Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenSSH Plugin & companion Plugin DenyHosts for unRAID 5b11+ (v6 vers available)

Featured Replies

Ok, thanks. I'll give it a try.

  • Replies 177
  • Views 50.5k
  • Created
  • Last Reply
  • Author

What's the best way to upgrade the installed plugin?

 

Delete the old /boot.config/plugins/openssh_xxxx.plg file and then do an installplg on the new version?

Correct.  The safest approach is to only delete /boot/config/plugins/openssh_xxx.plg file.  Don't delete the openssh folder as this contains your existing config and server keys.  The change I made in 0.6 to run regardless of the array status only affects plugin files created during (re)install.  So deleting the plugin and rebooting with new version in-place will do the job.

I tried doing as in the first post and this is what i get:

 

Warning: simplexml_load_file(): I/O warning : failed to load external entity "/boot/config/plugins/opensshd-0.6-i486-rj.plg" in /usr/local/sbin/installplg on line 13
xml parse error

  • Author

I tried doing as in the first post and this is what i get:

 

Warning: simplexml_load_file(): I/O warning : failed to load external entity "/boot/config/plugins/opensshd-0.6-i486-rj.plg" in /usr/local/sbin/installplg on line 13
xml parse error

 

That error comes up when you try to run installplg with a wrong path.  For example, when I try to install a plugin that does not exist with either this name or at this location, I get the same message:

root@Tower:/tmp# installplg /boot/config/plugins/madeupname.plg

installing plugin: madeupname

 

Warning: simplexml_load_file(): I/O warning : failed to load external entity "/boot/config/plugins/madeupname.plg" in /usr/local/sbin/installplg on line 13

xml parse error

root@Tower:/tmp#

 

Make sure you have saved the file to the location you intended.  Then recheck the command you are typing as something is wrong with where you have saved it and what you are typing to install it.

 

 

Well i kind of doublechecked everything....i am saving using windows explorer and then copying through network to flash drive.

 

Edit: I even  tried saving directly from internet explorer to flash drive.

 

If i run from mc this is what i get:

 

root@MOVIESERVER:/boot/config/plugins# ./opensshd-0.6-i486-rj.xml
./opensshd-0.6-i486-rj.xml: line 1: syntax error near unexpected token `newline'
./opensshd-0.6-i486-rj.xml: line 1: `<?xml version='1.0' standalone='yes'?>'

Ok i got the problem, Internet Explorer (i though so!) automatically save this file as xml and not plg!

 

 

#$%##% MS  >:(

  • Author

Yea, watch out for saving plugin files.  Make sure they're .plg file extensions.

 

Also, even though it sounds like you've fixed it, you need to be aware that you don't generally install plugins by just putting the plugin filename on the command line. 

 

You have to type "installplg" before the filename.

 

eg.

installplg opensshd-0.6-i486-rj.xml

 

 

 

 

Yes, i did it. Everything is working now ok.

Does max_auth_retries also apply to password entry?

 

Or you can retry password access (if it is enabled ofcourse), unlimited number of times?

 

Thanks

Thanks

  • 2 months later...

 

DO NOT USE AN EXISTING USER ALREADY DEFINED IN UNRAID FOR OPENSSH.  IN THE OPENSSH PLUGIN, ENTER A TOTALLY NEW USER DEDICATED ONLY TO OPENSSH

 

 

Will a future version of this plugin allow existing unRAID users to be given SSH access?  I'm currently using the unmenu version of OpenSSH - for which I'm comfortable manually creating users/groups, managing SSH access and allow access via sudoers etc.  However, I'd be interested in switching should your plugin allow creating SSH access for existing users.

For what exactly do I need the ssh user?

 

Do I have to create the user via webinterface or can I use a script with the "useradd" command so that this user doesn't show up in the WebGUI (looks better  8))?

  • Author

 

DO NOT USE AN EXISTING USER ALREADY DEFINED IN UNRAID FOR OPENSSH.  IN THE OPENSSH PLUGIN, ENTER A TOTALLY NEW USER DEDICATED ONLY TO OPENSSH

 

 

Will a future version of this plugin allow existing unRAID users to be given SSH access?  I'm currently using the unmenu version of OpenSSH - for which I'm comfortable manually creating users/groups, managing SSH access and allow access via sudoers etc.  However, I'd be interested in switching should your plugin allow creating SSH access for existing users.

 

The simple answer is, it might. 

 

The long answer is that I did rewrite the plugin some time ago as the above warning not to use an existing user was due to the hacky way I coded the script (it deletes and readds the user upon a change as at the time I couldn't find a suitable way to assign the hashed password).  The rewritten version overcomes this and no longer needs to delete the user.  In theory it could be extended to using existing users but I don't have a clear view on how that functionality should be done.  If you have ideas, I'm all ears.  For instance, lets assume the plugin enumerates a list of existing users from that stored in /etc/passwd.  After weeding out 'system' users, we're left with the possibility of users that were created inside unRAID webgui and users created by other means such as another plugin or the system owner.  What logic should be used to safely compile a list of users that SSH can use?  Should I assume a GUID >= 1000 is a suitable user?

 

The message above by seim is also a perfect example of my uncertainly in how to do this.  Here someone doesn't want to clutter up the WebGUI with users.  I get that, but then I think unRAID has a user add function for a reason and doing things outside of this goes against the UnRAID standard (if there is such a thing). 

 

I'm happy to have a go at it when time permits, but before I do I'd like yourself and others to give me input on the best approach.

 

 

Regards,

overbyrn

Personally, I would like functionality on the main users page in the webgui (eg a check box to add SSH access to that user) - however, that's not an option for various reasons.

 

I think a suitable alternative would be to list the (current unRAID) users in your plugin config page and be able to select which users have SSH access - this would make user management simpler.  Some people may also want to create an SSH only user.

 

As for determining non-system users - usually UID >= 1000 are non-system users but this can be configured so may not be exact in all cases...  I can't see a reason why an unRAID user would change these values - but for the sake of not hard coding , you could get the values from /etc/login.defs 

 

EG:

 

/etc/login.defs

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN          1000
UID_MAX          60000
# System accounts
SYS_UID_MIN          101
SYS_UID_MAX          999

 

EDIT:Typo

Well it might not be a good idea, but I usually log in as root, because there's nothing I wanna do via SSH that does not require root access. So I have the sshuser only because it won't start without..

 

I took a look in your .plg file and yeah.. I'm not sure where exactly you specify the sshuser as valid and any other as invalid for login with ssh.

Fourthermore the user is created by an 'useradd' command in some .php file, which is kinda interesting, because when I create a user by myself in the commandline it doesn't show up in the WebGUI, and the one that gets created by your script it does..

Is root login with private/public key pairs impossible with this plugin?

The reason I ask is because I have some scripts I run remotely which need to be run as root, and thus require passwordless login with private/public key pairs...

I use the unmenu version of openssh, but I'd like to move all the unmenu addon packages to the unRAID 5 plugin system.

 

same here

Just change the x to a y in that filename and correct the md5.

 

Thanks for the help. That fixed it. The plugin would have worked fine if the repository had left the older version of that file (and MD5) up there. Hope there is nothing in the new version that breaks anything.

I installed this plugin and I can now ssh in using public key encryption. I would not have been able to figure this out on my own, so I want to let the authors know how much I appreciate their work.

 

Thank you!

Is root login with private/public key pairs impossible with this plugin?

The reason I ask is because I have some scripts I run remotely which need to be run as root, and thus require passwordless login with private/public key pairs...

I use the unmenu version of openssh, but I'd like to move all the unmenu addon packages to the unRAID 5 plugin system.

 

Can't you just telnet into root once logged in via ssh? That's what I do when I need to do something as root.

Is root login with private/public key pairs impossible with this plugin?

The reason I ask is because I have some scripts I run remotely which need to be run as root, and thus require passwordless login with private/public key pairs...

I use the unmenu version of openssh, but I'd like to move all the unmenu addon packages to the unRAID 5 plugin system.

 

Can't you just telnet into root once logged in via ssh? That's what I do when I need to do something as root.

 

Telnet is not safe when connectiong remotely.

Also I think it's strange that in the OP it lists "root login with password" as possible, but "root login with private/public key pairs" not possible?

The first is clearly the more insecure alternative of them two...

In my book, and i guess in everyone else who's concerned about safety, private/public key pairs trump passwords...

 

 

Telnet is not safe when connectiong remotely.

Also I think it's strange that in the OP it lists "root login with password" as possible, but "root login with private/public key pairs" not possible?

The first is clearly the more insecure alternative of them two...

In my book, and i guess in everyone else who's concerned about safety, private/public key pairs trump passwords...

 

Its harder to do private/public key with root as the home directory is not persistent across reboots....

 

Personally I ssh as sshuser (which I have set up with a persistent home directory) and then just su my way to root if needed..  Although I must work out why I can't do somethings as sshuser that I can with other users..

 

Chris

 

Telnet is not safe when connectiong remotely.

Also I think it's strange that in the OP it lists "root login with password" as possible, but "root login with private/public key pairs" not possible?

The first is clearly the more insecure alternative of them two...

In my book, and i guess in everyone else who's concerned about safety, private/public key pairs trump passwords...

 

Its harder to do private/public key with root as the home directory is not persistent across reboots....

 

Personally I ssh as sshuser (which I have set up with a persistent home directory) and then just su my way to root if needed..  Although I must work out why I can't do somethings as sshuser that I can with other users..

 

Chris

 

Well, I have modified my go script to copy the files in the .ssh directory from their backup location on the flash drive ("/boot/scripts/root/.ssh/" in my case) to the /root/.ssh directory during startup.

 

It should not be hard to modify the plugin to support key pairs for the root user.

It would be nice to have support for root login with key pairs, as it's safer than root login with password.

 

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.