Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenSSH Plugin & companion Plugin DenyHosts for unRAID 5b11+ (v6 vers available)

Featured Replies

Thanks for making this!

 

Decided to give this a shot, originally had the unMenu OpenSSH plugin installed. Disabled that one, rebooted and installed this one. Running into a slight snag though.

 

Specified user SSH in the settings page (not an existing user), started the plugin.

 

I notice that the appropriate folders are created in the /home/SSH/.ssh directory with an authorized_keys file

 

Despite this I am not able to login either with a keys file or with the username SSH /password combination. I've tried enabling password authentication and restarting the plugin to no avail.  Oddly enough I am able to login using my old key pair under the user root.  I know using the old unMENU package file I would have to manually edit the authorized_keys file located in /root/.ssh when adding new keys.

 

Any thoughts on how to get this up and running with a non-root login? Thanks!

  • Replies 177
  • Views 50.5k
  • Created
  • Last Reply
  • Author

Sounds like you're almost there in terms of being able to login with a key pair.  The plugin checks for and if non-existant, generates a key pair inside the plugin dir on your flash drive.  If everything went as planned, you should have two files "id_rsa", "id_rsa.pub" in /boot/config/plugins/openssh.  The plugin takes "id_rsa.pub" and creates a copy as /home/{sshuser}/.ssh/authorized_keys.

 

Assuming you're using putty to ssh into UnRAID, all you should need to do is create an entry in putty for your unRAID server, make sure it's set to SSH and from the options tree go to Connection->SSH->Auth.  Browse for your private key, which in this case is "/boot/config/plugins/openssh/id_rsa".

 

That should be all you need to do for putty to login and authenticate using the key pair.

 

If in doubt, stop the plugin, delete id_rsa and id_rsa.pub from your flash drive and restart the plugin.  It'll generate a new key pair.

 

Give that a shot and let me know if you're still getting problems.

 

I've tried deleting the id_rsa/id_rsa.pub files and restarting the plugin to generate a new key pair, no dice. I am still able to login with an old key pair under the username root that I generated with the previous openSSH plugin, but no luck when I try to use the generated id_rsa file in the plugin directory to login with associated user SSH.  Also tried coverting the file to a ppk file with Puttygen, again no luck :(

 

Oddly even though Password authentication is enabled I am unable to use the SSH Username/password combination that I specified in the plugin...

  • Author

I've tried deleting the id_rsa/id_rsa.pub files and restarting the plugin to generate a new key pair, no dice. I am still able to login with an old key pair under the username root that I generated with the previous openSSH plugin, but no luck when I try to use the generated id_rsa file in the plugin directory to login with associated user SSH.  Also tried coverting the file to a ppk file with Puttygen, again no luck :(

 

Oddly even though Password authentication is enabled I am unable to use the SSH Username/password combination that I specified in the plugin...

 

Sorry for the slow reply, been a tad busy until now.  I'll try to reproduce here as can't immediately see what the issue is.  Realised I'd missed out the part about converting id_rsa through puttygen after I'd hit submit but didn't go back to re-edit the post.  Glad you figured that step out.

 

It's strange that you can't login with just password even though it's enabled.  OpenSSH is picky where keys are concerned as even when they're in the correct location with the right name, if the ownership and permissions are not set exactly, then an SSH key session will fail.

 

I'll do some testing here and let you know if I find anything.  If not, then we'll probably need to strip everything out and start again as something odd or unplanned must be happening.

 

Would like to get to the bottom of it and fix it, especially if it highlights an issue within the plugin.

  • Author

@wewantrice, to follow up on my last post.  I have gone through all the steps to install openssh v0.4 plugin to a vanilla unraid system and successfully created a user which at first could ssh in using putty by password only, then after generating ppk file from id_rsa and adding to putty entry, able to login using key pair authentication.  Then, I stopped ssh from webgui, turned off password authentication and restarted ssh.  Trying to login again using key pair putty session was successful.  Lastly I removed the key file from the putty entry and tried once more to login where I got (correctly) a message saying there was no supported authentication methods available.

 

At this point I think that I can say the plugin seems to be working okay. 

 

I can only suggest something unique with your system is causing the trouble.  Is this the first time you have configured OpenSSH?  eg. have you only used the plugin done by me or have you previously perhaps used it from the unMenu package?  Just want to make sure nothing else is trying to install and configure OpenSSH.

 

I suggest removing the openssh plugin config dir from your flash drive (/boot/config/plugins/openssh), delete the .plg file and re-download a fresh copy of the v0.4 from the original post in this thread.  Reboot your UnRAID which will clear down any remaining ssh entries such as /home/user and /etc/ssh. 

 

If you wish, you can also delete "openssh-5.9p1-i486-2_slack13.37.txz" and "openssl-solibs-0.9.8x-i486-1.txz" from your /packages dir on flash drive so as to let the plugin re-download them.

 

After a reboot, make sure openssh plugin is in the unRAID webgui and start it with everything left as default including the user and password.

 

At this point, you should be able to create a putty entry and login as the user / pass combo.  If this works, then generate the putty .ppk version of private key from /boot/config/plugins/openssh/id_rsa source file.  Try to login with this.

 

 

Regards,

overbyrn

 

 

 

Hi all though mostly overbyrn,

 

It's nice with a plugin for ssl, ssh and denyhosts. However I don't like that the plugin downloads the ssl from a non-trusted location, and especially that it does not contain a checksum that I can verify against a 'more trusted' source.

 

I found a openssl 0.9.8x here:

http://slackware.cs.utah.edu/pub/slackware/slackware-13.1/patches/packages/

but I guess you made changes. Maybe I missed it from the thread, but if not, could you please fill me in on what are the changes and why they were necessary?

 

Cheers Alex

  • Author

Hi Alex,

 

Thank you for the nudge.  I have been meaning to change the plugin so that the OpenSSH files are downloaded from a Slackware source and not my own Dropbox.  A while back someone noticed the plugin had stopped working due to openssl-solibs-0.9.8x-i486-1.txz no longer being available at the location the plugin used.  At the time I briefly searched for a version to link to, but I could only find earlier or later versions, so I quickly amended the plugin to point to my local copy.

 

I do not have to change the package in any way, so thanks to your link I have amended the plugin so that it once again gets the file from the Slackware source and I have also included it's MD5 checksum.

 

The OP post has been updated with new version 0.5 of the plugin to reflect the change.

 

I've quickly tested it here and everything seems to work okay.

 

 

Regards,

overbyrn

  • 2 weeks later...

Hey thanks for the help, finally got it up and running. Just read about Authy today. http://goo.gl/dmcdL

 

Essentially it's an API that allows the addition of two factor authentication to any existing SSH installation. It does this through an authenticated app on your cell phone or via text message to a registered phone. You can install it via a simple bash script, which I've managed to do and it seems to work pretty well. Any thoughts on integrating something like this into a plugin? Having an extra layer of security never seems like a bad thing these days. Thanks for all your hard work!

  • 4 weeks later...

When stopping the array OpenSSH is stopped as well. Is there a way to keep this plugin from stopping when stopping the array as this is the only way I have of troubleshooting errors if the array fails to stop?

 

Cheers

  • Author

When stopping the array OpenSSH is stopped as well. Is there a way to keep this plugin from stopping when stopping the array as this is the only way I have of troubleshooting errors if the array fails to stop?

 

Cheers

rm /usr/local/emhttp/plugins/openssh/event/unmounting_disks

 

The above will not survive a reboot. 

 

For that, a change to the plugin file is necessary.  Delete lines 503 thru 512 from 'opensshd-0.5-i486-rj.plg'.  This will prevent the event handler file from being created which is what stops openssh when the array is stopped.

 

 

I guess I could add that to the go config also?

How do i test that the denyhosts plugin is working? i have the free version of unraid and installed both the ssh and denyhost plugin and started them. when i click on the running link from the denyhost webui plugin i can see a log that never updates. its last lines are:

2012-09-27 10:27:16,015 - denyhosts : INFO restricted: set([])
2012-09-27 10:27:16,016 - denyhosts : INFO launching DenyHosts daemon (version 2.6)...
2012-09-27 10:27:16,022 - denyhosts : INFO DenyHosts daemon is now running, pid: 32361
2012-09-27 10:27:16,023 - denyhosts : INFO send daemon process a TERM signal to terminate cleanly
2012-09-27 10:27:16,023 - denyhosts : INFO eg. kill -TERM 32361
2012-09-27 10:27:16,024 - denyhosts : INFO monitoring log: /var/log/syslog
2012-09-27 10:27:16,024 - denyhosts : INFO sync_time: 3600
2012-09-27 10:27:16,025 - denyhosts : INFO daemon_purge: 3600
2012-09-27 10:27:16,025 - denyhosts : INFO daemon_sleep: 30
2012-09-27 10:27:16,026 - denyhosts : INFO purge_sleep_ratio: 120
2012-09-27 10:27:16,026 - denyhosts : INFO denyhosts synchronization disabled

 

I tried incorrectly logging into my ssl connection 6 times until it maxed out and i dont see any entry logs about those failed connections. I just want to make sure its running correctly.

When stopping the array OpenSSH is stopped as well. Is there a way to keep this plugin from stopping when stopping the array as this is the only way I have of troubleshooting errors if the array fails to stop?

 

Cheers

rm /usr/local/emhttp/plugins/openssh/event/unmounting_disks

 

The above will not survive a reboot. 

 

For that, a change to the plugin file is necessary.  Delete lines 503 thru 512 from 'opensshd-0.5-i486-rj.plg'.  This will prevent the event handler file from being created which is what stops openssh when the array is stopped.

 

HA!!! I just ran into this issue myself when shaking down 5.0rc8a.  I put the array into maintenance mode and then I couldn't SSH in.  I asked and they said "talk to the plugin dev" but I never got around to it.  Thanks for this.  And yeah i think it is worth changing the plug-in because being able to SSH while in maintenance mode would be kind of useful vice being forced to go to the server, especially if it is headless and telnet has been disabled for security reasons.

  • Author

When stopping the array OpenSSH is stopped as well. Is there a way to keep this plugin from stopping when stopping the array as this is the only way I have of troubleshooting errors if the array fails to stop?

 

Cheers

rm /usr/local/emhttp/plugins/openssh/event/unmounting_disks

 

The above will not survive a reboot. 

 

For that, a change to the plugin file is necessary.  Delete lines 503 thru 512 from 'opensshd-0.5-i486-rj.plg'.  This will prevent the event handler file from being created which is what stops openssh when the array is stopped.

 

HA!!! I just ran into this issue myself when shaking down 5.0rc8a.  I put the array into maintenance mode and then I couldn't SSH in.  I asked and they said "talk to the plugin dev" but I never got around to it.  Thanks for this.  And yeah i think it is worth changing the plug-in because being able to SSH while in maintenance mode would be kind of useful vice being forced to go to the server, especially if it is headless and telnet has been disabled for security reasons.

 

I agree.  I'll amend the plugin so that it remains online when the array is unmounted.  Watch for a new version soon.

  • Author

How do i test that the denyhosts plugin is working?

 

The SSHD rules for when it logs a failed attempt to the syslog can be a bit awkward to understand.

 

From the sshd_config man page:

    MaxAuthTries

    Specifies the maximum number of authentication attempts permitted

    per connection.  Once the number of failures reaches half this

    value, additional failures are logged.  The default is 6.

 

MaxAuthTries can be set within the OpenSSH config page.  I tend to set mine to 3.  In this case, every failure over the third, you should see that reflected in the syslog. 

 

Then you've got DenyHosts own thresholds on top of that.  The config value "DENY_THRESHOLD_INVALID" is set to 5.  So DenyHosts needs to see at least 5 failures in the syslog before it denies that host.

 

The Denyhosts log should update at least once an hour as there's an hourly process whereby it checks for old denied entries and purges if it's older than 1 week.

 

I suggest you lower your MaxAuthRetries right down, then for whatever number you've chosen, fail to login that number of times.  Check your syslog for signs of those failures.  Then repeat upto 5 times.  DenyHosts checks the syslog every 30seconds, so you should see that reflected as an entry in DenyHosts own log file.

 

 

great explanation, thanks.

 

so stupid question. If SSH allows x number of attempts before writing a failure in the syslog, couldn't a "hacker" just attempt one password and then reconnect to completely remove DenyHost from the equation. (unless your MaxAuthTries is set to 1).

  • Author

so stupid question. If SSH allows x number of attempts before writing a failure in the syslog, couldn't a "hacker" just attempt one password and then reconnect to completely remove DenyHost from the equation. (unless your MaxAuthTries is set to 1).

In it's current form, you're correct.  Unless you dropped MaxAuthTries down to one and lowered DenyHosts DENY_THRESHOLD_INVALID value, then someone could potentially fail to login once, drop the authentication session and re-try. 

 

At that point I think it comes down to taking at long hard look as who you're protecting yourself against and what you're doing to secure the system.  We all accept that opening up a system to the Internet comes with a risk.  If you decide to take that risk, then all you can do is harden your system as best as possible.

 

DenyHosts (and similar tools such as Fail2Ban) are there to add an extra layer into SSH and help keep out some of the crazies.  They're great for catching brute force attempts which by their nature scan for and when found, cycle through a dictionary of well known passwords.  A determined hacker may spend more time trying to access one system, in which case you need to consider what else you're doing to prevent unauthorised access such as turning off password authentication and using a private/public key set.

 

Suggest you look at creating a private/public key pair.  There's plenty of information on the net including sites which will generate them for you.  Once you've created the private & public files, save a copy of the public file to the plugin's folder on flash (/boot/config/plugins/openssh).  Make sure you name the file "id_rsa.pub".  The plugin should pick this up and put it into the correct location upon install/reboot or disable/enable.  Depends on how you then intend to connect using SSH.  If you plan to use a tool like Putty, you'll need to create a putty .ppk version of the private key.  PuttyGen is your friend. 

 

You may not want to use keys, but I figure I'd mention it in case it's useful to someone else reading this thread.

 

 

 

 

 

excellent, thanks for the info. As a novice to linux and security concepts, this post goes well above and beyond.

  • 1 month later...
  • Author

Finally got around to amending the plugin as mentioned in an earlier post.

 

Now OpenSSH will continue to run regardless of whether the array is running or stopped.

 

Updated original post with link to new version v0.6

Thanks for that.  Really appreciate the effort.

  • 3 weeks later...

Finally got around to amending the plugin as mentioned in an earlier post.

 

Now OpenSSH will continue to run regardless of whether the array is running or stopped.

 

Updated original post with link to new version v0.6

 

What's the best way to upgrade the installed plugin?

 

Delete the old /boot.config/plugins/openssh_xxxx.plg file and then do an installplg on the new version?

How do you access WebGui?

 

I have installed this plugin from unmenu.....what next?

 

Thanks

  • Author

How do you access WebGui?

 

I have installed this plugin from unmenu.....what next?

 

Thanks

The unmenu version is not the same as plugin.  They are two totally different versions, installed in different ways.  Please follow the installation instructions on the first post on how to install SSH using the plugin.  Then you will see and be able to control some of the main settings for SSH from the webgui.

So i should uninstall it from unmenu then? ...

 

  • Author

I've never installed openssh from unmenu and don't know what configuration options exist.  Check to see if it covers your needs and if you decide to try the plugin, I think it would be best to disable or uninstall openssh from the unmenu package manager, do a clean reboot and then install the plugin as per the first post of this thread.

 

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.