Difference between revisions of "Replace ssh with Qnapware OpenSSH"
(Fleshing out instructions a bit, adding an init script (based on login.sh), and describing how to get authorized_keys support for normal users) |
|||
Line 3: | Line 3: | ||
Recommend changing QNAP system sshd to use any port other than 22. (Like 2222 or something) | Recommend changing QNAP system sshd to use any port other than 22. (Like 2222 or something) | ||
− | #Install | + | #Install QNAPware for opkg support (Note: This replaces both Entware and Optware) |
#opkg install openssh-server | #opkg install openssh-server | ||
− | #ssh-keygen -t rsa -f | + | #echo 'export PATH=/Apps/opt/bin:/Apps/opt/sbin:$PATH' >> /etc/profile # Optional, but recommended |
− | #ssh-keygen -t | + | #ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_rsa_key -N ''-t rsa'' |
− | # | + | #ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_dsa_key -N ''-t dsa'' |
− | # | + | #ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ecdsa_key -N ''-t ecdsa'' |
− | + | #ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ed25519_key -N ''-t ed25519'' | |
− | #.. | + | #useradd --system --no-create-home sshd |
+ | #ln -s ../init.d/openssh.sh /etc/init.d/S86openssh | ||
+ | #ln -s ../init.d/openssh.sh /etc/rcK.d/K34openssh | ||
+ | #Create /etc/init.d/openssh.sh | ||
+ | <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><nowiki>#!/bin/sh | ||
+ | |||
+ | SSH=/Apps/opt/sbin/opensshd | ||
+ | SSHD_CONF=/Apps/opt/etc/ssh/sshd_config | ||
+ | |||
+ | /sbin/test -f $SSHD || exit 0 | ||
+ | |||
+ | [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp | ||
+ | |||
+ | DEFAULT_SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22` | ||
+ | SSH_PORT=22 | ||
+ | SSHKEY_CONFIG_DIR=/etc/config/ssh | ||
+ | case "$1" in | ||
+ | start) | ||
+ | /bin/chmod 0640 /etc/config/shadow* /etc/default_config/shadow | ||
+ | if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` != FALSE ]; then | ||
+ | echo -n "Starting OpenSSH (opensshd) service: " | ||
+ | /sbin/daemon_mgr opensshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT" | ||
+ | echo "OK" | ||
+ | touch /var/lock/subsys/opensshd | ||
+ | fi | ||
+ | |||
+ | ;; | ||
+ | stop) | ||
+ | echo -n "Shutting down OpenSSH (opensshd) service: " | ||
+ | /sbin/daemon_mgr opensshd stop $SSH | ||
+ | /usr/bin/killall opensshd 2>/dev/null | ||
+ | rm -f /var/lock/subsys/opensshd | ||
+ | echo "OK" | ||
+ | ;; | ||
+ | |||
+ | restart) | ||
+ | $0 stop | ||
+ | $0 start | ||
+ | ;; | ||
+ | *) | ||
+ | echo "Usage: /etc/init.d/openssh.sh {start|stop|restart}" | ||
+ | exit 1 | ||
+ | esac | ||
+ | |||
+ | exit 0 | ||
+ | </nowiki> | ||
+ | </div> | ||
+ | Optionally, if you'd like users other than admin to log in with authorized_keys: | ||
+ | |||
+ | #Edit /Apps/opt/etc/ssh/sshd_config, set AuthorizedKeysFile to /opt/home/%u/.ssh/authorized_keys | ||
+ | #mkdir -p /opt/home/someuser/.ssh | ||
+ | #<span style="line-height: 20.8px;">mkdir -p /opt/home -m 755</span> | ||
+ | |||
+ | <span style="line-height: 20.8px;">Run these for every user you want to be (replace someuser with your actual username):</span> | ||
+ | |||
+ | #mkdir -m 700 -p /opt/home/someuser/.ssh | ||
+ | #touch <span style="line-height: 20.8px;">/opt/home/someuser/.ssh/authorized_keys</span> | ||
+ | #<span style="line-height: 20.8px;">chmod 600 /opt/home/someuser/.ssh/authorized_keys</span> | ||
+ | |||
+ | | ||
[[Category:SSH]] | [[Category:SSH]] |
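Review bot: the guard "/sbin/test -f $SSHD || exit 0" in the added init script tests a variable that is never set. The script defines SSH=/Apps/opt/sbin/opensshd, so $SSHD expands to nothing, test sees only "-f" (a non-empty string, which is true), and the script never exits when the binary is missing; use "$SSH" there. Separately, the four ssh-keygen lines are written as -N ''-t rsa'' outside any nowiki, so the wiki reads the paired apostrophes as italic markup and the rendered step becomes "-N -t rsa", losing the empty passphrase argument; wrap those commands in nowiki as the script already is. DEFAULT_SSH_PORT and SSHKEY_CONFIG_DIR are assigned but never used while SSH_PORT=22 is hard-coded, which deserves a comment or removal.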
Revision as of 23:26, 31 December 2015
Note: Work in progress.
Before you start, change the QNAP system sshd to use a port other than 22 (for example, 2222); the init script below starts the Qnapware sshd on port 22.
- Install QNAPware for opkg support (Note: This replaces both Entware and Optware)
- opkg install openssh-server
- echo 'export PATH=/Apps/opt/bin:/Apps/opt/sbin:$PATH' >> /etc/profile # Optional, but recommended
- ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_rsa_key -N '' -t rsa
- ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_dsa_key -N '' -t dsa
- ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
- ssh-keygen -f /Apps/opt/etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
- useradd --system --no-create-home sshd
- ln -s ../init.d/openssh.sh /etc/init.d/S86openssh
- ln -s ../init.d/openssh.sh /etc/rcK.d/K34openssh
- Create /etc/init.d/openssh.sh
    #!/bin/sh
    # Init script for the Qnapware OpenSSH daemon

    SSH=/Apps/opt/sbin/opensshd
    SSHD_CONF=/Apps/opt/etc/ssh/sshd_config

    # Do nothing if the daemon binary is not installed
    /sbin/test -f "$SSH" || exit 0

    [ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp

    # Port configured for the QNAP system sshd (read here but not used below)
    DEFAULT_SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
    # Port this daemon listens on
    SSH_PORT=22
    SSHKEY_CONFIG_DIR=/etc/config/ssh

    case "$1" in
        start)
            # Restrict permissions on the shadow password files
            /bin/chmod 0640 /etc/config/shadow* /etc/default_config/shadow
            # Start only if SSH is enabled in the QNAP configuration
            if [ "$(/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE)" != FALSE ]; then
                echo -n "Starting OpenSSH (opensshd) service: "
                /sbin/daemon_mgr opensshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT"
                echo "OK"
                touch /var/lock/subsys/opensshd
            fi
            ;;
        stop)
            echo -n "Shutting down OpenSSH (opensshd) service: "
            /sbin/daemon_mgr opensshd stop $SSH
            /usr/bin/killall opensshd 2>/dev/null
            rm -f /var/lock/subsys/opensshd
            echo "OK"
            ;;
        restart)
            $0 stop
            $0 start
            ;;
        *)
            echo "Usage: /etc/init.d/openssh.sh {start|stop|restart}"
            exit 1
    esac

    exit 0
Optionally, if you'd like users other than admin to log in with authorized_keys:
- Edit /Apps/opt/etc/ssh/sshd_config, set AuthorizedKeysFile to /opt/home/%u/.ssh/authorized_keys
- mkdir -p /opt/home/someuser/.ssh
- mkdir -p /opt/home -m 755
Run these for every user you want to be able to log in (replace someuser with the actual username):
- mkdir -m 700 -p /opt/home/someuser/.ssh
- touch /opt/home/someuser/.ssh/authorized_keys
- chmod 600 /opt/home/someuser/.ssh/authorized_keys
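
To confirm the per-user key layout above before testing a login, the following added example (not part of the wiki page) audits the modes those steps set and also checks ownership, which the steps do not change. The function name check_authkeys and its BASE and UID arguments are hypothetical, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the wiki page. check_authkeys, its BASE argument
# and the optional UID argument are hypothetical names for this sketch.

# check_authkeys BASE USER [UID]
# Prints one line per finding and returns 1 if any were found.
# Expected modes are the ones set in the steps above:
#   BASE 755, BASE/USER/.ssh 700, authorized_keys 600.
check_authkeys() {
    base=$1; user=$2; rc=0
    uid=${3:-$(id -u "$user" 2>/dev/null)}
    sshdir="$base/$user/.ssh"

    for spec in "$base:755" "$sshdir:700" "$sshdir/authorized_keys:600"; do
        path=${spec%:*}; want=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(stat -c '%a' "$path")
        [ "$have" = "$want" ] || { echo "MODE $path is $have, expected $want"; rc=1; }
    done

    # sshd opens authorized_keys with the login user's privileges; with modes
    # 700/600 only the owner can read, so both must belong to that user.
    for path in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$path" ] || continue
        owner=$(stat -c '%u' "$path")
        [ "$owner" = "$uid" ] || { echo "OWNER $path is uid $owner, expected $uid"; rc=1; }
    done
    return $rc
}

# Example: check_authkeys /opt/home someuser
```

An OWNER finding means the directory or file was created by the account that ran the mkdir and touch commands and still belongs to it rather than to the user who will log in.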