Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenSSH Plugin & companion Plugin DenyHosts for unRAID 5b11+ (v6 vers available)

Featured Replies

I was able to follow you until the last step.

after trying to log on as "root" i get this responses:

 

Putty pop-up window:

PuTTY Fatal Error: Disconnected: No supported authentication methods available (server sent: publickey,keyboard-interactive)

 

Putty console:

login as: root

Server refused our key

 

unRaid LOG:

Jun 21 19:50:48 Tower sshd[2679]: Authentication refused: bad ownership or modes for directory /root/.ssh

Jun 21 19:50:48 Tower sshd[2679]: Received disconnect from 192.168.x.x: 14: No supported authentication methods available [preauth]

 

checking the /root/.shh directories i get:

root@Tower:/# ls -la
total 32
drwxr-xr-x 16 root root     0 Jun 21 19:36 ./
drwxr-xr-x 16 root root     0 Jun 21 19:36 ../
drwxrwxrwx  2 root root     0 Jun 21 18:52 bin/
drwxrwxrwx  8 root root 16384 Feb 17 18:49 boot/
drwxr-xr-x 12 root root  3380 Jun 21 18:53 dev/
drwxr-xr-x 27 root root     0 Jun 21 19:36 etc/
drwxr-xr-x  2 root root     0 Jun  3 23:17 home/
lrwxrwxrwx  1 root root    10 Jun  3 23:17 init -> /sbin/init*
drwxr-xr-x  6 root root     0 Jun 21 18:52 lib/
drwxr-xr-x  7 root root     0 Jun 21 18:52 mnt/
dr-xr-xr-x 92 root root     0 Jun 21 18:52 proc/
drwx--x---  3 root root     0 Jun 21 19:46 root/
drwxr-xr-x  2 root root     0 Nov 21  2008 sbin/
dr-xr-xr-x 12 root root     0 Jun 21 18:52 sys/
drwxrwxrwt  5 root root     0 Jun 21 19:36 tmp/
drwxr-xr-x 15 root root     0 Nov  8  2011 usr/
drwxr-xr-x 15 root root     0 Nov  8  2011 var/

 

and for the /.shh

root@Tower:~# ls -la
total 20
drwx--x---  3 root root    0 Jun 21 19:46 ./
drwxr-xr-x 16 root root    0 Jun 21 19:36 ../
-rw-------  1 root root  620 Jun 21 19:49 .bash_history
-rw-r--r--  1 root root   51 Jun 12 04:06 .bash_profile
drwxrwxrwx  2 root root    0 Jun 21 19:40 .ssh/
lrwxrwxrwx  1 root root   26 Jun 12 04:06 initconfig -> /usr/local/sbin/initconf                                    ig
-rwxr-xr-x  1 root root  171 Jun 12 04:06 mdcmd*
-rwxr-xr-x  1 root root 7565 Jun 12 04:06 mkmbr*
lrwxrwxrwx  1 root root   25 Jun 12 04:06 powerdown -> /usr/local/sbin/powerdown                                    *
lrwxrwxrwx  1 root root   18 Jun 12 04:06 samba -> /etc/rc.d/rc.samba*

  • Replies 177
  • Views 50.5k
  • Created
  • Last Reply

after setting the access rights for /root/.shh to 700 i got a bit further

root@Tower:~#chmod 700 /root/.ssh
root@Tower:~# ls -la
total 20
drwx--x---  3 root root    0 Jun 21 19:46 ./
drwxr-xr-x 16 root root    0 Jun 21 19:36 ../
-rw-------  1 root root  704 Jun 21 20:04 .bash_history
-rw-r--r--  1 root root   51 Jun 12 04:06 .bash_profile
drwx------  2 root root    0 Jun 21 19:40 .ssh/
lrwxrwxrwx  1 root root   26 Jun 12 04:06 initconfig -> /usr/local/sbin/initconfig
-rwxr-xr-x  1 root root  171 Jun 12 04:06 mdcmd*
-rwxr-xr-x  1 root root 7565 Jun 12 04:06 mkmbr*
lrwxrwxrwx  1 root root   25 Jun 12 04:06 powerdown -> /usr/local/sbin/powerdown*
lrwxrwxrwx  1 root root   18 Jun 12 04:06 samba -> /etc/rc.d/rc.samba*

 

authorized_keys

root@Tower:~/.ssh# chmod 600 authorized_keys
root@Tower:~/.ssh# ls -la
total 4
drwx------ 2 root root   0 Jun 21 19:40 ./
drwx--x--- 3 root root   0 Jun 21 19:46 ../
-rw------- 1 root root 392 Jun 21 19:40 authorized_keys

 

the unRaid log refuses connection with the quote

unRaid LOG:

Jun 21 20:10:16 Tower sshd[8922]: Received disconnect from 192.168.x.x: 14: No supported authentication methods available [preauth]

 

Putty pop-up window:

PuTTY Fatal Error: Disconnected: No supported authentication methods available (server sent: publickey,keyboard-interactive)

 

Putty console:

login as: root

Server refused our key

 

I finally managed to get SFTP running.

I think there were 3 problems:

1.) i didn't execute installpkg and never got the initial handshake before entering the Login

2.) permission rights for /root/.shh were not correct

3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session)

 

Thanks again for the assistance.

  • Author

I finally managed to get SFTP running.

I think there were 3 problems:

1.) i didn't execute installpkg and never got the initial handshake before entering the Login

2.) permission rights for /root/.shh were not correct

3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session)

 

Thanks again for the assistance.

 

:) Glad you got it working.

I finally managed to get SFTP running.

I think there were 3 problems:

1.) i didn't execute installpkg and never got the initial handshake before entering the Login

2.) permission rights for /root/.shh were not correct

3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session)

 

Thanks again for the assistance.

 

Thank you!!!  Mine is working now as well after setting the mode to 700 on the root and user .ssh directories

Now we just need the plugin to set it 700 :)

 

  • 1 month later...
  • 1 month later...

Will DenyHosts email a log report of failed or blocked attempts?

  • Author

Will DenyHosts email a log report of failed or blocked attempts?

No.  Denyhosts has the ability to email via SMTP, but I have not chosen to include this within the configurable items in the plugin.  For now Denyhosts only reports blocked attempts to syslog.

 

So is there a way to block all hosts but the few I give it?  Wanting to allow like 3 hosts and the rest block.

  • Author

So is there a way to block all hosts but the few I give it?  Wanting to allow like 3 hosts and the rest block.

 

From the sshd_config man page...

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces.  If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized.  By default, login is allowed for all users.  If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

 

Not tried it myself, but once openssh plugin is installed, check /boot(flash)/config/plugins/ssh for a file called "sshd_config".

 

Edit and add an AllowUsers line.  Something like this perhaps;

 

AllowUsers [email protected].*,1.2.3.4,5.6.7.8 [email protected].* [email protected].*

 

Stop and Start (not restart) openssh from the plugin.

 

Test.

 

 

 

Regards,

overbyrn

  • 3 months later...

Rich, Thx a lot for this plugin. Getting pubkey login to work has been quite a stuborn challenge for me, but this plugin helped a lot.

 

In the process I a small bug in the plugin, causing the .ssh dir to not be created on enable. I have attached a simple patch.

 

The plugin modified my users home dir. I had chosen /admin as home dir for my user, and the plugin redefined this to /home/admin. This threw me off course for some time. I would prefer if it would just use ~user if that dir exists. I havn't made a patch for that modification, because that's definitely a choice.

 

It turns out that the cause of my headache getting pubkey login to work, is that NONE of the directories ~user, ~user/.ssh may be group+world writable. My ~user dir was world writable because it was copied directly from flash-key. The guides I found only mentioned .ssh and authorized_keys has to be 755 or less, probably because almost nobody runs with world writable home directories :) Your plugin set the correct permissions if it created the home dir, with the patch it always sets the permissions.

 

ps: is there a better way for me to send patches? I still havn't quite learned the git/github way of things.

 

pps: /etc/rc.d/rc.ssh enable  and    /etc/rc.d/rc.ssh disable      will clear the ssh.cfg config file (when executed from shell), and cause the webgui not to start the script again, without error in syslog. Not too nice, but heck, I'm not complaining, I'm grateful for the help your plugin gave me.

 

pps: During my debugging I thought the cause was might be wrong versions of openssl. However now that it works, I have tested it with openssl versions 0.9.8n (default unRaid), 0.9.8r (slack 13.37), 0.9.8y (dynamix' choice), solibs-1.0.1e, and all work.

0001-handle-existing-homedir-with-missing-.ssh-subdir.zip

  • 3 weeks later...

Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home.

Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home.

 

If I were you I'd just keep the home directory on the cache drive and just symlink it to where you want it to be. No copying needed, and you can put the symlink command in the go script.

  • Author

Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home.

 

If I were you I'd just keep the home directory on the cache drive and just symlink it to where you want it to be. No copying needed, and you can put the symlink command in the go script.

Bit surprised to see this question as the plugin by default is designed such that once you select one or many users from the openssh plugin gui page, it creates sub-directories for each user under the plugin settings on the flash.  If you check /boot/config/plugins/ssh, there should be directory entries corresponding to the users selected in the webgui.  When the plugin starts up, if these users home directories are not present, they are created.  They're stored on the flash drive under the plugin to allow you to manually create private and public keys if you wish.  This way each user can have a set of keys stored under their own sub-directory on the flash which gets copied over upon plugin start such as during a reboot.

 

eg;

81rwoo6.png

 

What exactly is not working for you?

 

 

  • 1 month later...

I have 2 users on my v5.0.5 unraid but no users in the openssh setting page or user folder being made in the ssh folder on the flash drive. I tried reboots and stop -restart openssh, but no users there, just root. Do I need the patch at the top of this page? if so how to apply it?

  • Author

I have 2 users on my v5.0.5 unraid but no users in the openssh setting page or user folder being made in the ssh folder on the flash drive. I tried reboots and stop -restart openssh, but no users there, just root. Do I need the patch at the top of this page? if so how to apply it?

How were the users created?

The users were created after the plugin was installed, I created them on the users tab and they show up below root. I gave both users access to my shares. They do appear in the password file if I do;

cat /etc/passwd

 

EDIT: Just tried viewing settings/ssh gui in Firefox and there are my users, no time to delve deeper now, will keep you posted

  • 2 weeks later...

My install was failing...

 

root@Tower:/boot/config/plugins# installplg /boot/config/plugins/openssh_overbyrn.plg
installing plugin: openssh_overbyrn
file /tmp/plugin-prepare: successfully wrote INLINE file contents
  /bin/bash /tmp/plugin-prepare ... success
file /boot/config/plugins/ssh/ssh.png: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/plugin.images/ssh.png ... success
file /boot/config/plugins/images/device_status.png: already exists
file /boot/config/plugins/images/new_config.png: already exists
file /boot/config/plugins/images/information.png: already exists
file /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/packages/openssh/putty-0.62-i486-1rj.txz ... success
  upgradepkg --install-new /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz ...
+==============================================================================
| Skipping package putty-0.62-i486-1rj (already installed)
+==============================================================================


success
file /boot/packages/openssh-5.9p1-i486-2_slack13.37.txz: downloading from -q --no-check-certificate http://slackware.cs.utah.edu/pub/slackware/slackware-13.37/patches/packages/openssh-5.9p1-i486-2_slack13.37.txz ... bad download, deleting

 

...So I did a find and replace in the .plg file, changing openssh-5.9p1-i486-2_slack13.37.txz to openssh-5.9p1-i486-3_slack13.37.txz.  It works now :)

  • Author

My install was failing...

 

root@Tower:/boot/config/plugins# installplg /boot/config/plugins/openssh_overbyrn.plg
installing plugin: openssh_overbyrn
file /tmp/plugin-prepare: successfully wrote INLINE file contents
  /bin/bash /tmp/plugin-prepare ... success
file /boot/config/plugins/ssh/ssh.png: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/plugin.images/ssh.png ... success
file /boot/config/plugins/images/device_status.png: already exists
file /boot/config/plugins/images/new_config.png: already exists
file /boot/config/plugins/images/information.png: already exists
file /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/packages/openssh/putty-0.62-i486-1rj.txz ... success
  upgradepkg --install-new /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz ...
+==============================================================================
| Skipping package putty-0.62-i486-1rj (already installed)
+==============================================================================


success
file /boot/packages/openssh-5.9p1-i486-2_slack13.37.txz: downloading from -q --no-check-certificate http://slackware.cs.utah.edu/pub/slackware/slackware-13.37/patches/packages/openssh-5.9p1-i486-2_slack13.37.txz ... bad download, deleting

 

...So I did a find and replace in the .plg file, changing openssh-5.9p1-i486-2_slack13.37.txz to openssh-5.9p1-i486-3_slack13.37.txz.  It works now :)

Adam, thank you for reporting this as I would not have noticed this for some time.  The openssh package is the only one I don't host on Dropbox as I want users to have the peace of mind that it's being pulled from a known package repository.  Looks like the package patch revision incremented around Mar 27.

 

I have updated my plugin to reference the correct path.  As a result, the plugin will show there's an update to itself from within the unRAID webgui settings page.

 

 

Thanks,

overbyrn

  • 1 month later...
  • Author

Rich, Thx a lot for this plugin. Getting pubkey login to work has been quite a stuborn challenge for me, but this plugin helped a lot.

 

In the process I a small bug in the plugin, causing the .ssh dir to not be created on enable. I have attached a simple patch.

 

The plugin modified my users home dir. I had chosen /admin as home dir for my user, and the plugin redefined this to /home/admin. This threw me off course for some time. I would prefer if it would just use ~user if that dir exists. I havn't made a patch for that modification, because that's definitely a choice.

 

It turns out that the cause of my headache getting pubkey login to work, is that NONE of the directories ~user, ~user/.ssh may be group+world writable. My ~user dir was world writable because it was copied directly from flash-key. The guides I found only mentioned .ssh and authorized_keys has to be 755 or less, probably because almost nobody runs with world writable home directories :) Your plugin set the correct permissions if it created the home dir, with the patch it always sets the permissions.

 

ps: is there a better way for me to send patches? I still havn't quite learned the git/github way of things.

 

pps: /etc/rc.d/rc.ssh enable  and    /etc/rc.d/rc.ssh disable      will clear the ssh.cfg config file (when executed from shell), and cause the webgui not to start the script again, without error in syslog. Not too nice, but heck, I'm not complaining, I'm grateful for the help your plugin gave me.

 

pps: During my debugging I thought the cause was might be wrong versions of openssl. However now that it works, I have tested it with openssl versions 0.9.8n (default unRaid), 0.9.8r (slack 13.37), 0.9.8y (dynamix' choice), solibs-1.0.1e, and all work.

Alex, this may well be one of most delayed replies I've ever done, but I'm in the process of updating my ssh plugin to make it compatible with v6 unRAID and for completeness I remembered you had found an issue with the plugin so thought I'd seek it out and incorporate. 

 

I get what you mean I think about your pubkey login headache and viewing the patch you're basically taking out the check for existence of a home dir so that it indiscriminately sets the correct permissions.  What I've done is re-work it so that only the chown and chmod are outside of the conditional.  This way a check will still be made and only if the users home dir is missing will it create, but regardless it will set the necessary permissions on the users home directory and sub-directories.

 

With regard to the enable / disable clearing the ssh.cfg file.  That's because neither of these functions is expected to be run from command line.  Or rather, they can, but they must be fed ALL of the parameters.  These functions are what gets called from the webgui page when hitting apply with enable or disable set.  The web page passes all arguments from the fields on the webgui, so if you had run the same from command line, you'd need to emulate this activity.

 

If you're running version 6 of unRAID, I will shortly post a version that is compatible and plays nicely with the default plugin / extensions manager that Tom has included for use during install and checking for plugin updates.

 

Thanks once again and sorry for the delay in replying  ;)

Hi Overbyrn,

 

I believe I was also half a year about testing/checking your squeezeserver plugin, so I guess that makes us equal :)

 

What I've done is re-work it so that only the chown and chmod are outside of the conditional.  This way a check will still be made and only if the users home dir is missing will it create, but regardless it will set the necessary permissions on the users home directory and sub-directories.

 

v1.6 does not contain this patch, but I guess its underway. Sounds like to me you are have the following if-statement:

 

      
      if [ ! -d /home/$USERTEMP/.ssh ]; then
        mkdir -p /home/$USERTEMP/.ssh
      fi

 

This is identical in function to leaving out the if-statement if I'm not mistaken, and shorter is better in my preferred coding style (which I shall not dictate for you though :)). In version 1.6 the if-statement actually just checks -d /home/$USERTEMP/, which looks like a bug to me, as the following cp command will fail if .ssh does not exist.

 

If you're running version 6 of unRAID, I will shortly post a version that is compatible and plays nicely with the default plugin / extensions manager that Tom has included for use during install and checking for plugin updates.

 

Sounds like a good idea to just focus on version 6 (which I havn't yet updated to).

  • Author

v1.6 does not contain this patch, but I guess its underway. Sounds like to me you are have the following if-statement:

 

      
      if [ ! -d /home/$USERTEMP/.ssh ]; then
        mkdir -p /home/$USERTEMP/.ssh
      fi

 

This is identical in function to leaving out the if-statement if I'm not mistaken, and shorter is better in my preferred coding style (which I shall not dictate for you though :)). In version 1.6 the if-statement actually just checks -d /home/$USERTEMP/, which looks like a bug to me, as the following cp command will fail if .ssh does not exist.

 

I must remember to update v5 plugin with your changes.

 

As I type this I'm barely awake and the first coffee hasn't kicked in, not to mention re-reading my old code is less than desirable, but let's use the old Rubber duck debugging process of talking this through...

 

That part of the code sets up the whole /home/<user> part when the plugin config changes, is first started etc.  So that if statement is there to check for each user that's selected as an ssh user in the plugin.  On the assumption this is a first boot with plugin already installed, then that IF is responsible for checking if /home/$USERTEMP/ is present.  If missing, then it creates /home/$USERTEMP/.ssh including parent path.  In the v1.6 plugin, it then went on to chmod and chown the necessary dirs.

 

Ahh! Semi-Eureka moment.  I think I see.  So re-reading your first message with the patch, you're saying you already had a user /Admin setup and presumably already in /boot/config/passwd & /boot/config/shadow ?  And the first part of your problem is that the plugin doesn't expect a user outside of /home.  To be honest, I'd not want to change that logic as wouldn't that generally be non-standard user home behavior?

 

But then I'm assuming you accepted /home/Admin instead and that's when you hit the permission issues.  So are you still using some other scripted method to re-establish /home/Admin without letting the ssh plugin do it for you?  Assuming your Admin user has a UID over 1000, then the plugin should pick it up and let it be a valid ssh user choice.  Which takes us back to the part where the IF statement tests for the presence of /home/$USERTEMP, creates if needed and now - in the case of v6 plugin version - does no more but immediately sets the permissions regardless.  I assume this would now take account of a scenario where something outside of the plugin sets up /home/someuser and so the plugin just sets the perms. 

 

Ahh.  Second Eureka moment. That would mean /home/someuser existed, so the conditional would never be met and the creation of .ssh sub-dir is never made. 

 

Right, so then to do this properly it then becomes a case of either remove the conditional or to embed a second to perform a second test for just .ssh sub-dir. 

 

Okay, makes sense now.  Gotta love rubber ducking.  Works every time!

 

 

Yeah rubber ducking is awesome.

 

I like Jeff Atwoods message here which can be summed up as When in doubt, go with brevity: http://blog.codinghorror.com/the-best-code-is-no-code-at-all/

 

A second advise is the following (though giving advice is perhaps ridiculous on a forum thread): Watch your assumptions. It might have been true that due to some complicated interactions of code it was true that .ssh dir would exist if and only if the parent user-dir. To actually perform a test where it fails we will of cause have to think such situations through. However from the standpoint of reviewing code, the less assumptions we can make and the less code we have to read to conclude the code is sound, the better it is.

 

So what I'm trying to say here is, even if the if-statement was correct, then I would not include it because its shorter to leave it out and leaving it out requires less assumptions of previous code to verify soundness.

 

By sound I mean the code does what I intend it to do.

 

Best Alex, and thanks for taking the time to updating your scripts, its part of what keeps unRaid alive for me.

 

  • 3 months later...

Hi thank you so much for these plugins.

 

I've since updated to 64 bit unraid, and am having some troubles getting the denyHosts plugin to work. It literally just wont do anything. The config page doesn't seem to do anything for me. If i hit 'start' or 'save' or anything, it doesn't change the .cfg file, and i see nothing inside my log file either.

 

This is the only plugin i have installed (besides apcupsd - which works fine), everything else i have running via dockers. so its not conflicting python issues.

 

No idea whats happening! No other issues with any other plugins, its really odd.

  • 2 weeks later...
  • Author

Am smack in the middle of rewriting denyhosts and ssh plug-ins for v6. You're correct that denyhosts doesn't have a functioning configuration page. One of the issues is that php in v6 operates slightly differently when it comes to how screen updates work upon submitting a form. Eg when apply button is pressed. I should have denyhosts working within 24hrs. Will post an update here when done.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.