(but keeping QNAP's SSHD version active as well)
Audience: This post requires some Linux skills: it requires pre-installation of Optware IPKG and modification of the "autorun.sh" file. Both of these tasks should be considered MEDIUM to EXPERT Linux skills. This is not a project for Linux newbies.
Prerequisites: Installing OpenSSH requires that Optware is already installed. If you don't have Optware IPKG installed, stop here and go install Optware IPKG first. Please follow the instructions in QNAPedia article: Install Optware IPKG, preferably using the QPKG method. I will refer to QNAPedia article: Running Your Own Application at Startup later in this article, so I recommend at least glancing at both of these QNAPedia articles to ensure you have enough Linux skills to follow both of these documents.
Abstract: QNAP's provided SSHd Server restricts access to Admin only (by design), and in the v3.8.0/v3.8.1 Firmware does not respect the home directory field in /etc/passwd (which is a symlink to /etc/config/passwd). Consider the following:
Excerpt from /etc/passwd:
admin0:0:administrator,,,:/share/homes/admin:/bin/sh
QNAP's SSHd daemon (in the SSHd provided in Firmware v3.8.0 & v3.8.1) incorrectly sets both the home directory and the $HOME environment variable to /root, completely ignoring the home directory field in /etc/passwd. This is a very annoying BUG!
QNAPedia article: How To Replace SSH Daemon With OpenSSH is DANGEROUS, because it replaces the built-in daemon rather than supplementing it. If Optware doesn't start correctly (for example after a Firmware upgrade), the QNAP owner can find themselves locked out of their own system.
IMHO the solution is to retain the original SSHd daemon but move it to a non-standard port, just as QNAP does with its "Telnet Daemon", putting Telnet on port 13131/TCP rather than the standard Telnet port 23/TCP. Taking QNAP's daemon off the standard SSH port 22/TCP and placing it on a non-standard port, say 12121/TCP (any unused TCP port would do), leaves port 22/TCP unused by the Firmware, which permits installing OpenSSH (via Optware) and letting it attach to the now vacant port 22/TCP.
Doing this gives the QNAP owner a de facto standard SSHd daemon on port 22/TCP without disabling the QNAP-provided one, which remains available on non-standard port 12121/TCP. This setup leaves the QNAP owner with two (2) working SSHd daemons running at all times: OpenSSH on 22/TCP and QNAP's SSHd on 12121/TCP. Both of the following commands would work from a Mac or Linux "Terminal" session:
SSH to NAS via OpenSSH:
Code:
ssh admin@NAS-IP
SSH to NAS via QNAP SSHd:
Code:
ssh -p 12121 admin@NAS-IP
Implementation: The first step in getting OpenSSH installed is to free up port TCP/22 on the NAS, by changing the port used by the QNAP Firmware. For this task simply proceed as follows:
- Access the Admin WebUI of your NAS, at http://NAS-IP:8080
- To configure the system settings, click “Administration” on the login portal.
- Click the triangle icon next to "Network Services" to expand the tree and view the items listed under this section
- Select "Telnet / SSH" to access the Telnet and SSH settings
- Reconfigure the settings to change the SSH port from the default port 22/TCP to non-standard port 12121/TCP
- Click
The next step is to install OpenSSH via Optware. This is far easier than installing Optware was.
Log in to your NAS via SSH on port 12121 (log in as "admin"; see above) and enter the following commands:
Code:
ipkg update
ipkg install openssh
#Start OpenSSH
/opt/sbin/sshd 2>/dev/null
Congratulations: OpenSSH Server is now running with default settings on port 22/TCP (the standard SSHd port).
Let's test it and ensure that you can log in on the standard port.
From your PC, attempt to SSH to the NAS via OpenSSH:
Code:
ssh admin@NAS-IP
If you are able to log in successfully, then you know OpenSSH is installed properly. (If this fails, please reply to this message with information about the failure.)
If your test login worked, then you can follow the steps in QNAPedia article: Running Your Own Application at Startup to add the following lines to your "autorun.sh" file.
Code:
#Start OpenSSH
/opt/sbin/sshd
Let's ensure that you can log in on the standard port.
From your PC, attempt to SSH to the NAS via OpenSSH:
Code:
ssh admin@NAS-IP
Also retry SSH to NAS via QNAP SSHd:
Code:
ssh -p 12121 admin@NAS-IP
Now it is time to configure your Host Keys and Private Keys. Consult QNAPedia article: How To Set Up Authorized Keys. Failure to create your own keys will leave your system insecure, so don't be lazy. Set up your keys properly.
Quirks and Usage Tips: Due to the aforementioned $HOME bug in QNAP's SSHd implementation, there are a couple of things that you need to be aware of. When you access your NAS via SSH on port 12121/TCP, you will therefore use the BASH environment created by QNAP, with your $HOME located on the RAMdisk, where .profile etc. get overwritten at every boot. Don't bother changing these files, as they will get overwritten at every boot. (Blame QNAP, not me; it's their flawed design.)
When you log in via SSH on (default SSH) port 22/TCP (i.e. via the OpenSSH Server), it will set your $HOME to the one listed in the /etc/passwd file. (In my configuration it properly sets my $HOME directory and $HOME variable to "/share/homes/admin".) This means I can customize my ".profile", ".bashrc", etc. and my changes will survive a reboot. This alone makes this modification worth doing!
The other advantage of using OpenSSH rather than QNAP-SSHd for your SSH access is that the OpenSSH implementation will allow "users" to log in, as OpenSSH does not suffer from the same "stupid" Admin-only restriction that QNAP's SSHd does. You may want to take advantage of this "feature". If you create users via the Admin WebUI (see: Users section of the QNAP Turbo NAS User Manual), they too can log into the NAS. They will not have "root" privileges, so this is relatively safe. If you don't like this behaviour, you MUST change the user's shell listed in the /etc/passwd file to /bin/false rather than /bin/sh in order to prevent them from logging in via SSH. BE AWARE OF THIS. I view this as a "feature", as I can control who can and who cannot log in to my NAS by editing the /etc/passwd file. (Consider yourself warned.)
Some readers will view this as a disadvantage.
Caveat: My autostart method could use some work. I didn't bother to build a proper start/stop script for this (as I always want SSH running anyway), but OpenSSH should really be set up properly with an openssh.sh start/stop script, probably started from /opt/etc/init.d if you follow the instructions in the "Running /opt/etc/init.d/* on startup" section of the QNAPedia article: Install Optware IPKG. If any community members desire this, please post a reply to this message asking me to do so. (I skipped it at this time simply because I haven't bothered for my own use yet.)
Anyway folks, I hope the QNAP NAS Community finds this article helpful. Sorry I couldn't simplify these instructions any better than this. Hopefully QNAP will eventually replace their broken SSHd daemon with a bug-fixed version that doesn't have the Admin-only restriction, and which actually respects the $HOME directory defined in the password file. Until this happens, this is a solution that provides the advantages of OpenSSH without losing access to the default SSHd daemon provided by QNAP. Hopefully one day my instructions contained in this article will no longer be required.
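The start/stop script the caveat above asks for, as an added example that is not part of Patrick's post or of the Optware openssh package: it assumes Optware's /opt/sbin/sshd, a config at /opt/etc/openssh/sshd_config and a pid file under /opt/var/run (all overridable from the environment), validates the config with sshd -t before starting, and refuses to start if something else already holds port 22, which is what happens when a firmware upgrade puts QNAP's own SSHd back on 22.

```shell
#!/bin/sh
# Hypothetical /opt/etc/init.d/S50openssh for the Optware OpenSSH installed above.
# Assumed paths (override via environment): binary, config, pid file, port.
SSHD_BIN="${SSHD_BIN:-/opt/sbin/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/opt/etc/openssh/sshd_config}"
SSHD_PIDFILE="${SSHD_PIDFILE:-/opt/var/run/sshd.pid}"
SSHD_PORT="${SSHD_PORT:-22}"

# Return 0 if "netstat -tln" output ($1) shows a TCP listener on port $2
# ("0.0.0.0:22", ":::22" or "*:22"); pure function so it can be tested offline.
port_in_use_from_netstat() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

port_in_use() { port_in_use_from_netstat "$(netstat -tln 2>/dev/null)" "$1"; }

# Running only if the pid file names a live process (a stale file after a crash
# or reboot must not block a restart).
sshd_running() {
    [ -r "$SSHD_PIDFILE" ] && kill -0 "$(cat "$SSHD_PIDFILE")" 2>/dev/null
}

start() {
    if sshd_running; then echo "OpenSSH already running"; return 0; fi
    # Refuse to start if the port is held, typically by QNAP's own SSHd after a
    # firmware upgrade has reset its port back to 22.
    if port_in_use "$SSHD_PORT"; then
        echo "port $SSHD_PORT in use; check QNAP's Telnet / SSH port setting" >&2
        return 1
    fi
    # sshd -t parses config and host keys without starting; fail early on errors.
    "$SSHD_BIN" -t -f "$SSHD_CONFIG" || { echo "sshd_config invalid" >&2; return 1; }
    "$SSHD_BIN" -f "$SSHD_CONFIG" -o "PidFile=$SSHD_PIDFILE"
}

stop() {
    sshd_running || { echo "OpenSSH not running"; return 0; }
    kill "$(cat "$SSHD_PIDFILE")" && rm -f "$SSHD_PIDFILE"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  if sshd_running; then echo running; else echo stopped; fi ;;
    "")      ;;   # no argument: only define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it under /opt/etc/init.d (the S50openssh name is an assumption) so the init.d method from the Optware article starts it at boot. Because the passwd line above gives admin uid 0, OpenSSH's PermitRootLogin setting governs the admin login, so an sshd_config that sets PermitRootLogin no would lock admin out of OpenSSH (QNAP's SSHd on 12121/TCP would still work).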
Patrick.