docgyver

SSH and Denyhosts updated for v6.1


Hopefully this is the right place for posting new/updated plugins.

 

For a long time I have been using the ssh plugin for installing (and now just persisting settings for) ssh. By sheer luck (not sure good or bad) I jumped from v5 straight to v6.1. Due to the security improvements in v6.1 the current copy of the only ssh plugin I was aware of did not work.

 

I saw both in the support thread and github repo that people were asking about updates and so I decided to fix the plugin for myself and post a patch.  Since then I learned that the maintainer seems to have either taken a break or been otherwise busy.  I'm studiously avoiding naming the person since I don't know if there are political mines that I'm stepping around but will say I am very grateful for his initial work on creating the plugin.  Without that effort I am sure I would not have forked the copy and started maintaining it.

 

You can find my version of both the SSH and DenyHosts plugins here.

 

Note the other plugins by the previous author are also there but HAVE NOT BEEN UPDATED IN ANY WAY.  Indeed the support files will still be pulled from the original fork's release/download folders even if you grab the .plg file from my repo.

 

It is my belief that most if not all of the rest should be docker containers and may indeed already be such.  As I learn more about them I will update my main github page to point people in the right direction to find those containers or give my condolences.  I expect that will be the Community Applications plugin and/or CA support page.

 

I'm not new to unRaid but I am new to developing for it so I welcome constructive feedback and will respond as quickly as my time will allow to any issues people have with the plugins I'm maintaining.

Since I think these posts can be edited I will update this list here when and if I update the other items that I forked.

 

Currently maintaining:

  • ssh
  • DenyHosts

 

 

DocGyver..

Link to post

Yes, finally! Thanks! Been waiting for this. :) Installed both plugins and testing them now on 6.1.9. One thing tho, puttygen isn't installed with the ssh plugin like it says in the readme, at least it wasn't when I tried. So I ended up using puttygen on my Windows install to convert the private key to putty format. I guess I could have installed it in unraid cause the putty-0.64-x86_64-1rj.txz is included but I didn't know how to, so Windows was the fastest way to solve it.

 

Edit: Also, Denyhosts doesn't show all the "text options" on the dark theme so I don't know what the settings are for, have to switch to white theme to see them.


Link to post

I'm going to move this to the 6.1 Verified forum, but please send me a PM if anyone discovers an incompatibility that I haven't yet.

Link to post

I'm going to move this to the 6.1 Verified forum, but please send me a PM if anyone discovers an incompatibility that I haven't yet.

So did you already test it with the PhAzE plugin mentioned in the link I gave above?

 

I can well remember the bad old days of v5 when syslogs were full of plugins installing one version of something, then another plugin comes in and deletes all that so it can install a different version.

Link to post

I'm going to move this to the 6.1 Verified forum, but please send me a PM if anyone discovers an incompatibility that I haven't yet.

So did you already test it with the PhAzE plugin mentioned in the link I gave above?

 

I can well remember the bad old days of v5 when syslogs were full of plugins installing one version of something, then another plugin comes in and deletes all that so it can install a different version.

Nope. Don't care about plugin to plugin compat. Just that it works on 6.1.

Link to post

Thank you for upgrading this to v6.1!

 

I'm receiving an error when the daemon is trying to purge hosts.deny. Do I need to change permissions in my /etc directory to allow DenyHosts to write to the file?

 

The denyhosts.out log is:

2016-04-05 07:57:45,772 - denyhosts   : INFO     new denied hosts: ['113.183.70.101', '113.190.244.206', '193.201.227.175', '185.110.132.54', '14.182.86.235']
2016-04-05 07:58:15,802 - denyfileutil: INFO     purging entries older than: Tue Mar 22 07:58:15 2016
2016-04-05 07:58:15,803 - denyfileutil: WARNING  [Errno 13] Permission denied: '/etc/hosts.deny.purge.bak'
2016-04-05 07:58:15,803 - root        : ERROR    [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/DenyHosts/deny_hosts.py", line 241, in sleepAndPurge
    purge_time)
  File "/usr/lib64/python2.7/site-packages/DenyHosts/denyfileutil.py", line 145, in __init__
    purged_hosts = self.create_temp(self.get_data())
  File "/usr/lib64/python2.7/site-packages/DenyHosts/denyfileutil.py", line 218, in create_temp
    raise e
IOError: [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'

Link to post

I just noticed that myself yesterday.  Been going on in my logs for quite some time too.  Looks like it only happens on start but you will likely see a permissions issue on sync-hosts more regularly.  It looks like I was getting it each time denyhosts detected a new suspicious event.

 

I noticed that denyhosts was running as "sudo -h nobody" and nobody would not have access to /etc files. Yesterday I removed the sudo, which broke things, then changed it to just sudo without the "-h nobody" and it has been running fine.

 

As best I can tell the original author's intent behind using sudo is/was two-fold.  I am almost certain he was trying to orphan the daemon.  Without the sudo the web page never returns after you click "start".

 

The second possible reason is to lower the privilege of the daemon. If that was the intent it must have been that /etc/hosts.deny (et al.) had different permissions and/or ownership in the past.

 

For my use I'm ok with the daemon running as root so I've updated the plg file.  If you "check for updates" on your plugins you should see the new version now.

Link to post

Is this a plugin I need?

 

I don't have the port for SSH forwarded outside my LAN, so like would DenyHosts really do anything for me? I'm asking because I really don't know if it's a good additional measure or a waste given my set up?

Link to post

If you don't open up SSH to the outside via a Port Forward, "DMZ Host Forward", or some other means then your risk is fairly low that you would have attackers.

Denyhosts monitoring then becomes, as you imply, one more thing to clean up, monitor, ignore, ... 

 

This may come off a bit "tin-foil hat" but one thing to keep in mind is that our IOT (internet of things) devices are notoriously bad about security.  At some point they will likely become beach-head or bot-net "infected" devices.  If you want to control your light bulbs from your phone you should consider adding them and all other IOT devices to their own network.

</tin-foil>

 

Adding the SSH plugin may be something you want to consider if for no other reason it helps with setting up public-key style auth.  It sucks to have to type a complicated password for my unraid when I'm on my tablet. :-)

 

hth,

 

doc..

Link to post

If you don't open up SSH to the outside via a Port Forward, "DMZ Host Forward", or some other means then your risk is fairly low that you would have attackers.

Denyhosts monitoring then becomes, as you imply, one more thing to clean up, monitor, ignore, ... 

 

This may come off a bit "tin-foil hat" but one thing to keep in mind is that our IOT (internet of things) devices are notoriously bad about security.  At some point they will likely become beach-head or bot-net "infected" devices.  If you want to control your light bulbs from your phone you should consider adding them and all other IOT devices to their own network.

</tin-foil>

 

Adding the SSH plugin may be something you want to consider if for no other reason it helps with setting up public-key style auth.  It sucks to have to type a complicated password for my unraid when I'm on my tablet. :-)

 

hth,

 

doc..

 

These are good points, which is why I asked. I'm typically the kind of guy who many would call overly cautious... so this might be a good plugin anyway.

 

Also good point about the SSH plugin.

Link to post

I can't get the SSH daemon to start.

 

I've reinstalled it for good measure, same thing. Just says that SSH is not running. When I try and connect via SSH, it tells me connection refused.

 

This is all that pops up in the log when I click start:

 

Apr 29 12:26:49 Tower emhttp: cmd: /usr/local/emhttp/plugins/ssh/scripts/rc.ssh buttonstart

 

I'm on 6.1.9 currently.

 

Is there any log or information I can provide to help figure this out? Or some critical setup step I missed? I've perused the github documentation, and couldn't find anything. Thank you!

 

 

Link to post

I'm studiously avoiding naming the person since I don't know if there are political mines that I'm stepping around but will say I am very grateful for his initial work on creating the plugin.  Without that effort I am sure I would not have forked the copy and started maintaining it.

 

It's okay, you can name the original person. He won't mind ;)

 

I'm glad someone took up the mantle to make the plugins work for later unRAID versions.  Good job!

Link to post

I can't get the SSH daemon to start.

 

I've reinstalled it for good measure, same thing. Just says that SSH is not running. When I try and connect via SSH, it tells me connection refused.

 

This is all that pops up in the log when I click start:

 

Apr 29 12:26:49 Tower emhttp: cmd: /usr/local/emhttp/plugins/ssh/scripts/rc.ssh buttonstart

 

I'm on 6.1.9 currently.

 

Is there any log or information I can provide to help figure this out? Or some critical setup step I missed? I've perused the github documentation, and couldn't find anything. Thank you!

 

I'm in the same boat on 6.1.9 as well. Uninstalled, re-installed and SSH daemon won't start. Oddly it was working before. Any solutions? Thanks!

Link to post

Same here. This plugin only adds some settings, ssh can not be started, no error messages, nothing. Seems like it is not maintained any more (since months)?

 

P.S.: Asking questions that only native English speakers that watch a lot of movies can know is the MOST SILLY verification method I have ever seen since the beginning of the internet!

Link to post

Hi everyone!

 

I think I found the error

 

Check your files in /etc/ssh

 

ls -la /etc/ssh

 

You may get something like this:

 

-rw-------  1 root root 246880 Aug  5 09:34 moduli
-rw-------  1 root root   1642 Aug  5 09:34 ssh_config
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_dsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_dsa_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ecdsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ecdsa_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ed25519_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ed25519_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_rsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_rsa_key.pub
-rw-------  1 root root   3522 Sep 21 01:41 sshd_config

 

As you can see, the keys have size 0.

 

I deleted all the keys with:

rm ssh_host_*

 

Then generated my own with:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa
ssh-keygen -t ed25519

 

Specifying the destination of the file as

/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key

 

 

Just after this, everything works as expected. I don't know which component has generated these keys so I don't know where to fix it...

 

 

I am running unRAID v6.2

 

Regards

Link to post
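
The check and regeneration described in the post above, as an added example that is not part of the original post or the plugin: it lists zero-length private host keys in a directory and regenerates only those, without prompts. The function names are hypothetical, and it assumes ssh-keygen is on the PATH and that DSA keys are not wanted.

```shell
#!/bin/sh
# Added example (not from the post or the plugin): detect zero-length SSH host
# keys and regenerate them without prompts. Function names are hypothetical.

# Print every private host key in directory $1 that exists but is empty.
empty_host_keys() {
    for key in "$1"/ssh_host_*_key; do
        [ -e "$key" ] || continue            # glob matched nothing
        [ -s "$key" ] || printf '%s\n' "$key"
    done
}

# Replace each empty key in directory $1; returns non-zero if any ssh-keygen fails.
regen_empty_host_keys() {
    empty_host_keys "$1" | (
        rc=0
        while IFS= read -r key; do
            ktype=${key##*/ssh_host_}; ktype=${ktype%_key}
            case $ktype in
                rsa)           set -- -t rsa -b 4096 ;;   # size used in the post
                ecdsa|ed25519) set -- -t "$ktype" ;;
                # DSA is skipped: OpenSSH disables ssh-dss by default since 7.0.
                *) echo "skipping $key" >&2; continue ;;
            esac
            rm -f "$key" "$key.pub"
            # -N '' gives the empty passphrase a host key needs; -f sets the path.
            ssh-keygen -q -N '' -f "$key" "$@" </dev/null || rc=1
        done
        exit "$rc"
    )
}

# Run only when a directory is given, e.g.:  sh fix_host_keys.sh /etc/ssh
if [ "$#" -gt 0 ]; then
    regen_empty_host_keys "$1"
fi
```

Clients that connected before will see a changed host key afterwards, since the regenerated keys are new.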

Instead of generating:

 

Cleaning /boot/config/ssh and /config/ssh and rebooting helps. Uninstalled the plugin as ssh is available without it (if the keys are not 0).

Link to post

Having some trouble trying to get this ssh plugin to install

 

 

I'm on the latest version of unraid 6.2, I've tried installing it via the Community Apps plugin, and manually.  Any ideas?

Link to post

Does anyone have this working?

 

I am wondering if it is even supported anymore.

 

Since I installed this plugin, I have lost ssh access for all of my users.

Link to post

I have it running on 6.2.4. I installed it on 6.1, have been working since. Be sure to read the readme file, I think the info is on the github page too.

What sort of problems do you have?

Link to post
