Replace ssh with Qnapware OpenSSH: Difference between revisions

From QNAPedia
Stenci (talk | contribs)
No edit summary
Fleshing out instructions a bit, adding an init script (based on login.sh), and describing how to get authorized_keys support for normal users
Line 3: Line 3:
Recommend changing QNAP system sshd to use any port other than 22.  (Like 2222 or something)
Recommend changing QNAP system sshd to use any port other than 22.  (Like 2222 or something)


#Install Entware for opkg support (Note that this replaces the older non-supported as of Dec-2014 Optware)
#Install QNAPware for opkg support (Note: This replaces both Entware and Optware)
#opkg install openssh-server
#opkg install openssh-server
#ssh-keygen -t rsa -f ssh_host_rsa_key
#echo 'export PATH=/Apps/opt/bin:/Apps/opt/sbin:$PATH' >> /etc/profile # Optional, but recommended
#ssh-keygen -t dsa -f ssh_host_dsa_key
#ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_rsa_key -N ''-t rsa''
#Add sshd user to /etc/passwd and sshd group to /etc/group
#ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_dsa_key -N ''-t dsa''
#*echo sshd:x:74:>>/etc/group
#ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ecdsa_key -N ''-t ecdsa''
#*echo sshd:x:74:74:Priviledge-separated SSH:/var/empty/sshd:/sbin/nologin>>/etc/passwd
#ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ed25519_key -N ''-t ed25519''
#..
#useradd --system --no-create-home sshd
#ln -s ../init.d/openssh.sh /etc/init.d/S86openssh
#ln -s ../init.d/openssh.sh /etc/rcK.d/K34openssh
#Create /etc/init.d/openssh.sh
<div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><nowiki>#!/bin/sh
 
SSH=/Apps/opt/sbin/opensshd
SSHD_CONF=/Apps/opt/etc/ssh/sshd_config
 
/sbin/test -f $SSHD || exit 0
 
[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp
 
DEFAULT_SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
SSH_PORT=22
SSHKEY_CONFIG_DIR=/etc/config/ssh
case "$1" in
    start)
        /bin/chmod 0640 /etc/config/shadow* /etc/default_config/shadow
        if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` != FALSE ]; then
                echo -n "Starting OpenSSH (opensshd) service: "
                /sbin/daemon_mgr opensshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT"
                echo "OK"
                touch /var/lock/subsys/opensshd
        fi
 
        ;;
    stop)
        echo -n "Shutting down OpenSSH (opensshd) service: "
        /sbin/daemon_mgr opensshd stop $SSH
        /usr/bin/killall opensshd 2>/dev/null
        rm -f /var/lock/subsys/opensshd
        echo "OK"
        ;;
 
    restart)
        $0 stop
        $0 start
        ;;     
    *)
        echo "Usage: /etc/init.d/openssh.sh {start|stop|restart}"
        exit 1
esac
 
exit 0
</nowiki>
</div>
Optionally, if you'd like users other than admin to log in with authorized_keys:
 
#Edit /Apps/opt/etc/ssh/sshd_config, set&nbsp;AuthorizedKeysFile to /opt/home/%u/.ssh/authorized_keys
#mkdir -p /opt/home/someuser/.ssh
#<span style="line-height: 20.8px;">mkdir -p /opt/home -m 755</span>
 
<span style="line-height: 20.8px;">Run these for every user you want to be &nbsp;(replace someuser with your actual username):</span>
 
#mkdir -m 700&nbsp;-p /opt/home/someuser/.ssh
#touch&nbsp;<span style="line-height: 20.8px;">/opt/home/someuser/.ssh/authorized_keys</span>
#<span style="line-height: 20.8px;">chmod 600&nbsp;/opt/home/someuser/.ssh/authorized_keys</span>
 
[[Category:SSH]]
[[Category:SSH]]
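
Review bot: The guard in the new /etc/init.d/openssh.sh, `/sbin/test -f $SSHD || exit 0`, tests a variable that is never set; the script defines `SSH=/Apps/opt/sbin/opensshd`, so the existence check never looks at the daemon binary. Use `"$SSH"` in the guard or rename the variable to SSHD throughout. The four new ssh-keygen lines are written as `-N ''-t rsa''`, which wiki markup reads as italics, so the rendered steps show `-N -t rsa` and the empty passphrase argument is lost; wrap those commands in nowiki or pre. `DEFAULT_SSH_PORT` is read from the config but never used, since `SSH_PORT=22` is hard-coded. The per-user authorized_keys steps create the directories and file as whoever runs them and never chown them to someuser, which is worth adding as a step.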

Revision as of 07:26, 1 January 2016

Note: Work in progress.

Recommended: change the QNAP system sshd to use any port other than 22 (for example 2222), because the init script in step 11 starts the replacement sshd on port 22.

  1. Install QNAPware for opkg support (Note: This replaces both Entware and Optware)
  2. opkg install openssh-server
  3. echo 'export PATH=/Apps/opt/bin:/Apps/opt/sbin:$PATH' >> /etc/profile # Optional, but recommended
  4. ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_rsa_key -N '' -t rsa
  5. ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_dsa_key -N '' -t dsa
  6. ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
  7. ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
  8. useradd --system --no-create-home sshd
  9. ln -s ../init.d/openssh.sh /etc/init.d/S86openssh
  10. ln -s ../init.d/openssh.sh /etc/rcK.d/K34openssh
  11. Create /etc/init.d/openssh.sh

```sh
#!/bin/sh

# opkg-installed OpenSSH daemon and its configuration file
SSH=/Apps/opt/sbin/opensshd
SSHD_CONF=/Apps/opt/etc/ssh/sshd_config

# Nothing to do if the daemon binary is not installed
/sbin/test -f "$SSH" || exit 0

[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp

# Port configured for the QNAP system sshd (read here but not used below)
DEFAULT_SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
# Port the replacement sshd listens on
SSH_PORT=22
SSHKEY_CONFIG_DIR=/etc/config/ssh

case "$1" in
    start)
        /bin/chmod 0640 /etc/config/shadow* /etc/default_config/shadow
        # Honour the "SSH Enable" setting from the QNAP configuration
        if [ "`/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE`" != FALSE ]; then
            echo -n "Starting OpenSSH (opensshd) service: "
            /sbin/daemon_mgr opensshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT"
            echo "OK"
            touch /var/lock/subsys/opensshd
        fi
        ;;
    stop)
        echo -n "Shutting down OpenSSH (opensshd) service: "
        /sbin/daemon_mgr opensshd stop $SSH
        /usr/bin/killall opensshd 2>/dev/null
        rm -f /var/lock/subsys/opensshd
        echo "OK"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/openssh.sh {start|stop|restart}"
        exit 1
esac

exit 0
```

Optionally, if you'd like users other than admin to log in with authorized_keys:

  1. Edit /Apps/opt/etc/ssh/sshd_config, set AuthorizedKeysFile to /opt/home/%u/.ssh/authorized_keys
  2. mkdir -p /opt/home/someuser/.ssh
  3. mkdir -p /opt/home -m 755

Run these for every user you want to be able to log in with authorized_keys (replace someuser with your actual username):

  1. mkdir -m 700 -p /opt/home/someuser/.ssh
  2. touch /opt/home/someuser/.ssh/authorized_keys
  3. chmod 600 /opt/home/someuser/.ssh/authorized_keys
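
The per-user steps above set modes but not ownership, and sshd rejects key files whose path is writable by group or others. The following is an added example, not part of the original page: it provisions the tree with the page's modes and then audits the path. The function names `provision_user` and `audit_key_path` are hypothetical, and a `stat` that supports `-c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes a stat that supports -c (GNU coreutils or BusyBox).

# provision_user BASE USER
# Builds BASE/USER/.ssh/authorized_keys with the modes used on this page,
# then hands the tree to USER: sshd reads the key file with that user's
# privileges, so a root-owned 700 directory would be unreadable to it.
provision_user() {
    base=$1 user=$2
    mkdir -p "$base/$user/.ssh" &&
    chmod 755 "$base" "$base/$user" &&
    chmod 700 "$base/$user/.ssh" &&
    touch "$base/$user/.ssh/authorized_keys" &&
    chmod 600 "$base/$user/.ssh/authorized_keys" &&
    chown -R "$user" "$base/$user"
}

# audit_key_path FILE UID STOP_DIR
# Walks from FILE up to STOP_DIR and reports anything sshd's StrictModes
# check would object to: an owner other than UID or root, or group/world
# write permission. Returns 0 when clean, 1 on findings, 2 on errors.
audit_key_path() {
    path=$1 uid=$2 stop=$3 bad=0
    [ -f "$path" ] || { echo "missing: $path"; return 2; }
    while :; do
        owner=$(stat -c %u "$path") || return 2
        mode=$(stat -c %a "$path") || return 2
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner (uid $owner): $path"; bad=1
        fi
        # A leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable ($mode): $path"; bad=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return $bad
}

# Usage as root on the NAS (someuser is the page's placeholder):
#   provision_user /opt/home someuser
#   audit_key_path /opt/home/someuser/.ssh/authorized_keys "$(id -u someuser)" /opt/home
```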