Can I delete some of the files or is there no point to delete the files?


in the directories i can find these files

----- directory 1: /share/HDA_DATA/.qpkg/Optware/etc/openssh -----


ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)

ssh_host_key.pub
ssh_host_key
ssh_config
moduli
-------------------------------------------------------------------------


---- directory 2: /etc/ssh -----
ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)
-------------------------------------------------------------------------


----- directory 3: /mnt/HDA_ROOT/.config/ssh -----

ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)

id_rsa.pub (link symbol on the file when i see it via winscp)
id_dsa.pub
id_rsa (link symbol on the file when i see it via winscp)
id_dsa
authorized_keys (this is the active file i linked to in the sshd_config)
-------------------------------------------------------------------------

------------------------------------------------------- end of part 3 -------------------------------------------------------------
lucas72
Moderator
Posts: 369
Joined: Wed Sep 19, 2007 11:23 pm
Location: Rome - Italy

Re: [HOWTO] openSSH installation cook book

Post by lucas72 »

Maybe this might help...