[HOWTO] openSSH installation cook book
-
- Starting out
- Posts: 17
- Joined: Sun Sep 27, 2009 5:41 pm
Re: [HOWTO] openSSH installation cook book
removed by user 2010-02-09
see below
Last edited by antrisch on Tue Feb 09, 2010 10:12 pm, edited 1 time in total.
-
- Starting out
- Posts: 17
- Joined: Sun Sep 27, 2009 5:41 pm
Re: [HOWTO] openSSH installation cook book
Seems I'm talking to myself!!!
but I can't be happier, IT WORKS!!!!!
I had to change the sleep settings in my_install_openssh.sh to 15 instead of 5
I also changed the location of the file my_install_openssh.sh to a place where it doesn't get deleted
I chose this location /share/HDA_DATA/.qpkg/my_install_openssh.sh
p.s. if you try these changes, don't forget to change the autorun.sh so it points to the right directory of my_install_openssh.sh d.s.
/a
Last edited by antrisch on Tue Feb 09, 2010 10:13 pm, edited 1 time in total.
-
- Starting out
- Posts: 17
- Joined: Sun Sep 27, 2009 5:41 pm
Re: [HOWTO] openSSH installation cook book
OK, I think I'm starting to understand these scripts; they are quite ingenious.
What it actually does is copy/replace QNAP's ssh daemon with the OpenSSH daemon at start-up.
YES, I'm very new to Unix/Linux commands, but I'm an eager learner, so I would appreciate some more help!
------------------------- Part 1 for understanding of script, NEED CONFIRMATION PLEASE -------------------------
/usr/sbin/ this is the QNAP original ssh daemon (file name: sshd) which is moved and renamed to
(file name: sshd_orig) with the command
Code:
mv /usr/sbin/sshd /usr/sbin/sshd_orig
/share/HDA_DATA/.qkpg/sbin/sshd
e.g. this is the same location symbolic link folder
/opt/sbin/sshd "this is the OpenSSH daemon (file name: sshd) which substitutes/replaces the QNAP original sshd daemon with this command"
opt/ = /share/HDA_DATA/.qkpg/Optware/
Code:
cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place
Question:
Could someone verify that I have understood?
--------------------------------------------------- end of part 1 ----------------------------------------------------------------
-------------- Part 2 where to edit the OpenSSH sshd_config and security, NEED VERIFICATION AND HELP --------------
/mnt/HDA_ROOT/.config/ssh/ "In this folder I should change the settings of OpenSSH, the sshd_config. This file is copied to /etc/ssh/ (with the script at start-up); this is the command in the script"
Code:
cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
/etc/ssh/ "in this folder the config file gets replaced, see comment above"
Questions about security
Shouldn't the sshd_config file be secure, e.g. only admin has write/edit rights to this file?
If so,
the script my_install_openssh.sh, which has the command
Code:
cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
should also be secure, otherwise someone could change the script and copy their own settings file to etc/ssh
Isn't that right? If so, where should I place the script file so only admin has the right to edit the file?
Is this a good place? /share/HDA_DATA/.qpkg/ I tried to use /tmp/config/ but the file got erased at reboot, hence all the other posts in this forum.
------------------------------------------------------- end of part 2 -------------------------------------------------------------
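On the permissions question in Part 2: one way a boot script could confirm that the saved sshd_config and the directory holding it are writable only by the admin before copying it into place. This is an added example, not part of the thread's scripts; the function names admin_only and install_config are hypothetical, and the demo runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example, not one of the thread's scripts. Function names are hypothetical.

# admin_only PATH UID: succeed only if PATH exists, is not a symlink, is owned
# by UID, and is not writable by group or others.
admin_only() {
    ao_path=$1; ao_uid=$2
    [ -e "$ao_path" ] && [ ! -L "$ao_path" ] || return 1
    # "ls -ldn" prints the mode string in field 1 and the numeric owner in
    # field 3, e.g. "-rw-r--r-- 1 0 0 ...". Characters 6 and 9 of the mode
    # string are the group and other write bits.
    ls -ldn "$ao_path" | awk -v uid="$ao_uid" '
        { ok = ($3 == uid && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }
        END { exit (ok ? 0 : 1) }'
}

# install_config SRC DST UID: copy SRC over DST only if SRC and its directory
# pass admin_only, so an unprivileged user cannot swap in their own settings
# before the boot script copies the file as root.
install_config() {
    ic_src=$1; ic_dst=$2; ic_uid=$3
    admin_only "$ic_src" "$ic_uid" ||
        { echo "refusing $ic_src: wrong owner or mode" >&2; return 1; }
    admin_only "$(dirname "$ic_src")" "$ic_uid" ||
        { echo "refusing $ic_src: directory has wrong owner or mode" >&2; return 1; }
    cp "$ic_src" "$ic_dst" && chmod go-w "$ic_dst"
}

# On the NAS the call would be (assuming the admin account is uid 0):
#   install_config /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config 0

# Constructed demo in a scratch directory; no NAS paths are touched.
demo() {
    d=$(mktemp -d) || return 1
    me=$(id -u)
    printf 'AllowUsers admin\n' > "$d/sshd_config"
    chmod 600 "$d/sshd_config"
    install_config "$d/sshd_config" "$d/installed" "$me" && echo "mode 600: installed"
    chmod 666 "$d/sshd_config"
    install_config "$d/sshd_config" "$d/installed" "$me" || echo "mode 666: refused"
    rm -rf "$d"
}
demo
```

The same admin_only check applies to my_install_openssh.sh and autorun.sh, since both run as root at start-up.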
-
- Starting out
- Posts: 17
- Joined: Sun Sep 27, 2009 5:41 pm
Re: [HOWTO] openSSH installation cook book
Part 1: still need help and/or input
Part 2
Found out the answer by trial-and-error testing...
e.g. logged in as user and I can't edit the script or the config file, so I'm pretty sure they are safe
--------------------- Part 3 I want to understand which keys, NEED SOME EXPLANATION ------------------------
In my QNAP I have a symbolic link (folder) which is called opt/
This link folder directs me to /share/HDA_DATA/.qkpg/Optware/
e.g.
opt/ = /share/HDA_DATA/.qkpg/Optware/
I also found this link
/etc/config/ = /mnt/HDA_ROOT/.config/
and here is where I get confused
In these folders I can find config files and keys for ssh such as sshd_config & ssh_host_rsa_key.pub; for a detailed list please see below
These are the folders/"directories" I found
/share/HDA_DATA/.qkpg/Optware/etc/openssh
e.g. this is the same as opt/etc/openssh (I call it / name it directory 1)
But I can also find almost the same files in these folders; do I need all of these files?
/etc/ssh (I call it / name it directory 2)
/mnt/HDA_ROOT/.config/ssh (I call it / name it directory 3)
e.g. this is the same as /etc/config/ssh
I have read about the files on the OpenSSH site and I understand what they are for.
I assume that I have 2 sets of these files because I now have 2 ssh installed, but why do I have 3 sets?
Questions:
Can someone explain the purpose of 3 sets?
Do I need all of the files?
Which files are in use?
Can I delete some of the files, or is there no point in deleting the files?
In the directories I can find these files
----- directory 1: /share/HDA_DATA/.qkpg/Optware/etc/openssh -----
ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)
ssh_host_key.pub
ssh_host_key
ssh_config
moduli
-------------------------------------------------------------------------
----- directory 2: /etc/ssh -----
ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)
-------------------------------------------------------------------------
----- directory 3: /mnt/HDA_ROOT/.config/ssh -----
ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)
id_rsa.pub (link symbol on the file when I see it via WinSCP)
id_dsa.pub
id_rsa (link symbol on the file when I see it via WinSCP)
id_dsa
authorized_keys (this is the active file I linked to in the sshd_config)
-------------------------------------------------------------------------
------------------------------------------------------- end of part 3 -------------------------------------------------------------
- lucas72
- Moderator
- Posts: 369
- Joined: Wed Sep 19, 2007 11:23 pm
- Location: Rome - Italy
-
- New here
- Posts: 5
- Joined: Tue Feb 23, 2010 6:11 am
Re: [HOWTO] openSSH installation cook book
Hi all,
Thanks for that post! (It also works with my TS-459)
A little tip so you don't have to change the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file each time you add a new user...
Just replace:
Code:
...
AllowUsers admin
...
by
Code:
...
# AllowUsers admin
AllowGroups administrators sshd
...
in the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file.
Then, you just need to add a group called 'sshd', and add it to users who are allowed to use SSH (you can do it from the QNAP administration interface).
Hoping that it will help someone...
BR/
Marc
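What the two directives in the tip above do to individual accounts, as an added example that is not part of the original post. login_allowed is a hypothetical helper that applies sshd's rule that every Allow* directive present in the file must match, handling literal names only (no wildcards, Match blocks or Deny* lines); the accounts marc and guest and the group everyone are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Literal names only: no wildcards,
# no USER@HOST patterns, no Match blocks, no DenyUsers/DenyGroups.

# login_allowed CONFIG USER "GROUP1 GROUP2 ..."
# Exit status 0 if the AllowUsers and AllowGroups checks would both pass.
login_allowed() {
    awk -v user="$2" -v groups="$3" '
        /^[ \t]*#/ { next }                  # commented-out directives do not count
        { kw = tolower($1) }                 # keywords are case-insensitive
        kw == "allowusers"  { have_u = 1; for (i = 2; i <= NF; i++) if ($i == user) ok_u = 1 }
        kw == "allowgroups" { have_g = 1; for (i = 2; i <= NF; i++) allowed[$i] = 1 }
        END {
            n = split(groups, g, " ")
            for (i = 1; i <= n; i++) if (g[i] in allowed) ok_g = 1
            # A directive that is present must match; an absent one allows everyone.
            exit (((!have_u || ok_u) && (!have_g || ok_g)) ? 0 : 1)
        }' "$1"
}

# Constructed sample configs: the original line, the tip from the post, and a
# variant that leaves AllowUsers active next to AllowGroups.
tmp=$(mktemp -d)
printf 'AllowUsers admin\n' > "$tmp/orig"
printf '# AllowUsers admin\nAllowGroups administrators sshd\n' > "$tmp/tip"
printf 'AllowUsers admin\nAllowGroups administrators sshd\n' > "$tmp/both"

# check CONFIG USER GROUPS: print one result line
check() {
    if login_allowed "$tmp/$1" "$2" "$3"; then r=allowed; else r=denied; fi
    echo "$1: $2 ($3) -> $r"
}

for cfg in orig tip both; do
    check "$cfg" admin "administrators everyone"
    check "$cfg" marc  "everyone sshd"
    check "$cfg" guest "everyone"
done
rm -rf "$tmp"
```

The "both" case shows why the tip comments out AllowUsers: with it left active, a member of the sshd group is still refused.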
-
- Starting out
- Posts: 19
- Joined: Sat Nov 21, 2009 4:33 am
Re: [HOWTO] openSSH installation cook book
I had problems troubleshooting my configuration until I found instructions about how to run sshd in debug mode.
You can run a second sshd on a different port without stopping the current sshd, so testing doesn't require restarting processes.
Enable telnet and log into the nas with telnet.
Run this command '/usr/sbin/sshd -d -p 9876 -f /etc/ssh/sshd_config'
Make sure you specify the entire path to your sshd or sshd will complain and refuse to work. You can use the -f option to specify any config file. The -p option specifies the port number, -d turns on debug mode. You'll see a few pages of start-up information after you enter the command, and the terminal will stay in sshd until you hit 'ctrl-c' to cancel or you've connected and disconnected once.
On the client side, specify 9876 as the port number (-p from command line SSH). When you try to connect you'll see notices about what's happening in the telnet window.
-
- Getting the hang of things
- Posts: 63
- Joined: Fri Aug 21, 2009 6:54 am
-
- New here
- Posts: 7
- Joined: Thu Nov 12, 2009 1:18 am
Re: [HOWTO] openSSH installation cook book
Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
-
- New here
- Posts: 7
- Joined: Thu Nov 12, 2009 1:18 am
Re: [HOWTO] openSSH installation cook book
schumaku wrote:
Use the one on this page, Wiki and the other one do cover the older TS-x09 systems.
The very best solution would be QNAP to remove this very unhappy "admin only" limitation as soon as possible, and update to the latest OpenSSH and OpenSSL code. Cannot be true customers have to replace such a key module.
-Kurt.
+1
-
- Getting the hang of things
- Posts: 63
- Joined: Fri Aug 21, 2009 6:54 am
Re: [HOWTO] openSSH installation cook book
Strange, I have this installed on a TS-509 and a TS-459 with firmware version @ 3.3.0 Build 0607T. Are you sure you're installing it correctly? I would telnet into the box, if you can, and get some additional information if you can.
moe wrote:
Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
-
- Getting the hang of things
- Posts: 63
- Joined: Fri Aug 21, 2009 6:54 am
Re: [HOWTO] openSSH installation cook book
Good to know. Feel free to mod the script, otherwise I will do so when I get some free time.
father_mande wrote:
Hi,
Just for your information ...
/tmp/.boot_done doesn't exist in TS-x09 Arm series .... but exists now (last firmware in TS-x10, TS-x19 series)
Philippe.
- marsoupilami
- Starting out
- Posts: 15
- Joined: Sat Jul 31, 2010 3:51 pm
Re: [HOWTO] openSSH installation cook book
Yop
I had some problems because the /opt dir was mounted very late at start-up.
So I modified the script to wait for the /opt dir to be available.
Here is the new script for my_install_openssh.sh:
Code:
#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
#   ipkg update
#   ipkg install openssh
#   cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
#   edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
#   cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
#   # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
#   # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
#   # by openSSH configuration and QNAP /opt/sbin/sshd daemon replaced
#   # by openSSH daemon
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log
sleep 15 # let the system finish its startup tasks
         # if you don't wait here, sshd will produce
         # zombie process and all will go wrong
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
# depending on the target, mounting of /opt can be late
# so waiting for availability of /opt/sbin/sshd
# with a timeout in case of no sshd!
# note: the QNAP sshd was already stopped above, so if the
# timeout is hit the script exits with no sshd running
count=1
while [ ! -f /opt/sbin/sshd ]
do
    sleep 1
    count=$((count + 1))
    if [ "$count" -eq 30 ]
    then
        echo "/opt/sbin/sshd not found after 30 seconds" >> "$LOG"
        exit 1
    fi
done
echo "/opt/sbin/sshd found after $count seconds" >> "$LOG"
ps -ef | grep ssh | grep -v grep >> "$LOG" # this should produce no output, if everything is right
cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place
# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start | tee -a "$LOG" # start the sshd
rm -f /tmp/my_install_openssh.sh # clean up the rubbish
Now it's working fine with my TS219P
I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr
Houba
TS-253D with 16GB memory
-
- Getting the hang of things
- Posts: 63
- Joined: Fri Aug 21, 2009 6:54 am
Re: [HOWTO] openSSH installation cook book
Either does the solution in the WIKI, at least it doesn't anymore. Not justifying one is better than the other, just clarifying a point.
marsoupilami wrote:
Yop
I had some problems because the /opt dir was mounted very late at start-up.
So I modified the script to wait for the /opt dir to be available.
Here is the new script for my_install_openssh.sh:
...
Now it's working fine with my TS219P
I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr
-
- New here
- Posts: 8
- Joined: Fri Dec 24, 2010 2:10 am
Re: [HOWTO] openSSH installation cook book
I have installed openssh on a TS439-PRO. Authentication using a public/private keypair has worked for a long time but somehow it does not work anymore. The output of ssh -v is:
...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <USERNAME>@amygdala
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/<USERNAME>/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Any ideas how to resolve this issue?
The same key works for logging into another Linux machine without problem.
joschum