[HOWTO] openSSH installation cook book

antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

removed by user 2010-02-09
see below
Last edited by antrisch on Tue Feb 09, 2010 10:12 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

Seems I'm talking to myself!!!

But I can't be happier, IT WORKS!!!!! :D


I had to change the sleep setting in my_install_openssh.sh to 15 instead of 5.

I also changed the location of the file my_install_openssh.sh to a place where it doesn't get deleted;
I chose this location: /share/HDA_DATA/.qpkg/my_install_openssh.sh

P.S. If you try these changes, don't forget to change autorun.sh so it points to the right directory of my_install_openssh.sh. D.S.

/a
Last edited by antrisch on Tue Feb 09, 2010 10:13 pm, edited 1 time in total.
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

OK, I think I'm starting to understand these scripts; they are quite ingenious.

What it actually does is copy/replace QNAP's ssh daemon with the OpenSSH daemon at start-up.

YES, I'm very new to Unix/Linux commands :D but I'm an eager learner, so I would appreciate some more help!


------------------------- Part 1: my understanding of the script, NEED CONFIRMATION PLEASE -------------------------

/usr/sbin/ : this is the QNAP original ssh daemon (file name: sshd), which is moved and renamed to
(file name: sshd_orig) with the command

mv /usr/sbin/sshd /usr/sbin/sshd_orig

/share/HDA_DATA/.qpkg/sbin/sshd : e.g. this is the same location, reached via the symbolic link folder
opt/ = /share/HDA_DATA/.qpkg/Optware/

/opt/sbin/sshd : "this is the OpenSSH daemon (file name: sshd) which substitutes/replaces the QNAP original sshd daemon" with this command

cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place

Question:
Could someone verify that I have understood?

--------------------------------------------------- end of part 1 ----------------------------------------------------------------



-------------- Part 2: where to edit the OpenSSH sshd_config, and security; NEED VERIFICATION AND HELP --------------

/mnt/HDA_ROOT/.config/ssh/ : "In this folder I should change the settings of OpenSSH (the sshd_config); this file is copied to /etc/ssh/ (by the script at start-up). This is the command in the script:"

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config

/etc/ssh/ : "in this folder the config file gets replaced, see comment above"


Questions about security

Shouldn't the sshd_config file be secured, e.g. only admin has write/edit rights to this file?

If so,

the script my_install_openssh.sh, which has the command

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config

should also be secured, otherwise someone could change the script and copy their own settings file to /etc/ssh.

Isn't that right? If so, where should I place the script file so that only admin has the right to edit the file?

Is this a good place? /share/HDA_DATA/.qpkg/ I tried to use /tmp/config/ but the file got erased at reboot, hence all the other posts in this forum.

------------------------------------------------------- end of part 2 -------------------------------------------------------------
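For the question above about who can edit the config and the startup script: here is an added example (written for this thread, not code from the thread, from QNAP or from OpenSSH) of a small POSIX sh audit that walks the files the boot-time swap depends on and reports any that are group- or world-writable, or not owned by uid 0 (admin on a QNAP NAS is uid 0). It also checks the directory each file sits in, since anyone who can write the directory can replace the file. The path list at the bottom is only an assumed default built from the paths mentioned in this thread; adjust it to where your copies actually live.

```shell
#!/bin/sh
# Added example: audit write permissions on the files the boot-time sshd swap relies on.
# Not from the thread; the path list in audit_chain is an assumed default.

# group_or_world_writable PATH -> exit 0 (true) when group or others have the write bit.
# Parsed from "ls -ld" (-rwxrwxrwx: column 6 is group write, column 9 is other write),
# which works the same in busybox and GNU coreutils.
group_or_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    g=$(printf '%s' "$perms" | cut -c6)
    o=$(printf '%s' "$perms" | cut -c9)
    [ "$g" = "w" ] || [ "$o" = "w" ]
}

# owner_uid PATH -> numeric uid of the owner (third column of "ls -ln")
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# check_secure_file PATH
#   0 = file and its directory are owned by uid 0 and only the owner can write
#   1 = a problem was found (one line per finding on stdout)
#   2 = file does not exist
check_secure_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "MISSING   $f"
        return 2
    fi
    dir=$(dirname "$f")
    rc=0
    for p in "$f" "$dir"; do
        if group_or_world_writable "$p"; then
            echo "WRITABLE  $p (group or others can modify it)"
            rc=1
        fi
        if [ "$(owner_uid "$p")" != "0" ]; then
            echo "NOT UID 0 $p (owner uid $(owner_uid "$p"))"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK        $f"
    return "$rc"
}

# audit_chain -> runs the check over every file in the swap chain; exit status is
# non-zero if any of them failed. Paths are an assumed default taken from this thread;
# /tmp/config/autorun.sh is where QNAP keeps autorun.sh, adjust if yours differs.
audit_chain() {
    bad=0
    for f in /tmp/config/autorun.sh \
             /share/HDA_DATA/.qpkg/my_install_openssh.sh \
             /mnt/HDA_ROOT/.config/ssh/sshd_config \
             /etc/ssh/sshd_config; do
        check_secure_file "$f" || bad=1
    done
    return "$bad"
}

# Run the audit only when invoked as "sh audit_chain.sh audit", so the file can also be sourced.
[ "${1:-}" = "audit" ] && audit_chain
```

Run it over telnet or ssh as admin right after applying the script; a WRITABLE line on the script or on /mnt/HDA_ROOT/.config/ssh/sshd_config means a non-admin account could plant its own config for the next reboot, which is exactly the concern raised in part 2.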
antrisch
Starting out
Posts: 17
Joined: Sun Sep 27, 2009 5:41 pm

Re: [HOWTO] openSSH installation cook book

Post by antrisch »

Part 1 still needs help and/or input.


Part 2
Found out the answer by trial-and-error testing... :D
e.g. logged in as a user and I can't edit the script or the config file, so I'm pretty sure they are safe.

--------------------- Part 3: I want to understand which keys, NEED SOME EXPLANATION ------------------------


In my QNAP I have a symbolic link (folder) which is called opt/

This link folder directs me to /share/HDA_DATA/.qpkg/Optware/

e.g.

opt/ = /share/HDA_DATA/.qpkg/Optware/

I also found this link


/etc/config/ = /mnt/HDA_ROOT/.config/


And here is where I get confused :?:


In these folders I can find config files and keys for ssh such as sshd_config & ssh_host_rsa_key.pub; for a detailed list please see below.

These are the folders/"directories" I found:


/share/HDA_DATA/.qpkg/Optware/etc/openssh
e.g. this is the same as opt/etc/openssh (I call it / name it directory 1)



But I can also find almost the same files in these folders; do I need all of these files?


/etc/ssh (I call it / name it directory 2)


/mnt/HDA_ROOT/.config/ssh (I call it / name it directory 3)

e.g. this is the same as /etc/config/ssh


I have read about the files on the OpenSSH site and I understand what they are for.

I assume that I have 2 sets of these files because I now have 2 ssh installed, but why do I have 3 sets?

Questions:
Can someone explain the purpose of 3 sets?
Do I need all of the files?
Which files are in use?
Can I delete some of the files, or is there no point in deleting the files?


In the directories I can find these files:

----- directory 1: /share/HDA_DATA/.qpkg/Optware/etc/openssh -----


ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)

ssh_host_key.pub
ssh_host_key
ssh_config
moduli
-------------------------------------------------------------------------


----- directory 2: /etc/ssh -----
ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)
-------------------------------------------------------------------------


----- directory 3: /mnt/HDA_ROOT/.config/ssh -----

ssh_host_rsa_key.pub (in all 3 directories)
ssh_host_dsa_key.pub (in all 3 directories)
sshd_config (in all 3 directories)
ssh_host_rsa_key (in all 3 directories)
ssh_host_dsa_key (in all 3 directories)

id_rsa.pub (link symbol on the file when I see it via WinSCP)
id_dsa.pub
id_rsa (link symbol on the file when I see it via WinSCP)
id_dsa
authorized_keys (this is the active file I linked to in the sshd_config)
-------------------------------------------------------------------------

------------------------------------------------------- end of part 3 -------------------------------------------------------------
lucas72
Moderator
Posts: 369
Joined: Wed Sep 19, 2007 11:23 pm
Location: Rome - Italy

Re: [HOWTO] openSSH installation cook book

Post by lucas72 »

Maybe this might help...
mbalu
New here
Posts: 5
Joined: Tue Feb 23, 2010 6:11 am

Re: [HOWTO] openSSH installation cook book

Post by mbalu »

Hi all,

Thanks for that post ! (It also works with my TS-459) :D

:idea: a little tip to not change the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file each time you add a new user...
Just replace:

...
AllowUsers admin
...

with

...
# AllowUsers admin
AllowGroups administrators sshd
...

in the '/mnt/HDA_ROOT/.config/ssh/sshd_config' file.

Then, you just need to add a group called 'sshd', and add it to users who are allowed to use SSH (you can do it from the QNAP administration interface).

Hoping that it will help someone...
BR/
Marc
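Marc's tip moves the access decision from AllowUsers to AllowGroups, and since the boot script copies this file over the live config without looking at it, a typo in that one line locks admin out until the next reboot with a corrected file. Here is an added example (written for this thread; it is not code from the thread, from QNAP or from OpenSSH) of a POSIX sh pre-flight check that reads a candidate sshd_config, applies the evaluation order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and reports whether a given account with a given group list would still be accepted. It handles plain names and shell-style wildcards; user@host patterns and Match blocks are assumed out of scope. The sample config and the group memberships at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check which accounts a candidate sshd_config
# would let through the Deny/Allow filters before it is copied over the live config.
# Evaluation order follows sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# Limitations (assumed acceptable here): no user@host patterns, no Match blocks.

set -f   # keep '*' in directive values from being expanded against the filesystem

# directive_values CONFIG KEYWORD -> prints every value given to KEYWORD
# (keyword match is case-insensitive, commented-out lines are ignored)
directive_values() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# matches_any NAME PATTERN... -> true if NAME matches one of the shell-style PATTERNs
matches_any() {
    name="$1"; shift
    for pat in "$@"; do
        case "$name" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# any_group_matches "GROUP GROUP..." PATTERN... -> true if any group matches a pattern
any_group_matches() {
    glist="$1"; shift
    for g in $glist; do
        matches_any "$g" "$@" && return 0
    done
    return 1
}

# user_allowed CONFIG USER "GROUP GROUP..." -> 0 if sshd would accept USER, 1 if not
user_allowed() {
    cfg="$1"; user="$2"; glist="$3"
    deny_u=$(directive_values "$cfg" DenyUsers)
    allow_u=$(directive_values "$cfg" AllowUsers)
    deny_g=$(directive_values "$cfg" DenyGroups)
    allow_g=$(directive_values "$cfg" AllowGroups)

    # DenyUsers wins over everything else
    if [ -n "$deny_u" ] && matches_any "$user" $deny_u; then return 1; fi
    # with AllowUsers present, only listed users may continue
    if [ -n "$allow_u" ] && ! matches_any "$user" $allow_u; then return 1; fi
    # then group denial ...
    if [ -n "$deny_g" ] && any_group_matches "$glist" $deny_g; then return 1; fi
    # ... and finally group allow-listing
    if [ -n "$allow_g" ] && ! any_group_matches "$glist" $allow_g; then return 1; fi
    return 0
}

# report CONFIG USER "GROUP GROUP..." -> one line per account, for a quick pre-flight
report() {
    if user_allowed "$1" "$2" "$3"; then
        echo "ALLOWED  $2 (groups: $3)"
    else
        echo "REJECTED $2 (groups: $3)"
    fi
}

# Constructed sample: the AllowGroups variant from the tip above, written to a temp file
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
# AllowUsers admin
AllowGroups administrators sshd
EOF

# Constructed memberships: admin is in "administrators", marc was added to "sshd",
# guest is in neither, so only the first two should come out ALLOWED
report "$SAMPLE_CFG" admin "administrators everyone"
report "$SAMPLE_CFG" marc  "everyone sshd"
report "$SAMPLE_CFG" guest "everyone"
rm -f "$SAMPLE_CFG"
```

Point it at /mnt/HDA_ROOT/.config/ssh/sshd_config with the groups of your real admin account (id -Gn admin on the NAS) before each reboot; a REJECTED line for admin means the next boot will copy a config that locks you out of ssh, and you still have time to fix it over the existing session.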
spamalope
Starting out
Posts: 19
Joined: Sat Nov 21, 2009 4:33 am

Re: [HOWTO] openSSH installation cook book

Post by spamalope »

I had problems troubleshooting my configuration until I found instructions about how to run sshd in debug mode.

You can run a second sshd on a different port without stopping the current sshd, so testing doesn't require restarting processes.

Enable telnet and log into the NAS with telnet.

Run this command '/usr/sbin/sshd -d -p 9876 -f /etc/ssh/sshd_config'

Make sure you specify the entire path to your sshd or sshd will complain and refuse to work. You can use the -f option to specify any config file. The -p option specifies the port number, -d turns on debug mode. You'll see a few pages of start-up information after you enter the command, and the terminal will stay in sshd until you hit 'ctrl-c' to cancel or you've connected and disconnected once.

On the client side, specify 9876 as the port number (-p from command line SSH). When you try to connect you'll see notices about what's happening in the telnet window.
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

moe
New here
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am

Re: [HOWTO] openSSH installation cook book

Post by moe »

Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
moe
New here
Posts: 7
Joined: Thu Nov 12, 2009 1:18 am

Re: [HOWTO] openSSH installation cook book

Post by moe »

schumaku wrote:Use the one on this page, Wiki and the other one do cover the older TS-x09 systems.

The very best solution would be QNAP to remove this very unhappy "admin only" limitation as soon as possible, and update to the latest OpenSSH and OpenSSL code. Cannot be true customers have to replace such a key module.

-Kurt.

+1
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

moe wrote:Hi,
I'm afraid this workaround generates some issues after updating the firmware to v.3.3.0.
Please see the following post:
http://forum.qnap.com/viewtopic.php?f=1 ... 45&start=0
Strange, I have this installed on a TS-509 and a TS-459 with firmware version @ 3.3.0 Build 0607T. Are you sure you're installing it correctly? I would telnet into the box, if you can, and get some additional information if you can.
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

father_mande wrote:Hi,

Just for your information ...

/tmp/.boot_done doesn't exist in the TS-x09 ARM series .... but exists now (latest firmware in the TS-x10, TS-x19 series)

Philippe.
Good to know. Feel free to mod the script, otherwise I will do so when I get some free time.
marsoupilami
Starting out
Posts: 15
Joined: Sat Jul 31, 2010 3:51 pm

Re: [HOWTO] openSSH installation cook book

Post by marsoupilami »

Yop

I had some problems because the /opt dir is mounted very late at start-up.
So I modified the script to wait for the /opt dir to become available.

Here is the new script for my_install_openssh.sh:


#!/bin/sh
#
# PURPOSE: start of openSSH daemon on QNAP 439 NAS
#
# PREREQUISITE:
# steps to install openSSH:
# ipkg update
# ipkg install openssh
# cp /etc/ssh/sshd_config /mnt/HDA_ROOT/.config/ssh/
# edit the /mnt/HDA_ROOT/.config/ssh/sshd_config, add users to "AllowUsers" setting
# cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh
# # do not worry about old config - it's coming every time (from flash RAM ?) after reboot
# # in fact - after every reboot /etc/ssh/sshd_config needs to be overwritten
# # by the openSSH configuration, and the QNAP /usr/sbin/sshd daemon replaced
# # by the openSSH daemon from /opt/sbin/sshd
#
# the code below rewrites the default config after reboot
# by the openSSH config.
# this is necessary, because system runs "on ramdisk" and
# changes to configuration are not persistent
LOG=/tmp/openSSH_startup.log

sleep 15 # let the system finish its startup tasks
# if you don't wait here, sshd will produce
# zombie process and all will go wrong

/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd

# depending on the target, mounting of /opt can be late,
# so wait for /opt/sbin/sshd to become available,
# giving up after 30 seconds so a missing sshd cannot hang the boot
count=1
while [ ! -f /opt/sbin/sshd ]
do
  sleep 1
  count=$((count + 1))   # POSIX arithmetic, works in any /bin/sh (no "let" needed)
  if [ "$count" -eq 30 ]
  then
    echo "/opt/sbin/sshd not found after 30 seconds" >> "$LOG"
    exit 1
  fi
done
echo "/opt/sbin/sshd found after $count seconds" >> "$LOG"

ps -ef | grep ssh | grep -v grep >> "$LOG" # this should produce no output, if everything is right

cp /mnt/HDA_ROOT/.config/ssh/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd # get openSSH daemon in place

# this chmod is here to allow run commands by other users than admin
# I do not fully understand this. Refer to: http://forum.qnapclub.de/viewtopic.php?f=80&t=1801
/bin/chmod u+s /bin/login
/etc/init.d/login.sh start | tee -a "$LOG" # start the sshd
rm -f /tmp/my_install_openssh.sh # cleanup the rubbish

Now it's working fine with my TS219P

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D
Houba
TS-253D with 16GB memory
patbaker82
Getting the hang of things
Posts: 63
Joined: Fri Aug 21, 2009 6:54 am

Re: [HOWTO] openSSH installation cook book

Post by patbaker82 »

marsoupilami wrote:Yop

I prefer this solution to this one http://wiki.qnap.com/wiki/How_To_Replac ... th_OpenSSH
because it does not modify key system files that can evolve in the future. So thanks to you Petr :D
Neither does the solution in the WIKI, at least it doesn't anymore. Not justifying one is better than the other, just clarifying a point.
joschum
New here
Posts: 8
Joined: Fri Dec 24, 2010 2:10 am

Re: [HOWTO] openSSH installation cook book

Post by joschum »

I have installed openssh on a TS439-PRO. Authentication using a public/private keypair has worked for a long time but somehow it does not work anymore. The output of ssh -v is:

...
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: <USERNAME>@amygdala
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/<USERNAME>/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

Any ideas how to resolve this issue?

The same key works for logging into another Linux machine without problem.

joschum