[HOWTO] openSSH installation cook book
Posted: Thu Jul 09, 2009 7:26 am
I have seen many posts in other discussions about how to install openSSH on a QNAP NAS - in my case, model 439.
None of them actually 100% worked well.
There are numerous problems to overcome.
1. QNAP OS is basically running on a RAM disk -> configuration files are not persistent.
2. Persistent configuration files are not readily available after the NAS is up.
3. openSSH is not part of the default installation.
- security: my primary, and only, reason is to be able to access the system as a user other than admin
- flexibility: you might want to use some ssh functionality such as tunneling etc. - you need to be able to configure stuff
- this solution is persistent through firmware updates
You don't get log entries for failed logins and they will not trigger an IP ban. Make sure your password can't be guessed.
An SSH login attempt will wake up the disc from hibernation, as it also does with the original ssh daemon.
How to install openSSH:
There are two scripts you will use:
- my_install_openssh.sh
- autorun.sh
Depending on your NAS platform, execute one of the mount commands below:
# mount /dev/sdx6 /tmp/config # on Intel x86 based QNAP 439, 509, 639, ...
# or
# mount /dev/mtdblock5 /tmp/config # on other processor architectures
Create/edit the scripts in the following locations:
- /tmp/config/my_install_openssh.sh
- /tmp/config/autorun.sh
chmod +x /tmp/config/autorun.sh # give execution permission !
sync; reboot # reboot the NAS
my_install_openssh.sh
#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
#   ipkg update
#   ipkg install openssh
#   cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
#   edit /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to the "AllowUsers" setting
#   cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
#   # do not worry about the old config - it comes back every time (from flash RAM ?) after reboot
#   # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
#   # by the openSSH configuration and the QNAP /usr/sbin/sshd daemon replaced
#   # by the openSSH daemon (/opt/sbin/sshd)
#
# the code below overwrites the default config after reboot
# with the openSSH config.
# this is necessary, because the system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log
SLEEP_COUNTER=0
SLEEP_MAX=480
# let the system finish its startup tasks. If you don't wait here, sshd will produce
# a zombie process and all will go wrong
# (POSIX test and arithmetic, so the loop works under any /bin/sh)
while [ ! -e /tmp/.boot_done ] && [ "$SLEEP_COUNTER" -le "$SLEEP_MAX" ]; do
    sleep 1; SLEEP_COUNTER=$((SLEEP_COUNTER + 1))
done
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
sleep 5 # sleep to let the sshd go gracefully down
date >>"$LOG" # log a timestamp (no backticks: they would run date's output as a command)
echo "ps -ef|grep ssh|grep -v grep" >>"$LOG"
ps -ef|grep ssh|grep -v grep >>"$LOG" # this should produce no output, if everything is right
cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
ln -s /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place
# this chmod is here to allow users other than admin to run commands
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start | tee -a "$LOG" # start the sshd
date >>"$LOG"
rm -f /tmp/my_install_openssh.sh # clean up the rubbish
If the file /tmp/config/autorun.sh does not exist, you can create it with the command
cat >/tmp/config/autorun.sh
or use your favourite editor to add the two crucial lines below to /tmp/config/autorun.sh
autorun.sh
#!/bin/sh
#
# my_install_openssh.sh has to be executed in the background, deferring its run until after autorun.sh, because
# /opt/sbin is not available during execution of /tmp/config/autorun.sh on QNAP 439, Firmware 3.1.0 Build 0627T
# furthermore, killing sshd results in a zombie process
#
F=my_install_openssh.sh; cp /tmp/config/"$F" /tmp/; chmod +x /tmp/"$F"
/tmp/my_install_openssh.sh &
How to roll back this solution
Depending on whether you created /tmp/config/autorun.sh or added lines to it - remove the file or the lines from it and reboot the NAS.
First aid
If you screw something up, remember, you can use telnet or restart the daemon from the web interface.
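Because failed logins are neither logged nor banned with this setup, it is worth auditing the persistent sshd_config before my_install_openssh.sh copies it into place. The script below is an added example, not part of the original post: the function names, the sample config and the keys-only policy are assumptions, and it only handles the whitespace-separated `Keyword value` form.

```shell
#!/bin/sh
# Added example, not from the original post: audit the persistent sshd_config.

# Print the first global value of keyword $2 in file $1. sshd keywords are
# case-insensitive; parsing stops at the first Match block, whose settings
# apply only conditionally.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if the config passes, 1 otherwise; findings go to stdout.
audit_sshd_config() {
    cfg=$1; rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is not set, login is not limited to named users"; rc=1
    fi

    # OpenSSH treats PasswordAuthentication as "yes" when the keyword is absent.
    pw=$(sshd_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: password logins are enabled (assumed policy: keys only)"; rc=1
    fi
    return $rc
}

# Dry run on a constructed sample (not a real NAS file).
sample=/tmp/sshd_config.sample.$$
printf '%s\n' '# constructed sample' 'Port 22' \
    'allowusers alice bob' 'PasswordAuthentication no' >"$sample"
audit_sshd_config "$sample" && echo "OK: sample config passes"
rm -f "$sample"

# On the NAS (path from the post):
# audit_sshd_config /mnt/HDA_ROOT/.config/ssh/sshd_config
```

If you keep password logins, drop the second check and rely on AllowUsers plus a strong password, as the post advises.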