How To Replace SSH Daemon With OpenSSH
Overview
I've seen many different solutions to implement OpenSSH, but none really brought a full switch over to openssh. While the many documents out there reflect how to replace the binary and get the openssh system to start up, most fail to show how to repoint underlying QNAP links to the /opt/etc/openssh configurations. With that said most implementations use hostkeys/keys that were generated under the old system possiblity leaving it unsecure.
High level features of this implementation
- Enhanced the original start scripts provided from QNAP.
- Creates initial 'admin' home directory as specified in /etc/passwd
- Use of configuration parameters set in the GUI. The ports you set in the GUI will be the ones that openssh will use. Further you can disable/enable openssh via the GUI.
- Support for firmware 3.3 of enabling/disabling SFTP via the GUI
- Persistent script. Restarts via the GUI will use the new code, IE enabling/disabling of SSH or telnet.
- Script ensures, upon booting, that it waits for the system QNAP ssh system to start before attempting to start openssh to replace the QNAP SSH daemon. This is important as we do not want competing SSHD processes.
The Alternative way
The port which the standard Qnap sshd listens to is configurable from the web interface... Change it to something else, then run OpenSSH on port 22. You don't need to fiddle with system config files or replace the sshd binary, just leave them be and edit /opt/etc/openssh/* to your liking.
Then you can either run OpenSSH sshd binary in the autorun.sh script (it daemonizes by default), or you can make sure that "/opt/etc/init.d/" files are correctly started on start up (follow instructions in Install Optware IPKG).
Installation
NOTE: This will require you to be either logged into the QNAP via Telnet or SSH in order to execute the commands denoted as #.
- Install Optware IPKG. Optware is the conduit for installing OpenSSH.
- Install the Openssh package using Optware.
# ipkg update # ipkg install openssh
- mount /tmp/config, following the instructions in the article Running Your Own Application at Startup.
- Copy the script below, login.sh, to /tmp/config/login.sh
- Make /tmp/config/login.sh executable
# chmod +x /tmp/config/login.sh
- Create or Edit /tmp/config/autorun.sh and add the following
/bin/cp /tmp/config/login.sh /tmp ; /bin/sh /tmp/login.sh restart &
- Ensure /tmp/config/autorun.sh is executable
# chmod +x /tmp/config/autorun.sh
- Reboot
# reboot
[Tested on TS-410, TS-459, TS-509 and TS-869.]
login.sh
Updated for Firmware 3.4.3
#!/bin/sh SLEEP_MAX=600 SSHD=/opt/sbin/sshd TELNET=/bin/utelnetd SSHD_CONF=/opt/etc/openssh/sshd_config SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22` DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131` TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT` SSHKEY_CONFIG_DIR=/opt/etc/openssh BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf` generte_ssh_key() { [ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR if [ -f /opt/bin/ssh-keygen ]; then if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key* /opt/bin/ssh-keygen -t ecdsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N "" /bin/sync fi fi } update_sshd_config() { ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE` if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then /bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? != 0 ]; then /bin/sed '107i\Subsystem sftp \/usr\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi else /bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? = 0 ]; then /bin/sed "/\/usr\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} /bin/rm ${SSHD_CONF}.tmp fi fi } enable_openssh() { # Check to see if we already copied the old sshd if [ ! -e /usr/sbin/sshd_orig ]; then mv /usr/sbin/sshd /usr/sbin/sshd_orig cp /opt/sbin/sshd /usr/sbin/sshd fi # Finally, replace the current login script if neccessary so further restarts via the web interface work /bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null if [ $? != 0 ]; then if [ -e $0 ]; then cp $0 /etc/init.d/login.sh fi fi # Make sure we have a home directory on a persistent drive # Note, this will only create the admin home directory if [ ! -e "/share/MD0_DATA/home" ]; then /bin/mkdir /share/MD0_DATA/home /bin/mkdir /share/MD0_DATA/home/admin /bin/chmod og-rx /share/MD0_DATA/home/admin fi # Link persistent home directory to referenced home dirs in /etc/passwd if [ ! -e "/share/homes" ]; then ln -s /share/MD0_DATA/home /share/homes fi } # Wait $SLEEP seconds or determine if the system is done booting before proceeding SLEEP_COUNTER=0 while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do sleep 1 let "SLEEP_COUNTER += 1" done /sbin/test -f $SSHD || exit 0 /sbin/test -f $TELNET || exit 0 [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp case "$1" in start) if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then echo "Starting sshd services: disabled." else echo -n "Starting sshd services: " enable_openssh generte_ssh_key update_sshd_config /sbin/daemon_mgr sshd start "$SSHD -f ${SSHD_CONF} -p $SSH_PORT" echo "sshd." touch /var/lock/subsys/sshd fi if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then echo "Starting telnet services: disabled." else echo -n "Starting telnet services: " /sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &" echo "utelnetd." touch /var/lock/subsys/utelnetd fi ;; stop) echo -n "Shutting down sshd services:" /sbin/daemon_mgr sshd stop $SSHD /usr/bin/killall sshd rm -f /var/lock/subsys/sshd echo "sshd" echo -n "Shutting down telnet services:" /sbin/daemon_mgr utelnetd stop $TELNET rm -f /var/lock/subsys/utelnetd echo "utelnetd" ;; restart) $0 stop $0 start ;; *) echo "Usage: /etc/init.d/login.sh {start|stop|restart}" exit 1 esac exit 0
TS-212
Firmware 3.5.2 Build 1126T
Created with some melding of the above script with that found by default on the 3.5.2 Build 1126T firmware (on mtdblock5), the following script seems to work as intended on a TS-212.
#!/bin/sh SLEEP_MAX=600 SSHD=/opt/sbin/sshd TELNET=/bin/utelnetd SSHD_CONF=/opt/etc/openssh/sshd_config /sbin/test -f $SSHD || exit 0 /sbin/test -f $TELNET || exit 0 [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22` DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131` TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT` SSHKEY_CONFIG_DIR=/opt/etc/openssh BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf` generte_ssh_key() { [ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR if [ -f /opt/bin/ssh-keygen ]; then if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /bin/touch /etc/config/ssh_key.fla /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /etc/config/ssh_key.fla /bin/sync fi /bin/cmp /etc/ssh/ssh_host_rsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key 1>>/dev/null 2>>/dev/null retrsa1=$? /bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null retrsa2=$? /bin/cmp /etc/ssh/ssh_host_dsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key 1>>/dev/null 2>>/dev/null retdsa1=$? /bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null retdsa2=$? [ $retrsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key /etc/ssh/ [ $retrsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub /etc/ssh/ [ $retdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key /etc/ssh/ [ $retdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub /etc/ssh/ if [ -d /etc/config/ssh ]; then /bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null /bin/ln -sf /etc/config/ssh /root/.ssh [ -f /etc/config/ssh/id_rsa ] || /bin/ln -sf ssh_host_rsa_key /etc/config/ssh/id_rsa [ -f /etc/config/ssh/id_rsa.pub ] || /bin/ln -sf ssh_host_rsa_key.pub /etc/config/ssh/id_rsa.pub fi if [ "x${BOOT_CONF}" = "xTS-NASX86" ] && [ ! -f /etc/config/ssh_key.fla ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null /usr/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /usr/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /etc/config/ssh_key.fla fi fi } update_sshd_config() { ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE` if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then /bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? != 0 ]; then /bin/sed '107i\Subsystem sftp \/usr\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi else /bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? = 0 ]; then /bin/sed "/\/usr\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} /bin/rm ${SSHD_CONF}.tmp fi fi } enable_openssh() { # Check to see if we already copied the old sshd if [ ! -e /usr/sbin/sshd_orig ]; then mv /usr/sbin/sshd /usr/sbin/sshd_orig cp /opt/sbin/sshd /usr/sbin/sshd fi # Finally, replace the current login script if neccessary so further restarts via the web interface work /bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null if [ $? != 0 ]; then if [ -e $0 ]; then cp $0 /etc/init.d/login.sh fi fi # Make sure we have a home directory on a persistent drive # Note, this will only create the admin home directory if [ ! -e "/share/MD0_DATA/home" ]; then /bin/mkdir /share/MD0_DATA/home /bin/mkdir /share/MD0_DATA/home/admin /bin/chmod og-rx /share/MD0_DATA/home/admin fi # Link persistent home directory to referenced home dirs in /etc/passwd if [ ! -e "/share/homes" ]; then ln -s /share/MD0_DATA/home /share/homes fi } # Wait $SLEEP seconds or determine if the system is done booting before proceeding SLEEP_COUNTER=0 while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do sleep 1 let "SLEEP_COUNTER += 1" done /sbin/test -f $SSHD || exit 0 /sbin/test -f $TELNET || exit 0 [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp case "$1" in start) if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then echo "Starting sshd services: disabled." else echo -n "Starting sshd services: " enable_openssh generte_ssh_key update_sshd_config /sbin/daemon_mgr sshd start "$SSHD -f ${SSHD_CONF} -p $SSH_PORT" echo "sshd." touch /var/lock/subsys/sshd fi if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then echo "Starting telnet services: disabled." else echo -n "Starting telnet services: " /sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &" echo "utelnetd." touch /var/lock/subsys/utelnetd fi if [ `/sbin/getcfg "TFTP Server" "Enable" -u -d FALSE` = FALSE ]; then echo "Starting opentftpd services: disabled." else /etc/init.d/opentftp.sh start fi ;; stop) echo -n "Shutting down sshd services:" /sbin/daemon_mgr sshd stop $SSHD /usr/bin/killall sshd rm -f /var/lock/subsys/sshd echo "sshd" echo -n "Shutting down telnet services:" /sbin/daemon_mgr utelnetd stop $TELNET rm -f /var/lock/subsys/utelnetd echo "utelnetd" ;; restart) $0 stop $0 start ;; *) echo "Usage: /etc/init.d/login.sh {start|stop|restart}" exit 1 esac exit 0
Firmware 4.0.5
It seems that the default sshd shipped with this version allows users other than admin. It is only needed to add the allowed usernames (including admin) to the AllowUsers directive in /etc/ssh/sshd_config.
AllowUsers admin USERNAME
Unfortunately, changes to that file are not persistent across reboot. Copying the modified sshd_config script to /tmp/config, and making the autorun.sh script copy it back in /etc/ssh on boot should work.
If using the Optware-provided OpenSSH is still required, the following additional changes are needed.
Sometimes between 3.5.x and 4.0.5, OpenSSH seems to have started expecting ECDSA keys. The login.sh script needs to generate them too in generte_ssh_keys [sic].
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key* /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N "" /bin/touch /etc/config/ssh_key.fla /bin/sync fi
TS-419P+ with Firmware 3.6.1 Build 0302T
#!/bin/sh SSH=/opt/sbin/sshd TELNET=/bin/utelnetd SSHD_CONF=/opt/etc/openssh/sshd_config SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22` DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131` TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT` SSHKEY_CONFIG_DIR=/opt/etc/openssh SLEEP_MAX=300 generte_ssh_key() { [ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR if [ -f /opt/bin/ssh-keygen ]; then if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla /bin/sync fi [ -d $SSHKEY_CONFIG_DIR/root ] || /bin/mkdir $SSHKEY_CONFIG_DIR/root if [ ! -f ${SSHKEY_CONFIG_DIR}/root/id_rsa ] || [ ! -f ${SSHKEY_CONFIG_DIR}/root/id_rsa.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/root/id_rsa* /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/root/id_rsa -N "" /bin/touch /opt/etc/openssh/root/ssh_key.fla /bin/sync fi if [ -d /opt/etc/openssh ]; then /bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null /bin/ln -sf /opt/etc/openssh/root /root/.ssh fi if [ ! -f /opt/etc/openssh/ssh_key.fla ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla fi if [ ! -f /opt/etc/openssh/root/ssh_key.fla ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/id_rsa* 2>>/dev/null /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/id_rsa -N "" /bin/touch /opt/etc/openssh/ssh_key.fla fi fi } update_sshd_config() { ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE` if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then /bin/grep "/opt/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? != 0 ]; then /bin/sed '107i\Subsystem sftp \/opt\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi else /bin/grep "/opt/libexec/sftp-server" ${SSHD_CONF} > /dev/null if [ $? == 0 ]; then /bin/sed "/\/opt\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi fi } enable_openssh() { # Check to see if we already copied the old sshd if [ ! -e /usr/sbin/sshd_orig ]; then mv /usr/sbin/sshd /usr/sbin/sshd_orig cp /opt/sbin/sshd /usr/sbin/sshd fi # Finally, replace the current login script if neccessary so further restarts via the web interface work /bin/grep "enable_openssh" ${SSHD_CONF} > /dev/null if [ $? != 0 ]; then if [ -e /tmp/login.sh ]; then cp /tmp/login.sh /etc/init.d/login.sh fi fi } # Wait $SLEEP seconds or determine if the system is done booting before proceeding SLEEP_COUNTER=0 while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do sleep 1 let "SLEEP_COUNTER += 1" done /sbin/test -f $SSH || exit 0 /sbin/test -f $TELNET || exit 0 case "$1" in start) if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then echo "Starting sshd services: disabled." else echo -n "Starting sshd services: " enable_openssh generte_ssh_key update_sshd_config /sbin/daemon_mgr sshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT" echo "sshd." touch /var/lock/subsys/sshd fi if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then echo "Starting telnet services: disabled." else echo -n "Starting telnet services: " /sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &" echo "utelnetd." touch /var/lock/subsys/utelnetd fi ;; stop) echo -n "Shutting down sshd services:" /sbin/daemon_mgr sshd stop $SSH /usr/bin/killall sshd rm -f /var/lock/subsys/sshd echo "sshd" echo -n "Shutting down telnet services:" /sbin/daemon_mgr utelnetd stop $TELNET rm -f /var/lock/subsys/utelnetd echo "utelnetd" ;; restart) $0 stop $0 start ;; *) echo "Usage: /etc/init.d/login.sh {start|stop|restart}" exit 1 esac exit 0
TS-119 with 3.8.3 Build 20130426
Works with OpenSSH_5.9p1 and the QPKG-based method from Running Your Own Application at Startup.
#!/bin/sh SSH=/opt/sbin/sshd TELNET=/bin/utelnetd SSHD_CONF=/opt/etc/openssh/sshd_config /sbin/test -f $SSHD || exit 0 /sbin/test -f $TELNET || exit 0 [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22` DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131` TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT` SSHKEY_CONFIG_DIR=/opt/etc/openssh BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf` SLEEP_MAX=300 generte_ssh_key() { [ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR if [ -f /opt/bin/ssh-keygen ]; then if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla /bin/sync fi if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key* /opt/bin/ssh-keygen -t ecdsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla /bin/sync fi /bin/cmp /etc/ssh/ssh_host_rsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key 1>>/dev/null 2>>/dev/null retrsa1=$? /bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null retrsa2=$? /bin/cmp /etc/ssh/ssh_host_dsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key 1>>/dev/null 2>>/dev/null retdsa1=$? /bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null retdsa2=$? /bin/cmp /etc/ssh/ssh_host_ecdsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key 1>>/dev/null 2>>/dev/null retecdsa1=$? /bin/cmp /etc/ssh/ssh_host_ecdsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub 1>>/dev/null 2>>/dev/null retecdsa2=$? [ $retrsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key /etc/ssh/ [ $retrsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub /etc/ssh/ [ $retdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key /etc/ssh/ [ $retdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub /etc/ssh/ [ $retecdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key /etc/ssh/ [ $retecdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub /etc/ssh/ if [ -d /opt/etc/openssh ]; then /bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null /bin/ln -sf /opt/etc/openssh/root /root/.ssh [ -f /etc/config/ssh/id_rsa ] || /bin/ln -sf ssh_host_rsa_key /etc/config/ssh/id_rsa [ -f /etc/config/ssh/id_rsa.pub ] || /bin/ln -sf ssh_host_rsa_key.pub /etc/config/ssh/id_rsa.pub fi if [ "x${BOOT_CONF}" = "xTS-NASX86" ] && [ ! -f /opt/etc/openssh/ssh_key.fla ]; then /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null /bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null /opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N "" /opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N "" /bin/touch /opt/etc/openssh/ssh_key.fla fi fi } update_sshd_config() { ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE` if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then /bin/grep "internal-sftp" ${SSHD_CONF} > /dev/null if [ $? != 0 ]; then /bin/sed '107i\Subsystem sftp internal-sftp' ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi else /bin/grep "internal-sftp" ${SSHD_CONF} > /dev/null if [ $? = 0 ]; then /bin/sed "/internal-sftp/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp /bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF} fi fi } enable_openssh() { # Check to see if we already copied the old sshd if [ ! -e /usr/sbin/sshd_orig ]; then mv /usr/sbin/sshd /usr/sbin/sshd_orig cp /opt/sbin/sshd /usr/sbin/sshd fi # Finally, replace the current login script if necessary so further restarts via the web interface work /bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null if [ $? != 0 ]; then if [ -e $0 ]; then cp $0 /etc/init.d/login.sh fi fi # Make sure we have a home directory on a persistent drive # Note, this will only create the admin home directory if [ ! -e "/share/HDA_DATA/home" ]; then /bin/mkdir /share/HDA_DATA/home /bin/mkdir /share/HDA_DATA/home/admin /bin/chmod og-rx /share/HDA_DATA/home/admin fi # Link persistent home directory to referenced home dirs in /etc/passwd if [ ! -e "/share/homes" ]; then ln -s /share/HDA_DATA/home /share/homes fi } # Wait $SLEEP seconds or determine if the system is done booting before proceeding SLEEP_COUNTER=0 while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do sleep 1 let "SLEEP_COUNTER += 1" done case "$1" in start) if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then echo "Starting sshd services: disabled." else echo -n "Starting sshd services: " enable_openssh generte_ssh_key update_sshd_config /sbin/daemon_mgr sshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT" echo "sshd." touch /var/lock/subsys/sshd fi if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then echo "Starting telnet services: disabled." else echo -n "Starting telnet services: " /sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &" echo "utelnetd." touch /var/lock/subsys/utelnetd fi if [ `/sbin/getcfg "TFTP Server" "Enable" -u -d FALSE` = FALSE ]; then echo "Starting opentftpd services: disabled." else /etc/init.d/opentftp.sh start fi ;; stop) echo -n "Shutting down sshd services:" /sbin/daemon_mgr sshd stop $SSH /usr/bin/killall sshd rm -f /var/lock/subsys/sshd echo "sshd" echo -n "Shutting down telnet services:" /sbin/daemon_mgr utelnetd stop $TELNET rm -f /var/lock/subsys/utelnetd echo "utelnetd" ;; restart) $0 stop $0 start ;; *) echo "Usage: /etc/init.d/login.sh {start|stop|restart}" exit 1 esac exit 0
Configuration
Configuration files are maintained in /opt/etc/openssh, such as the sshd_config
Restarting openssh without rebooting
Once the system is setup, it might be useful to make changes to the sshd_config and restart the daemon without rebooting. You can do this one of two ways.
GUI
- Untick the box in the GUI to disable SSH and hit apply
- Re-enable and hit apply
Disabling guest account
With OpenSSH, by default all users can log in, which means that the user "guest" with the default password "guest" can also log in and this may be undesirable to you.You may then want to remove this account with "deluser guest" from the command line with the admin account Verry bad idea as at least the qnap admin webinterface and FTP stoped working on 4.0.2. By pure luck SSH still works and restoring the user fixes the problem. You can also give it a password with "passwd guest" instead.
Contributions to documentation
This howto was written by Papengut and edited by stevebow and jk42 then later re-written by patbaker82. See the Page History link for more contributors.
Note: This article overlaps with <a _fcknotitle="true" href="Replace ssh">Replace ssh</a>. The two articles should probably get merged.
<a _fcknotitle="true" href="Category:SSH">SSH</a>