How To Replace SSH Daemon With OpenSSH
Jump to navigation
Jump to search
Overview
I've seen many different solutions to implement OpenSSH, but none really brought a full switch over to openssh. While the many documents out there reflect how to replace the binary and get the openssh system to start up, most fail to show how to repoint underlying QNAP links to the /opt/etc/openssh configurations. With that said most implementations use hostkeys/keys that were generated under the old system possiblity leaving it unsecure.
High level features of this implementation
- Enhanced the original start scripts provided from QNAP.
- Creates initial 'admin' home directory as specified in /etc/passwd
- Use of configuration parameters set in the GUI. The ports you set in the GUI will be the ones that openssh will use. Further you can disable/enable openssh via the GUI.
- Support for firmware 3.3 of enabling/disabling SFTP via the GUI
- Persistent script. Restarts via the GUI will use the new code, IE enabling/disabling of SSH or telnet.
- Script ensures, upon booting, that it waits for the system QNAP ssh system to start before attempting to start openssh to replace the QNAP SSH daemon. This is important as we do not want competing SSHD processes.
The Alternative way
The port which the standard Qnap sshd listens to is configurable from the web interface... Change it to something else, then run OpenSSH on port 22. You don't need to fiddle with system config files or replace the sshd binary, just leave them be and edit /opt/etc/openssh/* to your liking.
Then you can either run OpenSSH sshd binary in the autorun.sh script (it daemonizes by default), or you can make sure that "/opt/etc/init.d/" files are correctly started on start up (follow instructions in Install_Optware_IPKG).
Installation
NOTE: This will require you to be either logged into the QNAP via Telnet or SSH in order to execute the commands denoted as #.
- Install_Optware_IPKG. Optware is the conduit for installing OpenSSH.
- Install the OpenSSH package using Optware.
# ipkg update # ipkg install openssh
- mount /tmp/config, following the instructions in the article Running Your Own Application at Startup.
- Copy the script below, login.sh, to /tmp/config/login.sh
- Make /tmp/config/login.sh executable
# chmod +x /tmp/config/login.sh
- Create or Edit /tmp/config/autorun.sh and add the following
/bin/cp /tmp/config/login.sh /tmp ; /bin/sh /tmp/login.sh restart &
- Ensure /tmp/config/autorun.sh is executable
# chmod +x /tmp/config/autorun.sh
- Reboot
# reboot
[Tested on TS-410, TS-459, TS-509 and TS-869.]
login.sh
Updated for Firmware 3.4.3
#!/bin/sh
SLEEP_MAX=600
SSHD=/opt/sbin/sshd
TELNET=/bin/utelnetd
SSHD_CONF=/opt/etc/openssh/sshd_config
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131`
TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT`
SSHKEY_CONFIG_DIR=/opt/etc/openssh
BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf`
generte_ssh_key()
{
[ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR
if [ -f /opt/bin/ssh-keygen ]; then
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key*
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key*
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key*
/opt/bin/ssh-keygen -t ecdsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N ""
/bin/sync
fi
fi
}
update_sshd_config()
{
ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE`
if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then
/bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? != 0 ]; then
/bin/sed '107i\Subsystem sftp \/usr\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
else
/bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? = 0 ]; then
/bin/sed "/\/usr\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
/bin/rm ${SSHD_CONF}.tmp
fi
fi
}
enable_openssh()
{
# Check to see if we already copied the old sshd
if [ ! -e /usr/sbin/sshd_orig ]; then
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd
fi
# Finally, replace the current login script if neccessary so further restarts via the web interface work
/bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null
if [ $? != 0 ]; then
if [ -e $0 ]; then
cp $0 /etc/init.d/login.sh
fi
fi
# Make sure we have a home directory on a persistent drive
# Note, this will only create the admin home directory
if [ ! -e "/share/MD0_DATA/home" ]; then
/bin/mkdir /share/MD0_DATA/home
/bin/mkdir /share/MD0_DATA/home/admin
/bin/chmod og-rx /share/MD0_DATA/home/admin
fi
# Link persistent home directory to referenced home dirs in /etc/passwd
if [ ! -e "/share/homes" ]; then
ln -s /share/MD0_DATA/home /share/homes
fi
}
# Wait $SLEEP seconds or determine if the system is done booting before proceeding
SLEEP_COUNTER=0
while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do
sleep 1
let "SLEEP_COUNTER += 1"
done
/sbin/test -f $SSHD || exit 0
/sbin/test -f $TELNET || exit 0
[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp
case "$1" in
start)
if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then
echo "Starting sshd services: disabled."
else
echo -n "Starting sshd services: "
enable_openssh
generte_ssh_key
update_sshd_config
/sbin/daemon_mgr sshd start "$SSHD -f ${SSHD_CONF} -p $SSH_PORT"
echo "sshd."
touch /var/lock/subsys/sshd
fi
if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then
echo "Starting telnet services: disabled."
else
echo -n "Starting telnet services: "
/sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &"
echo "utelnetd."
touch /var/lock/subsys/utelnetd
fi
;;
stop)
echo -n "Shutting down sshd services:"
/sbin/daemon_mgr sshd stop $SSHD
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
echo -n "Shutting down telnet services:"
/sbin/daemon_mgr utelnetd stop $TELNET
rm -f /var/lock/subsys/utelnetd
echo "utelnetd"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/login.sh {start|stop|restart}"
exit 1
esac
exit 0
TS-212
Firmware 3.5.2 Build 1126T
Created with some melding of the above script with that found by default on the 3.5.2 Build 1126T firmware (on mtdblock5), the following script seems to work as intended on a TS-212.
#!/bin/sh
SLEEP_MAX=600
SSHD=/opt/sbin/sshd
TELNET=/bin/utelnetd
SSHD_CONF=/opt/etc/openssh/sshd_config
/sbin/test -f $SSHD || exit 0
/sbin/test -f $TELNET || exit 0
[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131`
TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT`
SSHKEY_CONFIG_DIR=/opt/etc/openssh
BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf`
generte_ssh_key()
{
[ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR
if [ -f /opt/bin/ssh-keygen ]; then
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key*
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/bin/touch /etc/config/ssh_key.fla
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key*
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /etc/config/ssh_key.fla
/bin/sync
fi
/bin/cmp /etc/ssh/ssh_host_rsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key 1>>/dev/null 2>>/dev/null
retrsa1=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null
retrsa2=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key 1>>/dev/null 2>>/dev/null
retdsa1=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null
retdsa2=$?
[ $retrsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key /etc/ssh/
[ $retrsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub /etc/ssh/
[ $retdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key /etc/ssh/
[ $retdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub /etc/ssh/
if [ -d /etc/config/ssh ]; then
/bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null
/bin/ln -sf /etc/config/ssh /root/.ssh
[ -f /etc/config/ssh/id_rsa ] || /bin/ln -sf ssh_host_rsa_key /etc/config/ssh/id_rsa
[ -f /etc/config/ssh/id_rsa.pub ] || /bin/ln -sf ssh_host_rsa_key.pub /etc/config/ssh/id_rsa.pub
fi
if [ "x${BOOT_CONF}" = "xTS-NASX86" ] && [ ! -f /etc/config/ssh_key.fla ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null
/usr/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/usr/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /etc/config/ssh_key.fla
fi
fi
}
update_sshd_config()
{
ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE`
if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then
/bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? != 0 ]; then
/bin/sed '107i\Subsystem sftp \/usr\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
else
/bin/grep "/usr/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? = 0 ]; then
/bin/sed "/\/usr\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
/bin/rm ${SSHD_CONF}.tmp
fi
fi
}
enable_openssh()
{
# Check to see if we already copied the old sshd
if [ ! -e /usr/sbin/sshd_orig ]; then
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd
fi
# Finally, replace the current login script if neccessary so further restarts via the web interface work
/bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null
if [ $? != 0 ]; then
if [ -e $0 ]; then
cp $0 /etc/init.d/login.sh
fi
fi
# Make sure we have a home directory on a persistent drive
# Note, this will only create the admin home directory
if [ ! -e "/share/MD0_DATA/home" ]; then
/bin/mkdir /share/MD0_DATA/home
/bin/mkdir /share/MD0_DATA/home/admin
/bin/chmod og-rx /share/MD0_DATA/home/admin
fi
# Link persistent home directory to referenced home dirs in /etc/passwd
if [ ! -e "/share/homes" ]; then
ln -s /share/MD0_DATA/home /share/homes
fi
}
# Wait $SLEEP seconds or determine if the system is done booting before proceeding
SLEEP_COUNTER=0
while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do
sleep 1
let "SLEEP_COUNTER += 1"
done
/sbin/test -f $SSHD || exit 0
/sbin/test -f $TELNET || exit 0
[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp
case "$1" in
start)
if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then
echo "Starting sshd services: disabled."
else
echo -n "Starting sshd services: "
enable_openssh
generte_ssh_key
update_sshd_config
/sbin/daemon_mgr sshd start "$SSHD -f ${SSHD_CONF} -p $SSH_PORT"
echo "sshd."
touch /var/lock/subsys/sshd
fi
if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then
echo "Starting telnet services: disabled."
else
echo -n "Starting telnet services: "
/sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &"
echo "utelnetd."
touch /var/lock/subsys/utelnetd
fi
if [ `/sbin/getcfg "TFTP Server" "Enable" -u -d FALSE` = FALSE ]; then
echo "Starting opentftpd services: disabled."
else
/etc/init.d/opentftp.sh start
fi
;;
stop)
echo -n "Shutting down sshd services:"
/sbin/daemon_mgr sshd stop $SSHD
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
echo -n "Shutting down telnet services:"
/sbin/daemon_mgr utelnetd stop $TELNET
rm -f /var/lock/subsys/utelnetd
echo "utelnetd"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/login.sh {start|stop|restart}"
exit 1
esac
exit 0
Firmware 4.0.5
It seems that the default sshd shipped with this version allows users other than admin. It is only needed to add the allowed usernames (including admin) to the AllowUsers directive in /etc/ssh/sshd_config.
AllowUsers admin USERNAME
Unfortunately, changes to that file are not persistent across reboot. Copying the modified sshd_config script to /tmp/config, and making the autorun.sh script copy it back in /etc/ssh on boot should work.
If using the Optware-provided OpenSSH is still required, the following additional changes are needed.
Sometimes between 3.5.x and 4.0.5, OpenSSH seems to have started expecting ECDSA keys. The login.sh script needs to generate them too in generte_ssh_keys [sic].
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key*
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N ""
/bin/touch /etc/config/ssh_key.fla
/bin/sync
fi
TS-419P+ with Firmware 3.6.1 Build 0302T
#!/bin/sh
SSH=/opt/sbin/sshd
TELNET=/bin/utelnetd
SSHD_CONF=/opt/etc/openssh/sshd_config
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131`
TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT`
SSHKEY_CONFIG_DIR=/opt/etc/openssh
SLEEP_MAX=300
generte_ssh_key()
{
[ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR
if [ -f /opt/bin/ssh-keygen ]; then
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ];
then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key*
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ];
then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key*
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
/bin/sync
fi
[ -d $SSHKEY_CONFIG_DIR/root ] || /bin/mkdir $SSHKEY_CONFIG_DIR/root
if [ ! -f ${SSHKEY_CONFIG_DIR}/root/id_rsa ] || [ ! -f ${SSHKEY_CONFIG_DIR}/root/id_rsa.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/root/id_rsa*
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/root/id_rsa -N ""
/bin/touch /opt/etc/openssh/root/ssh_key.fla
/bin/sync
fi
if [ -d /opt/etc/openssh ]; then
/bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null
/bin/ln -sf /opt/etc/openssh/root /root/.ssh
fi
if [ ! -f /opt/etc/openssh/ssh_key.fla ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
fi
if [ ! -f /opt/etc/openssh/root/ssh_key.fla ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/id_rsa* 2>>/dev/null
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/id_rsa -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
fi
fi
}
update_sshd_config()
{
ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE`
if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then
/bin/grep "/opt/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? != 0 ]; then
/bin/sed '107i\Subsystem sftp \/opt\/libexec\/sftp-server' ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
else
/bin/grep "/opt/libexec/sftp-server" ${SSHD_CONF} > /dev/null
if [ $? == 0 ]; then
/bin/sed "/\/opt\/libexec\/sftp-server/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
fi
}
enable_openssh()
{
# Check to see if we already copied the old sshd
if [ ! -e /usr/sbin/sshd_orig ]; then
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd
fi
# Finally, replace the current login script if neccessary so further restarts via the web interface work
/bin/grep "enable_openssh" ${SSHD_CONF} > /dev/null
if [ $? != 0 ]; then
if [ -e /tmp/login.sh ]; then
cp /tmp/login.sh /etc/init.d/login.sh
fi
fi
}
# Wait $SLEEP seconds or determine if the system is done booting before proceeding
SLEEP_COUNTER=0
while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do
sleep 1
let "SLEEP_COUNTER += 1"
done
/sbin/test -f $SSH || exit 0
/sbin/test -f $TELNET || exit 0
case "$1" in
start)
if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then
echo "Starting sshd services: disabled."
else
echo -n "Starting sshd services: "
enable_openssh
generte_ssh_key
update_sshd_config
/sbin/daemon_mgr sshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT"
echo "sshd."
touch /var/lock/subsys/sshd
fi
if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then
echo "Starting telnet services: disabled."
else
echo -n "Starting telnet services: "
/sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &"
echo "utelnetd."
touch /var/lock/subsys/utelnetd
fi
;;
stop)
echo -n "Shutting down sshd services:"
/sbin/daemon_mgr sshd stop $SSH
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
echo -n "Shutting down telnet services:"
/sbin/daemon_mgr utelnetd stop $TELNET
rm -f /var/lock/subsys/utelnetd
echo "utelnetd"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/login.sh {start|stop|restart}"
exit 1
esac
exit 0
TS-119 with 3.8.3 Build 20130426
Works with OpenSSH_5.9p1 and the QPKG-based method from <a href="Running%20Your%20Own%20Application%20at%20Startup">Running Your Own Application at Startup</a>.
#!/bin/sh
SSH=/opt/sbin/sshd
TELNET=/bin/utelnetd
SSHD_CONF=/opt/etc/openssh/sshd_config
/sbin/test -f $SSHD || exit 0
/sbin/test -f $TELNET || exit 0
[ -f "/bin/cmp" ] || ln -sf /bin/busybox /bin/cmp
SSH_PORT=`/sbin/getcfg LOGIN "SSH Port" -d 22`
DEAFULT_TELNET_PORT=`/sbin/getcfg -f /var/default LOGIN "TELNET Port" -d 13131`
TELNET_PORT=`/sbin/getcfg LOGIN "TELNET Port" -d $DEAFULT_TELNET_PORT`
SSHKEY_CONFIG_DIR=/opt/etc/openssh
BOOT_CONF=`/bin/cat /etc/default_config/BOOT.conf`
SLEEP_MAX=300
generte_ssh_key()
{
[ -d $SSHKEY_CONFIG_DIR ] || /bin/mkdir $SSHKEY_CONFIG_DIR
if [ -f /opt/bin/ssh-keygen ]; then
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key*
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key*
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
/bin/sync
fi
if [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key ] || [ ! -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key*
/opt/bin/ssh-keygen -t ecdsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
/bin/sync
fi
/bin/cmp /etc/ssh/ssh_host_rsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key 1>>/dev/null 2>>/dev/null
retrsa1=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null
retrsa2=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key 1>>/dev/null 2>>/dev/null
retdsa1=$?
/bin/cmp /etc/ssh/ssh_host_dsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub 1>>/dev/null 2>>/dev/null
retdsa2=$?
/bin/cmp /etc/ssh/ssh_host_ecdsa_key ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key 1>>/dev/null 2>>/dev/null
retecdsa1=$?
/bin/cmp /etc/ssh/ssh_host_ecdsa_key.pub ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub 1>>/dev/null 2>>/dev/null
retecdsa2=$?
[ $retrsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key /etc/ssh/
[ $retrsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key.pub /etc/ssh/
[ $retdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key /etc/ssh/
[ $retdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key.pub /etc/ssh/
[ $retecdsa1 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key /etc/ssh/
[ $retecdsa2 -eq 0 ] || /bin/cp -a ${SSHKEY_CONFIG_DIR}/ssh_host_ecdsa_key.pub /etc/ssh/
if [ -d /opt/etc/openssh ]; then
/bin/rm -rf /root/.ssh 1>>/dev/null 2>>/dev/null
/bin/ln -sf /opt/etc/openssh/root /root/.ssh
[ -f /etc/config/ssh/id_rsa ] || /bin/ln -sf ssh_host_rsa_key /etc/config/ssh/id_rsa
[ -f /etc/config/ssh/id_rsa.pub ] || /bin/ln -sf ssh_host_rsa_key.pub /etc/config/ssh/id_rsa.pub
fi
if [ "x${BOOT_CONF}" = "xTS-NASX86" ] && [ ! -f /opt/etc/openssh/ssh_key.fla ]; then
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key* 2>>/dev/null
/bin/rm -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key* 2>>/dev/null
/opt/bin/ssh-keygen -t rsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_rsa_key -N ""
/opt/bin/ssh-keygen -t dsa -f ${SSHKEY_CONFIG_DIR}/ssh_host_dsa_key -N ""
/bin/touch /opt/etc/openssh/ssh_key.fla
fi
fi
}
update_sshd_config()
{
ENABLED_SFTP=`/sbin/getcfg LOGIN "SFTP Enable" -u -d TRUE`
if [ "x${ENABLED_SFTP}" = "xTRUE" ]; then
/bin/grep "internal-sftp" ${SSHD_CONF} > /dev/null
if [ $? != 0 ]; then
/bin/sed '107i\Subsystem sftp internal-sftp' ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
else
/bin/grep "internal-sftp" ${SSHD_CONF} > /dev/null
if [ $? = 0 ]; then
/bin/sed "/internal-sftp/d" ${SSHD_CONF} > ${SSHD_CONF}.tmp
/bin/cp -f ${SSHD_CONF}.tmp ${SSHD_CONF}
fi
fi
}
enable_openssh()
{
# Check to see if we already copied the old sshd
if [ ! -e /usr/sbin/sshd_orig ]; then
mv /usr/sbin/sshd /usr/sbin/sshd_orig
cp /opt/sbin/sshd /usr/sbin/sshd
fi
# Finally, replace the current login script if necessary so further restarts via the web interface work
/bin/grep "enable_openssh" /etc/init.d/login.sh > /dev/null
if [ $? != 0 ]; then
if [ -e $0 ]; then
cp $0 /etc/init.d/login.sh
fi
fi
# Make sure we have a home directory on a persistent drive
# Note, this will only create the admin home directory
if [ ! -e "/share/HDA_DATA/home" ]; then
/bin/mkdir /share/HDA_DATA/home
/bin/mkdir /share/HDA_DATA/home/admin
/bin/chmod og-rx /share/HDA_DATA/home/admin
fi
# Link persistent home directory to referenced home dirs in /etc/passwd
if [ ! -e "/share/homes" ]; then
ln -s /share/HDA_DATA/home /share/homes
fi
}
# Wait $SLEEP seconds or determine if the system is done booting before proceeding
SLEEP_COUNTER=0
while [[ ! -e /tmp/.boot_done && $SLEEP_COUNTER -le $SLEEP_MAX ]]; do
sleep 1
let "SLEEP_COUNTER += 1"
done
case "$1" in
start)
if [ `/sbin/getcfg LOGIN "SSH Enable" -u -d TRUE` = FALSE ]; then
echo "Starting sshd services: disabled."
else
echo -n "Starting sshd services: "
enable_openssh
generte_ssh_key
update_sshd_config
/sbin/daemon_mgr sshd start "$SSH -f ${SSHD_CONF} -p $SSH_PORT"
echo "sshd."
touch /var/lock/subsys/sshd
fi
if [ `/sbin/getcfg LOGIN "TELNET Enable" -u -d FALSE` = FALSE ]; then
echo "Starting telnet services: disabled."
else
echo -n "Starting telnet services: "
/sbin/daemon_mgr utelnetd start "$TELNET -p $TELNET_PORT &"
echo "utelnetd."
touch /var/lock/subsys/utelnetd
fi
if [ `/sbin/getcfg "TFTP Server" "Enable" -u -d FALSE` = FALSE ]; then
echo "Starting opentftpd services: disabled."
else
/etc/init.d/opentftp.sh start
fi
;;
stop)
echo -n "Shutting down sshd services:"
/sbin/daemon_mgr sshd stop $SSH
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
echo -n "Shutting down telnet services:"
/sbin/daemon_mgr utelnetd stop $TELNET
rm -f /var/lock/subsys/utelnetd
echo "utelnetd"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: /etc/init.d/login.sh {start|stop|restart}"
exit 1
esac
exit 0
Configuration
Configuration files are maintained in /opt/etc/openssh, such as the sshd_config
Restarting openssh without rebooting
Once the system is setup, it might be useful to make changes to the sshd_config and restart the daemon without rebooting. You can do this one of two ways.
GUI
- Untick the box in the GUI to disable SSH and hit apply
- Re-enable and hit apply
Disabling guest account
With OpenSSH, by default all users can log in, which means that the user "guest" with the default password "guest" can also log in and this may be undesirable to you.You may then want to remove this account with "deluser guest" from the command line with the admin account Verry bad idea as at least the qnap admin webinterface and FTP stoped working on 4.0.2. By pure luck SSH still works and restoring the user fixes the problem. You can also give it a password with "passwd guest" instead.
Contributions to documentation
This howto was written by Papengut and edited by stevebow and jk42 then later re-written by patbaker82. See the Page History link for more contributors.
Note: This article overlaps with Replace ssh. The two articles should probably get merged.
<a _fcknotitle="true" href="Category:SSH">SSH</a>