Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenSSH Plugin & companion Plugin DenyHosts for unRAID 5b11+ (v6 vers available)

Featured Replies

Edit: 19th May 2014

All, I am currently experimenting with a version of the SSH plugin which is compatible with unRAID v6.  As of unRAID version 6, SSH is now baked in.  However at the time of writing, the configuration of SSH is pretty basic and although perhaps Tom intends to add more later, I thought it might be an idea to extend the current feature set so that some more of the SSH settings were manageable from inside the webgui, as they are if running my OpenSSH plugin on unRAID v5 systems. 

 

I've mainly written this as a way to learn how Tom has structured the new plugin / extensions part and how it can be used to install and update plugins.  As such, it should be possible to install using the webgui. 

 

Go to unRAID webGui -> Extensions:

3aaBNt2.png

 

Enter https://github.com/overbyrn/unRAID6/raw/master/ssh.plg into the Install Extension box and press the Install button.  A window should open showing the plugin installation taking place.

 

Re-enter the Extension page and go to plugins.  The newly installed plugin should show in the list of installed plugins:

 

JzM6BpZ.png

 


 

Edit: 29th March 2013

 

I have completely re-written the SSH plug-in.  As such all of the details in this first post have been removed as most of them are now irrelevant.

 

Please head over to my GitHub page for the plug-in.  I have provided full instructions and a detailed explanation of the plug-in on GitHub. 

 

Key highlights of the new plug-in;

  • multiple users can be selected for SSH
  • user *root* can be used
  • full integration with standard UnRAID user management web page.  eg. users created in UnRAID are presented as options in SSH plug-in
  • Support for per user private / public key pair.  Creation of keys is done at command line, but full steps are listed including how to convert private OpenSSH key to compatible Putty key.  PuttyGen for linux is also included, ensuring everything can be done from your UnRAID system
  • Internal plug-in updates.  Plug-in will report if new version found, giving option to perform an update from within itself
  • Removal of dependency package "OpenSSL-solibs".  Only OpenSSH package is needed.  This removes any current issues where later plugins (SimpleFeatures 1.0.11 I'm looking at you), use later ssl packages.

 

Here are the relevant links:

 

Direct link to the plugin: https://github.com/overbyrn/UnRAID/raw/master/openssh_overbyrn.plg

 

Full installation instructions on my main GitHub page https://github.com/overbyrn/UnRAID

 

 

As always, please feedback any issues found to this thread.  Also if you have any ideas for enhancements, fixes etc.

 

 

Kind Regards,

overbyrn

  • Replies 177
  • Views 50.5k
  • Created
  • Last Reply
  • Author

Updated - 30th March 2013

 

Just as with OpenSSh, I have completely re-written the DenyHosts plug-in. 

 

Please head over to my GitHub page for the plug-in. 

 

Key highlight of the new plug-in is that the majority of DenyHosts config options can be controlled from the webgui.  Due to the nature of the DenyHosts parameters, some explanation of each setting was needed, so I have included some information for each setting within the webgui...

 

QoXgkRZ.png

 

 

Here are the relevant links:

 

Direct link to the plugin: https://github.com/overbyrn/UnRAID/raw/master/denyhosts_overbyrn.plg

 

Full installation instructions on my main GitHub page https://github.com/overbyrn/UnRAID

 

 

As always, please feedback any issues found to this thread.  Also if you have any ideas for enhancements, fixes etc.

 

 

NB: if you are running SimpleFeatures Email Notify Plugin version 1.0.10, you will need to make a simple small change to that plugin as it attempts to "prune" some unused directories.  Unfortunately the prune is a too aggressive and removes a directory belonging to python which is needed when installing beets (or other python packages).

 

To fix this, open simpleFeatures.email.notify-1.0.10-noarch-1.plg".  On line 13, change the following from:

<!ENTITY prune "true"><!-- set to "false" to suppress pruning -->

to

<!ENTITY prune "false"><!-- set to "false" to suppress pruning -->

Reboot for the change to take effect.

 

 

 

 

 

Kind Regards,

overbyrn

THANK YOU!!!!

 

Not sure what I've been doing wrong for so long, but I never did get the public key thing to work with my non-root users. This did it (and showed me the few little things I missed).

 

DenyHosts is a great idea too. I've had it running by a script for a while, but your plugin is a much nicer way of doing this.

 

Anyways, nice work here.

Hmm, looks like this causes some problems if you make the user "nobody".  Just an FYI.

  • Author

Hmm... user "nobody" doesn't have shell access, so that might be an issue.

 

Thankfully I chose not to copy /etc/passwd and /etc/shadow to /boot/config to have the user survive a reboot.  So if it did stuff up user nobody, then a reboot and new user selection in the SSH WebGUI settings page should fix it.

 

I've added a check in the WebGUI to prevent entering root or nobody.  First post amended with new version of plugin.

 

 

I just noticed tonight that I've been getting lots of seg faults related to crond when I have this plugin enabled.  Here's an example:

 

Jun 17 21:26:01 Tower ntpd[1122]: new interface(s) found: waking up resolver

Jun 17 21:26:01 Tower crond[1145]: exit status 1 from user root /usr/lib/sa/sa1 1 1

Jun 17 21:26:01 Tower kernel: crond[8005]: segfault at b77cd51c ip b77cd51c sp bfa848f8 error 15 in ld-2.11.1.so[b77cd000+1000]

Jun 17 21:26:37 Tower init: Re-reading inittab

Jun 17 21:26:43 Tower logger: Installing audio codecs

Jun 17 21:27:19 Tower logger: Installing virtualbox

Jun 17 21:27:29 Tower logger: Installing flexget

Jun 17 21:28:01 Tower crond[1145]: exit status 1 from user root /usr/lib/sa/sa1 1 1

Jun 17 21:28:01 Tower kernel: crond[25889]: segfault at b77cd51c ip b77cd51c sp bfa848f8 error 15 in ld-2.11.1.so (deleted)[b77cd000+1000]

 

If I disable the plugin and restart, all is well. I can use the openssh package via unmenu without any issues, so I'm not sure what could be the problem here. Very strange.  I'm using the latest RC4 of unraid, if it matters...

This is some awesome work.  Thanks so much.

  • Author

I just noticed tonight that I've been getting lots of seg faults related to crond when I have this plugin enabled.  Here's an example:

 

Jun 17 21:26:01 Tower ntpd[1122]: new interface(s) found: waking up resolver

Jun 17 21:26:01 Tower crond[1145]: exit status 1 from user root /usr/lib/sa/sa1 1 1

Jun 17 21:26:01 Tower kernel: crond[8005]: segfault at b77cd51c ip b77cd51c sp bfa848f8 error 15 in ld-2.11.1.so[b77cd000+1000]

Jun 17 21:26:37 Tower init: Re-reading inittab

Jun 17 21:26:43 Tower logger: Installing audio codecs

Jun 17 21:27:19 Tower logger: Installing virtualbox

Jun 17 21:27:29 Tower logger: Installing flexget

Jun 17 21:28:01 Tower crond[1145]: exit status 1 from user root /usr/lib/sa/sa1 1 1

Jun 17 21:28:01 Tower kernel: crond[25889]: segfault at b77cd51c ip b77cd51c sp bfa848f8 error 15 in ld-2.11.1.so (deleted)[b77cd000+1000]

 

If I disable the plugin and restart, all is well. I can use the openssh package via unmenu without any issues, so I'm not sure what could be the problem here. Very strange.  I'm using the latest RC4 of unraid, if it matters...

 

botez, you're right.  I've looked into it and it seems GLIBC 2.15 is the culprit.  Not wholly familiar with what GLIBC provides, although from the package, it does contain a lot of shared lib files and makes a fair few changes/updates at the /usr/lib level.  Enough to make me nervous anyway.

 

So for now, I've reverted the plugin to using OpenSSH v5.9p1 which doesn't have the dependency on GLIBC 2.15.

 

I've amended the plugin to v0.3 and linked in the first post.

 

It's probably best when you get a chance to reboot your server to wipe out the GLIBC stuff, grab the plugin new version and let it install v5.9 of OpenSSH instead.  I've done similar here and so far over the course of today I've not seen the cron segfaults show up.  Give it a try and report back.  Hopefully the errors will go for you also.

 

looks like I have to stop and start the service in order for other changes to take effect.  Is that just the way it is, or is that a bug?  Not that I expect to do that often, but i was just testing out "Permit Root Login" to prove it works and noticed it.

 

Otherwise, thanks.  Great work.

  • Author

looks like I have to stop and start the service in order for other changes to take effect.  Is that just the way it is, or is that a bug?  Not that I expect to do that often, but i was just testing out "Permit Root Login" to prove it works and noticed it.

 

Otherwise, thanks.  Great work.

By design only in so much as whilst learning to write a plugin, I examined existing plugins and for the most part they all tended to follow a similar process of when Apply is hit, the config is saved and behind the scenes another php page is called which does the grunt work of configuring and starting stopping the service.  Usually nothing is done other than save the config if the service is already running, so to make a change active, a stop is needed and then a start which again calls the config/start code.

 

Not sure what it'd take to implement the change you mention.  I'd happily do it, if it wasn't too much work but off the top of my head I'm already asking myself how to decide what changes to allow and if the answer is some then why not all and if all then that could include a user change and probably a fair few extra checks and thne I'd probably have to decide how to restart the SSH process so that it either a) kills all current connections and reloads new config or b) kills SSH process and reloads without closing existing SSH sessions.

 

Hmm...

 

"Possibly" simpler solution ... add a NOTICE to the web gui letting people know that changes will not take affect until the service is restarted?  add a restart button?  Include a WARNING that all active SSH sessions will be terminated?

 

But like I said, not raelly an issue people have to deal with often i would think, so I can't see any benefit to going all comlicated unless you just want the challenge.  But letting users know they need to restart at the least would help a lot [shrug].

Hi,

 

I'm on a Mac and had a short struggle with this but got it to work. Thought I'd share what happened.

 

After installation I tried to login but got this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the RSA host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##.        (## stands for numbers and letters like in MAC addresses)

Please contact your system administrator.

Add correct host key in /Users/username/.ssh/known_hosts to get rid of this message.

Offending key in /Users/username/.ssh/known_hosts:7

RSA host key for ##.#.#.## has changed and you have requested strict checking.  (## stands for my IP number of the tower)

Host key verification failed.

 

what I had to do was edit the file 'known_hosts' and delete the IP number and everything that followed the IP# (a very long string...)

after that I was able to login - a "first time login" including "Are you sure you want to continue connecting (yes/no)?"

 

to get to the file I opened the finder, clicked Go (menu), then 'Go to Folder' and entered '/Users/username/.ssh/' (replace username with your username)

maybe this helps some newbie like myself

This plugin made some mess in my unRaid 5.0-rc5. First I didn't know what is going on, but later I discovered that after I enabled the plugin, my /sbin directory disappeared.

 

This is how my root dir looks like after enabling the plugin:

drwxr-xr-x  2 root root    0 2011-01-31 05:33 bin/
drwxrwxrwx  4 root root 4096 1970-01-01 01:00 boot/
drwxr-xr-x 12 root root 3300 2012-06-24 23:16 dev/
drwxr-xr-x 25 root root    0 2012-06-24 23:21 etc/
drwxr-xr-x  3 root root    0 2012-06-24 23:21 home/
lrwxrwxrwx  1 root root   10 2012-06-21 01:57 init -> /sbin/init
drwxr-xr-x  6 root root    0 2012-06-24 23:19 lib/
drwxr-xr-x  8 root root    0 2012-06-24 23:16 mnt/
dr-xr-xr-x 79 root root    0 2012-06-24 23:16 proc/
drwx--x---  3 root root    0 2012-06-24 23:17 root/
drwxr-xr-x 12 root root    0 2012-06-24 23:16 sys/
drwxrwxrwt  5 root root    0 2012-06-24 23:20 tmp/
drwxr-xr-x 12 root root    0 2011-11-08 03:52 usr/
drwxr-xr-x 15 root root    0 2011-11-08 03:52 var/

This plugin made some mess in my unRaid 5.0-rc5. First I didn't know what is going on, but later I discovered that after I enabled the plugin, my /sbin directory disappeared.

 

 

could this have anything to do with a strage behavior of my unRAID (5.0-beta14)?

I got never ending repetitions of

sh: /usr/sbin/hdparm: No such file or directory

  • Author

This plugin made some mess in my unRaid 5.0-rc5. First I didn't know what is going on, but later I discovered that after I enabled the plugin, my /sbin directory disappeared.

 

This is how my root dir looks like after enabling the plugin:

drwxr-xr-x  2 root root    0 2011-01-31 05:33 bin/
drwxrwxrwx  4 root root 4096 1970-01-01 01:00 boot/
drwxr-xr-x 12 root root 3300 2012-06-24 23:16 dev/
drwxr-xr-x 25 root root    0 2012-06-24 23:21 etc/
drwxr-xr-x  3 root root    0 2012-06-24 23:21 home/
lrwxrwxrwx  1 root root   10 2012-06-21 01:57 init -> /sbin/init
drwxr-xr-x  6 root root    0 2012-06-24 23:19 lib/
drwxr-xr-x  8 root root    0 2012-06-24 23:16 mnt/
dr-xr-xr-x 79 root root    0 2012-06-24 23:16 proc/
drwx--x---  3 root root    0 2012-06-24 23:17 root/
drwxr-xr-x 12 root root    0 2012-06-24 23:16 sys/
drwxrwxrwt  5 root root    0 2012-06-24 23:20 tmp/
drwxr-xr-x 12 root root    0 2011-11-08 03:52 usr/
drwxr-xr-x 15 root root    0 2011-11-08 03:52 var/

 

p4xel, are you running any other plugins?  Can you provide a copy of the log file (/var/log/plugins/openssh)?  Can you recall what steps you took during the plugin installation.  Something that might help provide a clue as at the moment I do not understand how the plugin could affect your system unless it is not compatible in some way with later versions of Unraid.  I did my development and testing on 5.0-beta 12a as that is what I still currently run.

 

Furthermore, in order to ensure the current plugin is ok, before writing this reply, I performed an installation of the plugin (v0.4) as from my OP onto a fresh installation of 5.0-beta 12a.  Everything worked as expected, the plugin installed, I configured and enabled through the WebGUI and nothing strange happened to the /sbin directory.

 

I currently don't have a later version of UnRAID 5 to try it on.  I will try to install 5.0-rc5 later if time permits, but in the meantime I welcome more information from you as to better understand if there is a problem or incompatibility with the plugin.

 

EDIT: Working fine on a fresh 5.0-rc5 installation.  You're going to have to provide some more information if we're to confirm the root cause of your problem is this plugin, as at the moment I'm struggling to see how the plugin can cause what you've described.

 

 

 

 

That's exactly what I was thinking while I struggled with this problem. After I narrowed the problem to tis plugin I did a fresh installation of 5.0-rc5 with no other plugins installed. I ran installplg through telnet and up to this point it was all OK, but after I enabled the plugin it messed up /sbin. I have no idea how and why. I will try to recreate the issue and provide some logs.

  • Author

That's exactly what I was thinking while I struggled with this problem. After I narrowed the problem to tis plugin I did a fresh installation of 5.0-rc5 with no other plugins installed. I ran installplg through telnet and up to this point it was all OK, but after I enabled the plugin it messed up /sbin. I have no idea how and why. I will try to recreate the issue and provide some logs.

 

Ok, I think I've worked it out.  The plugin does not work well if an existing user is chosen.  I'd already put in a basic check to prevent the obvious culprits - root & nobody - but it needs the checking extended so that any user already present on the UnRAID system is not allowed to be chosen for use in the OpenSSH plugin. 

 

When a user is created from within the regular Users tab of the UnRAID webgui, it's assigned a home directory of / and a shell of /bin/false so that it's not possible to telnet in with the user.

 

OpenSSH needs a user which has its own home directory eg. /home/fred in order to create the needed .ssh sub-directory for the public host keys.

 

The code for the user creation part of the plugin uses a delete & re-create logic as it was easiest at the time.  This is too dangerous in its present form as when run against an existing user, it attempts to remove the home dir, which in this case is / if it's an existing user. 

 

I'll put in a proper user check as soon as I can.  In the meantime, the #1 Golden Rule is :

 

DO NOT USE AN EXISTING USER ALREADY DEFINED IN UNRAID FOR OPENSSH.  IN THE OPENSSH PLUGIN, ENTER A TOTALLY NEW USER DEDICATED ONLY TO OPENSSH

 

I'll put a warning to that effect on the OP until I've put in some better checking.

 

 

Just wanted to say thanks. I installed this a few weeks ago and it's been working great.

  • 2 weeks later...

The code for the user creation part of the plugin uses a delete & re-create logic as it was easiest at the time.  This is too dangerous in its present form as when run against an existing user, it attempts to remove the home dir, which in this case is / if it's an existing user. 

 

overbyrn, your script comments mention it being difficult to remove an account password; and that being the reason for an account delete/re-create.  Have you considered using "passwd --delete <username>"?

  • Author

overbyrn, your script comments mention it being difficult to remove an account password; and that being the reason for an account delete/re-create.  Have you considered using "passwd --delete <username>"?

 

Vince, nice catch.  I missed that param from passwd.  I think I can use that instead of the ugly userdel command.  Will hopefully have time over the weekend.  Many Thanks!

 

I've just been blocked from my own server while at work. Does DenyHosts have a timeout (1 hour)? Or do I need to wait until I get home to reset it? Do I just remove the IP address from /etc/hosts.deny?

  • Author

I've just been blocked from my own server while at work. Does DenyHosts have a timeout (1 hour)? Or do I need to wait until I get home to reset it? Do I just remove the IP address from /etc/hosts.deny?

harry,

 

DenyHosts has an hourly purge routine, but it's bad news I'm afraid as regardless if you've configured SSH to allow root or non-root logins, the following two parameters decide how long must pass before clearing an existing denied entry;

 

AGE_RESET_VALID = 5 days.  This parameter determines how long to wait before resetting a valid (in /etc/passwd) non-root user.

AGE_RESET_ROOT = 25 days.  As above but for user root.

 

How you fix this depends on where your plugin work dir is.  If like me you've put it on persistent storage such as a cache drive, then you'll have a file called "allowed-hosts" in the work dir location.

 

Mine looks like;

root@Tower:/mnt/cache/.services/denyhosts# more allowed-hosts
# the following line prevents denyhosts from blocking these addresses
158.234.6.10
192.168.0.*

 

You can use this to mask IP ranges which will never get denied.

 

If you already have your work dir on persistent storage, then you need to do more than edit /etc/hosts.deny.

 

From the DenyHosts FAQ:

How can I remove an IP address that DenyHosts blocked?

 

If you have been accidentally locked out of one of your hosts (because DenyHosts has added it to /etc/hosts.deny you may have noticed that simply removing it from /etc/hosts.deny does not in itself correct the issue) since DenyHosts keeps track of the attempts in the WORK_DIR files. In order to cleanse the address you will need to do the following:

 

    Stop DenyHosts

    Remove the IP address from /etc/hosts.deny

    Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.

    Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.

    Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.

    Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.

    Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.

    (optional) Consider adding the IP address to WORK_DIR/allowed-hosts

    Start DenyHosts

 

Note: Not all of the WORK_DIR files will contain the IP address so you may want to use grep to determine which files contain the IP address.

 

If however you've installed the work dir to ramFS such as /usr/local/denyhosts, then the simplest way is to reboot UnRAID as it'll clear the syslog and DenyHosts logs will start fresh without anything being denied.

 

Maybe it's time I exposed some of the settings through the UnRAID webgui.  I was just being lazy and took a one-size-fits-all approach  ;)

 

 

Regards,

overbyrn

Overbyrn,

 

That's for the extensive reply. I think the reboot will be the easiest option ;)

 

Don't go changing what you've got on my account. I didn't realise, but starting an SSH login and then closing it before entering any details counts towards an incorrect login.

 

Harry

  • Author

dexn, thanks for the heads up.  Was silly of me to map to the current Slackware location as that was bound to change at some point.

 

Have modified the plugin to reference the same version solibs from my local Dropbox copy until I'm at a PC and able to find a valid link and/or test a working later version.

 

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.