[HOWTO] openSSH installation cook book

mbalu
New here
Posts: 5
Joined: Tue Feb 23, 2010 6:11 am

Re: [HOWTO] openSSH installation cook book

Post by mbalu »

Hi all,

Thanks for that post ! (It also works with my TS-459) :D

:idea: a little tip to not change the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file each time you add a new user...
Just replace:

Code:

...
AllowUsers admin
...

by

Code:

...
# AllowUsers admin
AllowGroups administrators sshd
...

in '/mnt/HDA_ROOT/.config/ssh/sshd_config' file.

Then, you just need to add a group called 'sshd', and add it to users who are allowed to use SSH (you can do it from the QNAP administration interface).

Hoping that it will help someone...
BR/
Marc
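
Added example, not part of mbalu's post or of the QNAP firmware: a small POSIX sh audit that resolves which accounts the AllowGroups line above admits, and shows that an AllowUsers line left active still restricts them. The sample config, group and passwd contents and the account names marc, guest, backup and svc are constructed; sshd pattern syntax (*, ?, user@host) is not handled.

```shell
#!/bin/sh
# Added example: audit who an AllowGroups-based sshd_config lets in.
# Assumption: plain user/group names only, no sshd patterns.

# directive_values CONFIG KEYWORD -> values of every active (uncommented) line
directive_values() {
    awk -v k="$2" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# group_users GROUP GROUP_FILE PASSWD_FILE -> supplementary and primary members
group_users() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    if [ -n "$gid" ]; then awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"; fi
}

# ssh_allowed_users CONFIG GROUP_FILE PASSWD_FILE -> sorted list of admitted users
ssh_allowed_users() {
    named=$(directive_values "$1" AllowUsers)
    for g in $(directive_values "$1" AllowGroups); do
        group_users "$g" "$2" "$3"
    done | sort -u | while read -r u; do
        # sshd requires a match on every Allow* directive that is set, so an
        # AllowUsers line left active still shuts out other group members.
        if [ -z "$named" ] || printf '%s\n' "$named" | grep -qxF -- "$u"; then
            echo "$u"
        fi
    done
}

# Constructed sample files (not copied from a real NAS) so this runs offline.
make_sample() {
    printf '%s\n' '# AllowUsers admin' 'AllowGroups administrators sshd' > "$1/sshd_config"
    printf '%s\n' 'AllowUsers admin' 'AllowGroups administrators sshd' > "$1/sshd_config.both"
    printf '%s\n' 'administrators:x:0:admin' 'everyone:x:100:admin,marc,guest' \
        'sshd:x:1001:marc,backup' > "$1/group"
    printf '%s\n' 'admin:x:0:0::/root:/bin/sh' 'marc:x:500:100::/home/marc:/bin/sh' \
        'guest:x:501:100::/home/guest:/bin/sh' 'backup:x:502:100::/home/backup:/bin/sh' \
        'svc:x:503:1001::/home/svc:/bin/sh' > "$1/passwd"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "AllowUsers commented out:"; ssh_allowed_users "$tmp/sshd_config" "$tmp/group" "$tmp/passwd"
echo "AllowUsers left active:";   ssh_allowed_users "$tmp/sshd_config.both" "$tmp/group" "$tmp/passwd"
rm -rf "$tmp"
```

On a real box, point the three arguments at the live sshd_config, /etc/group and /etc/passwd to review the result before handing out membership of the 'sshd' group.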
spamalope
Starting out
Posts: 19
Joined: Sat Nov 21, 2009 4:33 am

Re: [HOWTO] openSSH installation cook book

Post by spamalope »

I had problems troubleshooting my configuration until I found instructions about how to run sshd in debug mode.

You can run a second sshd on a different port without stopping the current sshd, so testing doesn't require restarting processes.

Enable telnet and log into the nas with telnet.

Run this command '/usr/sbin/sshd -d -p 9876 -f /etc/ssh/sshd_config'

Make sure you specify the entire path to your sshd or sshd will complain and refuse to work. You can use the -f option to specify any config file. The -p option specifies the port number, -d turns on debug mode. You'll see a few pages of start-up information after you enter the command, and the terminal will stay in sshd until you hit 'ctrl-c' to cancel or you've connected and disconnected once.

On the client side, specify 9876 as the port number (-p from command line SSH). When you try to connect you'll see notices about what's happening in the telnet window.
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

moe
New here
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am

Re: [HOWTO] openSSH installation cook book

Post by moe »

Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
moe
New here
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am

Re: [HOWTO] openSSH installation cook book

Post by moe »

schumaku wrote:Use the one on this page, Wiki and the other one do cover the older TS-x09 systems.

The very best solution would be QNAP to remove this very unhappy "admin only" limitation as soon as possible, and update to the latest OpenSSH and OpenSSL code. Cannot be true customers have to replace such a key module.

-Kurt.

+1
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

moe wrote:Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
Strange, I have this installed on a TS-509 and a TS-459 with firmware version @ 3.3.0 Build 0607T. Are you sure you're installing it correctly? I would telnet into the box, if you can, and get some additional information if you can.
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

father_mande wrote:Hi,

Just for your information ...

/tmp/.boot_done don't exist in TS-x09 Arm series .... but exist now (last firmware in TS-x10, TS-x19 series)

Philippe.
Good to know. Feel free to mod the script, otherwise I will do so when I get some free time.
marsoupilami
Starting out
Posts: 15
Joined: Sat Jul 31, 2010 3:51 pm

Re: [HOWTO] openSSH installation cook book

Post by marsoupilami »

Yop

I had some problems because the /opt dir has been mounted very late at start-up.
So I modified the script to wait for the /opt dir to be available.

Here is the new script for my_install_openssh.sh:

Code:

#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
# ipkg update
# ipkg install openssh
# cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
# edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
# cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
# # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
# # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
# # by openSSH configuration and QNAP /usr/sbin/sshd daemon replaced
# # by openSSH daemon
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log

sleep 15 # let the system finish its startup tasks
# if you don't wait here, sshd will produce
# zombie process and all will go wrong

# stop the stock sshd and clear its lock file
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# depending on the target, mounting of /opt can be late
# so wait for /opt/sbin/sshd to become available,
# giving up after 30 seconds if it never appears
count=0
while [ ! -f /opt/sbin/sshd ]
do
  sleep 1
  count=$((count + 1))
  if [ "$count" -eq 30 ]
  then
    echo "/opt/sbin/sshd not found after 30 seconds" >> "$LOG"
    exit 1
  fi
done
echo "/opt/sbin/sshd found after $count seconds" >> "$LOG"

ps -ef|grep ssh|grep -v grep >> "$LOG" # this should produce no output, if everything is right

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig # keep the stock binary as a backup
cp /opt/sbin/sshd /usr/sbin/sshd
# get openSSH daemon in place

# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
# (it sets the setuid bit on /bin/login)
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start |tee -a "$LOG" # start the sshd
rm -f /tmp/my_install_openssh.sh # cleanup the rubbish

Now it's working fine with my TS219P

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D
Houba
TS-253D with 16GB memory
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

marsoupilami wrote:Yop

I had some problems because the /opt dir has been mounted very late at start-up.
So i had modified the script for waiting the /opt dir availability.

Now it's working fine with my TS219P

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D
Neither does the solution in the WIKI, at least it doesn't anymore. Not justifying one is better than the other, just clarifying a point.
joschum
New here
Posts: 8
Joined: Fri Dec 24, 2010 2:10 am

Re: [HOWTO] openSSH installation cook book

Post by joschum »

I have installed openssh on a TS439-PRO. Authentication using a public/private keypair has worked for a long time but somehow it does not work anymore. The output of ssh -v is:

...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <USERNAME>@amygdala
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/<USERNAME>/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

Any ideas how to resolve this issue?

The same key works for logging into another linux machine without problem.

joschum
Zophar
Getting the hang of things
Posts: 71
Joined: Fri Sep 17, 2010 3:06 pm
Location: Switzerland

Re: [HOWTO] openSSH installation cook book

Post by Zophar »

Petr wrote:
  • ...
    3, open SSH is not part of default installation
    ...
Well I've found that on my QNAP (419P):
[~] # /mnt/ext/usr/bin/openssl version
OpenSSL 0.9.7a Feb 19 2003

My question is:
- Should I be able to use it (I have some issue with config file which is easy to resolve)

I'm working on a .qpkg and I have to use openssl to generate a key and a certificate at install time. So I just want to ensure that openssl is or is not installed by default on QNAP systems (So I'm sure to use ipkg openssl as a dependency). Does someone have an answer?
tmt
Experience counts
Posts: 1006
Joined: Mon Nov 16, 2009 11:02 am

Re: [HOWTO] openSSH installation cook book

Post by tmt »

I don't think you should depend on anything in /mnt/ext, that's a private area used by the QNAP utilities. My SS-439 doesn't have a /mnt/ext/usr directory at all, for instance.

As for openssl, no the full package is not available on the stock NAS, but the ssh-keygen binary is present in /usr/bin and used by the system. If all you need is to generate keys and certs, I think you can count on using it.
SS-439, Ubuntu Server 12.04.3 LTS, EXT4, RAID10, 4xHitachi 5K1000
TS-112, 4.1.x Beta, EXT4, 1xHitachi 7K1000
micke
Experience counts
Posts: 1363
Joined: Sat Feb 06, 2010 2:42 pm
Location: Taipei, Taiwan

Re: [HOWTO] openSSH installation cook book

Post by micke »

tmt wrote:I don't think you should depend on anything in /mnt/ext, that's a private area used by the QNAP utilities.
On the 419P (and maybe on most other ARM devices) /usr is a symlink to /mnt/ext/usr. The RAM disk is not big enough to be able to store the system, so parts of the system are stored on the HDD volume (mounted on /mnt/ext).

Still, it would make more sense to use a /usr path than /mnt/ext/usr, e.g. '/usr/bin/openssl version'.

/Mike
falofolio
Getting the hang of things
Posts: 65
Joined: Thu Jun 25, 2009 6:55 pm

Re: [HOWTO] openSSH installation cook book

Post by falofolio »

Hi Petr

I managed to get your solution working on my TS-219P with Firmware v3.4.0 build 0212T. However, the only thing I needed to modify was the first 'sleep' command.

I had to set the 5 sec. to a much larger number (e.g. 240 sec) to get it working, because, as marsoupilami wrote, the /opt dir (see code below) is mounted very late at start-up.

Code:

cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place

To be sure, I also set the second sleep command to 15 sec. instead of 5 sec. However, I am not sure if that is necessary.


Thanks!
moleculezz
Know my way around
Posts: 108
Joined: Sat Nov 21, 2009 5:56 am

Re: [HOWTO] openSSH installation cook book

Post by moleculezz »

Is it possible to make this work by using this method?
I thought maybe I could add the login.sh script in /opt/etc/init.d/S01openssh or something and have it autorun from there.
Would this work?
TS-459 Pro+ || TS-419P II