June 21, 201313 yr I was able to follow you until the last step. after trying to log on as "root" i get this responses: Putty pop-up window: PuTTY Fatal Error: Disconnected: No supported authentication methods available (server sent: publickey,keyboard-interactive) Putty console: login as: root Server refused our key unRaid LOG: Jun 21 19:50:48 Tower sshd[2679]: Authentication refused: bad ownership or modes for directory /root/.ssh Jun 21 19:50:48 Tower sshd[2679]: Received disconnect from 192.168.x.x: 14: No supported authentication methods available [preauth] checking the /root/.shh directories i get: root@Tower:/# ls -la total 32 drwxr-xr-x 16 root root 0 Jun 21 19:36 ./ drwxr-xr-x 16 root root 0 Jun 21 19:36 ../ drwxrwxrwx 2 root root 0 Jun 21 18:52 bin/ drwxrwxrwx 8 root root 16384 Feb 17 18:49 boot/ drwxr-xr-x 12 root root 3380 Jun 21 18:53 dev/ drwxr-xr-x 27 root root 0 Jun 21 19:36 etc/ drwxr-xr-x 2 root root 0 Jun 3 23:17 home/ lrwxrwxrwx 1 root root 10 Jun 3 23:17 init -> /sbin/init* drwxr-xr-x 6 root root 0 Jun 21 18:52 lib/ drwxr-xr-x 7 root root 0 Jun 21 18:52 mnt/ dr-xr-xr-x 92 root root 0 Jun 21 18:52 proc/ drwx--x--- 3 root root 0 Jun 21 19:46 root/ drwxr-xr-x 2 root root 0 Nov 21 2008 sbin/ dr-xr-xr-x 12 root root 0 Jun 21 18:52 sys/ drwxrwxrwt 5 root root 0 Jun 21 19:36 tmp/ drwxr-xr-x 15 root root 0 Nov 8 2011 usr/ drwxr-xr-x 15 root root 0 Nov 8 2011 var/ and for the /.shh root@Tower:~# ls -la total 20 drwx--x--- 3 root root 0 Jun 21 19:46 ./ drwxr-xr-x 16 root root 0 Jun 21 19:36 ../ -rw------- 1 root root 620 Jun 21 19:49 .bash_history -rw-r--r-- 1 root root 51 Jun 12 04:06 .bash_profile drwxrwxrwx 2 root root 0 Jun 21 19:40 .ssh/ lrwxrwxrwx 1 root root 26 Jun 12 04:06 initconfig -> /usr/local/sbin/initconf ig -rwxr-xr-x 1 root root 171 Jun 12 04:06 mdcmd* -rwxr-xr-x 1 root root 7565 Jun 12 04:06 mkmbr* lrwxrwxrwx 1 root root 25 Jun 12 04:06 powerdown -> /usr/local/sbin/powerdown * lrwxrwxrwx 1 root root 18 Jun 12 04:06 samba -> /etc/rc.d/rc.samba*
June 21, 201313 yr after setting the access rights for /root/.shh to 700 i got a bit further root@Tower:~#chmod 700 /root/.ssh root@Tower:~# ls -la total 20 drwx--x--- 3 root root 0 Jun 21 19:46 ./ drwxr-xr-x 16 root root 0 Jun 21 19:36 ../ -rw------- 1 root root 704 Jun 21 20:04 .bash_history -rw-r--r-- 1 root root 51 Jun 12 04:06 .bash_profile drwx------ 2 root root 0 Jun 21 19:40 .ssh/ lrwxrwxrwx 1 root root 26 Jun 12 04:06 initconfig -> /usr/local/sbin/initconfig -rwxr-xr-x 1 root root 171 Jun 12 04:06 mdcmd* -rwxr-xr-x 1 root root 7565 Jun 12 04:06 mkmbr* lrwxrwxrwx 1 root root 25 Jun 12 04:06 powerdown -> /usr/local/sbin/powerdown* lrwxrwxrwx 1 root root 18 Jun 12 04:06 samba -> /etc/rc.d/rc.samba* authorized_keys root@Tower:~/.ssh# chmod 600 authorized_keys root@Tower:~/.ssh# ls -la total 4 drwx------ 2 root root 0 Jun 21 19:40 ./ drwx--x--- 3 root root 0 Jun 21 19:46 ../ -rw------- 1 root root 392 Jun 21 19:40 authorized_keys the unRaid log refuses connection with the quote unRaid LOG: Jun 21 20:10:16 Tower sshd[8922]: Received disconnect from 192.168.x.x: 14: No supported authentication methods available [preauth] Putty pop-up window: PuTTY Fatal Error: Disconnected: No supported authentication methods available (server sent: publickey,keyboard-interactive) Putty console: login as: root Server refused our key
June 21, 201313 yr I finally managed to get SFTP running. I think there were 3 problems: 1.) i didn't execute installpkg and never got the initial handshake before entering the Login 2.) permission rights for /root/.shh were not correct 3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session) Thanks again for the assistance.
June 21, 201313 yr Author I finally managed to get SFTP running. I think there were 3 problems: 1.) i didn't execute installpkg and never got the initial handshake before entering the Login 2.) permission rights for /root/.shh were not correct 3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session) Thanks again for the assistance. Glad you got it working.
June 24, 201313 yr I finally managed to get SFTP running. I think there were 3 problems: 1.) i didn't execute installpkg and never got the initial handshake before entering the Login 2.) permission rights for /root/.shh were not correct 3.) the private/public keys started to function after regenerating them (and cleaning up messed up Putty settings for the saved old SSH session) Thanks again for the assistance. Thank you!!! Mine is working now as well after setting the mode to 700 on the root and user .ssh directories Now we just need the plugin to set it 700
August 3, 201312 yr Author Updated OpenSSH and Denyhosts plugin versions. Minor change to fix plugin name truncation when using new UnRAID webgui. More info here: http://lime-technology.com/forum/index.php?topic=28788.msg256470#msg256470
September 10, 201312 yr Author Will DenyHosts email a log report of failed or blocked attempts? No. Denyhosts has the ability to email via SMTP, but I have not chosen to include this within the configurable items in the plugin. For now Denyhosts only reports blocked attempts to syslog.
September 17, 201312 yr So is there a way to block all hosts but the few I give it? Wanting to allow like 3 hosts and the rest block.
September 18, 201312 yr Author So is there a way to block all hosts but the few I give it? Wanting to allow like 3 hosts and the rest block. From the sshd_config man page... AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. Not tried it myself, but once openssh plugin is installed, check /boot(flash)/config/plugins/ssh for a file called "sshd_config". Edit and add an AllowUsers line. Something like this perhaps; AllowUsers [email protected].*,1.2.3.4,5.6.7.8 [email protected].* [email protected].* Stop and Start (not restart) openssh from the plugin. Test. Regards, overbyrn
January 13, 201412 yr Rich, Thx a lot for this plugin. Getting pubkey login to work has been quite a stuborn challenge for me, but this plugin helped a lot. In the process I a small bug in the plugin, causing the .ssh dir to not be created on enable. I have attached a simple patch. The plugin modified my users home dir. I had chosen /admin as home dir for my user, and the plugin redefined this to /home/admin. This threw me off course for some time. I would prefer if it would just use ~user if that dir exists. I havn't made a patch for that modification, because that's definitely a choice. It turns out that the cause of my headache getting pubkey login to work, is that NONE of the directories ~user, ~user/.ssh may be group+world writable. My ~user dir was world writable because it was copied directly from flash-key. The guides I found only mentioned .ssh and authorized_keys has to be 755 or less, probably because almost nobody runs with world writable home directories Your plugin set the correct permissions if it created the home dir, with the patch it always sets the permissions. ps: is there a better way for me to send patches? I still havn't quite learned the git/github way of things. pps: /etc/rc.d/rc.ssh enable and /etc/rc.d/rc.ssh disable will clear the ssh.cfg config file (when executed from shell), and cause the webgui not to start the script again, without error in syslog. Not too nice, but heck, I'm not complaining, I'm grateful for the help your plugin gave me. pps: During my debugging I thought the cause was might be wrong versions of openssl. However now that it works, I have tested it with openssl versions 0.9.8n (default unRaid), 0.9.8r (slack 13.37), 0.9.8y (dynamix' choice), solibs-1.0.1e, and all work. 0001-handle-existing-homedir-with-missing-.ssh-subdir.zip
January 28, 201412 yr Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home.
January 29, 201412 yr Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home. If I were you I'd just keep the home directory on the cache drive and just symlink it to where you want it to be. No copying needed, and you can put the symlink command in the go script.
January 30, 201412 yr Author Does anyone know how to persist the home directory between reboots? Currently I just copy everything off to my cache drive and then back after reboot. But if something goes wrong I lose everything in roots home. If I were you I'd just keep the home directory on the cache drive and just symlink it to where you want it to be. No copying needed, and you can put the symlink command in the go script. Bit surprised to see this question as the plugin by default is designed such that once you select one or many users from the openssh plugin gui page, it creates sub-directories for each user under the plugin settings on the flash. If you check /boot/config/plugins/ssh, there should be directory entries corresponding to the users selected in the webgui. When the plugin starts up, if these users home directories are not present, they are created. They're stored on the flash drive under the plugin to allow you to manually create private and public keys if you wish. This way each user can have a set of keys stored under their own sub-directory on the flash which gets copied over upon plugin start such as during a reboot. eg; What exactly is not working for you?
March 29, 201412 yr I have 2 users on my v5.0.5 unraid but no users in the openssh setting page or user folder being made in the ssh folder on the flash drive. I tried reboots and stop -restart openssh, but no users there, just root. Do I need the patch at the top of this page? if so how to apply it?
March 29, 201412 yr Author I have 2 users on my v5.0.5 unraid but no users in the openssh setting page or user folder being made in the ssh folder on the flash drive. I tried reboots and stop -restart openssh, but no users there, just root. Do I need the patch at the top of this page? if so how to apply it? How were the users created?
March 29, 201412 yr The users were created after the plugin was installed, I created them on the users tab and they show up below root. I gave both users access to my shares. They do appear in the password file if I do; cat /etc/passwd EDIT: Just tried viewing settings/ssh gui in Firefox and there are my users, no time to delve deeper now, will keep you posted
April 8, 201412 yr My install was failing... root@Tower:/boot/config/plugins# installplg /boot/config/plugins/openssh_overbyrn.plg installing plugin: openssh_overbyrn file /tmp/plugin-prepare: successfully wrote INLINE file contents /bin/bash /tmp/plugin-prepare ... success file /boot/config/plugins/ssh/ssh.png: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/plugin.images/ssh.png ... success file /boot/config/plugins/images/device_status.png: already exists file /boot/config/plugins/images/new_config.png: already exists file /boot/config/plugins/images/information.png: already exists file /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/packages/openssh/putty-0.62-i486-1rj.txz ... success upgradepkg --install-new /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz ... +============================================================================== | Skipping package putty-0.62-i486-1rj (already installed) +============================================================================== success file /boot/packages/openssh-5.9p1-i486-2_slack13.37.txz: downloading from -q --no-check-certificate http://slackware.cs.utah.edu/pub/slackware/slackware-13.37/patches/packages/openssh-5.9p1-i486-2_slack13.37.txz ... bad download, deleting ...So I did a find and replace in the .plg file, changing openssh-5.9p1-i486-2_slack13.37.txz to openssh-5.9p1-i486-3_slack13.37.txz. It works now
April 8, 201412 yr Author My install was failing... root@Tower:/boot/config/plugins# installplg /boot/config/plugins/openssh_overbyrn.plg installing plugin: openssh_overbyrn file /tmp/plugin-prepare: successfully wrote INLINE file contents /bin/bash /tmp/plugin-prepare ... success file /boot/config/plugins/ssh/ssh.png: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/plugin.images/ssh.png ... success file /boot/config/plugins/images/device_status.png: already exists file /boot/config/plugins/images/new_config.png: already exists file /boot/config/plugins/images/information.png: already exists file /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz: downloading from -q --no-check-certificate https://dl.dropbox.com/u/572553/UnRAID/packages/openssh/putty-0.62-i486-1rj.txz ... success upgradepkg --install-new /boot/config/plugins/ssh/putty-0.62-i486-1rj.txz ... +============================================================================== | Skipping package putty-0.62-i486-1rj (already installed) +============================================================================== success file /boot/packages/openssh-5.9p1-i486-2_slack13.37.txz: downloading from -q --no-check-certificate http://slackware.cs.utah.edu/pub/slackware/slackware-13.37/patches/packages/openssh-5.9p1-i486-2_slack13.37.txz ... bad download, deleting ...So I did a find and replace in the .plg file, changing openssh-5.9p1-i486-2_slack13.37.txz to openssh-5.9p1-i486-3_slack13.37.txz. It works now Adam, thank you for reporting this as I would not have noticed this for some time. The openssh package is the only one I don't host on Dropbox as I want users to have the peace of mind that it's being pulled from a known package repository. Looks like the package patch revision incremented around Mar 27. I have updated my plugin to reference the correct path. As a result, the plugin will show there's an update to itself from within the unRAID webgui settings page. Thanks, overbyrn
May 19, 201412 yr Author Rich, Thx a lot for this plugin. Getting pubkey login to work has been quite a stuborn challenge for me, but this plugin helped a lot. In the process I a small bug in the plugin, causing the .ssh dir to not be created on enable. I have attached a simple patch. The plugin modified my users home dir. I had chosen /admin as home dir for my user, and the plugin redefined this to /home/admin. This threw me off course for some time. I would prefer if it would just use ~user if that dir exists. I havn't made a patch for that modification, because that's definitely a choice. It turns out that the cause of my headache getting pubkey login to work, is that NONE of the directories ~user, ~user/.ssh may be group+world writable. My ~user dir was world writable because it was copied directly from flash-key. The guides I found only mentioned .ssh and authorized_keys has to be 755 or less, probably because almost nobody runs with world writable home directories Your plugin set the correct permissions if it created the home dir, with the patch it always sets the permissions. ps: is there a better way for me to send patches? I still havn't quite learned the git/github way of things. pps: /etc/rc.d/rc.ssh enable and /etc/rc.d/rc.ssh disable will clear the ssh.cfg config file (when executed from shell), and cause the webgui not to start the script again, without error in syslog. Not too nice, but heck, I'm not complaining, I'm grateful for the help your plugin gave me. pps: During my debugging I thought the cause was might be wrong versions of openssl. However now that it works, I have tested it with openssl versions 0.9.8n (default unRaid), 0.9.8r (slack 13.37), 0.9.8y (dynamix' choice), solibs-1.0.1e, and all work. Alex, this may well be one of most delayed replies I've ever done, but I'm in the process of updating my ssh plugin to make it compatible with v6 unRAID and for completeness I remembered you had found an issue with the plugin so thought I'd seek it out and incorporate. I get what you mean I think about your pubkey login headache and viewing the patch you're basically taking out the check for existence of a home dir so that it indiscriminately sets the correct permissions. What I've done is re-work it so that only the chown and chmod are outside of the conditional. This way a check will still be made and only if the users home dir is missing will it create, but regardless it will set the necessary permissions on the users home directory and sub-directories. With regard to the enable / disable clearing the ssh.cfg file. That's because neither of these functions is expected to be run from command line. Or rather, they can, but they must be fed ALL of the parameters. These functions are what gets called from the webgui page when hitting apply with enable or disable set. The web page passes all arguments from the fields on the webgui, so if you had run the same from command line, you'd need to emulate this activity. If you're running version 6 of unRAID, I will shortly post a version that is compatible and plays nicely with the default plugin / extensions manager that Tom has included for use during install and checking for plugin updates. Thanks once again and sorry for the delay in replying
May 19, 201412 yr Hi Overbyrn, I believe I was also half a year about testing/checking your squeezeserver plugin, so I guess that makes us equal What I've done is re-work it so that only the chown and chmod are outside of the conditional. This way a check will still be made and only if the users home dir is missing will it create, but regardless it will set the necessary permissions on the users home directory and sub-directories. v1.6 does not contain this patch, but I guess its underway. Sounds like to me you are have the following if-statement: if [ ! -d /home/$USERTEMP/.ssh ]; then mkdir -p /home/$USERTEMP/.ssh fi This is identical in function to leaving out the if-statement if I'm not mistaken, and shorter is better in my preferred coding style (which I shall not dictate for you though ). In version 1.6 the if-statement actually just checks -d /home/$USERTEMP/, which looks like a bug to me, as the following cp command will fail if .ssh does not exist. If you're running version 6 of unRAID, I will shortly post a version that is compatible and plays nicely with the default plugin / extensions manager that Tom has included for use during install and checking for plugin updates. Sounds like a good idea to just focus on version 6 (which I havn't yet updated to).
May 20, 201412 yr Author v1.6 does not contain this patch, but I guess its underway. Sounds like to me you are have the following if-statement: if [ ! -d /home/$USERTEMP/.ssh ]; then mkdir -p /home/$USERTEMP/.ssh fi This is identical in function to leaving out the if-statement if I'm not mistaken, and shorter is better in my preferred coding style (which I shall not dictate for you though ). In version 1.6 the if-statement actually just checks -d /home/$USERTEMP/, which looks like a bug to me, as the following cp command will fail if .ssh does not exist. I must remember to update v5 plugin with your changes. As I type this I'm barely awake and the first coffee hasn't kicked in, not to mention re-reading my old code is less than desirable, but let's use the old Rubber duck debugging process of talking this through... That part of the code sets up the whole /home/<user> part when the plugin config changes, is first started etc. So that if statement is there to check for each user that's selected as an ssh user in the plugin. On the assumption this is a first boot with plugin already installed, then that IF is responsible for checking if /home/$USERTEMP/ is present. If missing, then it creates /home/$USERTEMP/.ssh including parent path. In the v1.6 plugin, it then went on to chmod and chown the necessary dirs. Ahh! Semi-Eureka moment. I think I see. So re-reading your first message with the patch, you're saying you already had a user /Admin setup and presumably already in /boot/config/passwd & /boot/config/shadow ? And the first part of your problem is that the plugin doesn't expect a user outside of /home. To be honest, I'd not want to change that logic as wouldn't that generally be non-standard user home behavior? But then I'm assuming you accepted /home/Admin instead and that's when you hit the permission issues. So are you still using some other scripted method to re-establish /home/Admin without letting the ssh plugin do it for you? Assuming your Admin user has a UID over 1000, then the plugin should pick it up and let it be a valid ssh user choice. Which takes us back to the part where the IF statement tests for the presence of /home/$USERTEMP, creates if needed and now - in the case of v6 plugin version - does no more but immediately sets the permissions regardless. I assume this would now take account of a scenario where something outside of the plugin sets up /home/someuser and so the plugin just sets the perms. Ahh. Second Eureka moment. That would mean /home/someuser existed, so the conditional would never be met and the creation of .ssh sub-dir is never made. Right, so then to do this properly it then becomes a case of either remove the conditional or to embed a second to perform a second test for just .ssh sub-dir. Okay, makes sense now. Gotta love rubber ducking. Works every time!
May 21, 201412 yr Yeah rubber ducking is awesome. I like Jeff Atwoods message here which can be summed up as When in doubt, go with brevity: http://blog.codinghorror.com/the-best-code-is-no-code-at-all/ A second advise is the following (though giving advice is perhaps ridiculous on a forum thread): Watch your assumptions. It might have been true that due to some complicated interactions of code it was true that .ssh dir would exist if and only if the parent user-dir. To actually perform a test where it fails we will of cause have to think such situations through. However from the standpoint of reviewing code, the less assumptions we can make and the less code we have to read to conclude the code is sound, the better it is. So what I'm trying to say here is, even if the if-statement was correct, then I would not include it because its shorter to leave it out and leaving it out requires less assumptions of previous code to verify soundness. By sound I mean the code does what I intend it to do. Best Alex, and thanks for taking the time to updating your scripts, its part of what keeps unRaid alive for me.
August 27, 201411 yr Hi thank you so much for these plugins. I've since updated to 64 bit unraid, and am having some troubles getting the denyHosts plugin to work. It literally just wont do anything. The config page doesn't seem to do anything for me. If i hit 'start' or 'save' or anything, it doesn't change the .cfg file, and i see nothing inside my log file either. This is the only plugin i have installed (besides apcupsd - which works fine), everything else i have running via dockers. so its not conflicting python issues. No idea whats happening! No other issues with any other plugins, its really odd.
September 10, 201411 yr Author Am smack in the middle of rewriting denyhosts and ssh plug-ins for v6. You're correct that denyhosts doesn't have a functioning configuration page. One of the issues is that php in v6 operates slightly differently when it comes to how screen updates work upon submitting a form. Eg when apply button is pressed. I should have denyhosts working within 24hrs. Will post an update here when done.
Archived
This topic is now archived and is closed to further replies.