SSH and Denyhosts updated for v6.1



Hopefully this is the right place for posting new/updated plugins.

 

For a long time I have been using the ssh plugin for installing (and now just persisting settings for) ssh.  By sheer luck (not sure good or bad) I jumped from v5 straight to v6.1.  Due to the security improvements in v6.1 the current copy of the only ssh plugin I was aware of did not work.

 

I saw both in the support thread and github repo that people were asking about updates and so I decided to fix the plugin for myself and post a patch.  Since then I learned that the maintainer seems to have either taken a break or been otherwise busy.  I'm studiously avoiding naming the person since I don't know if there are political mines that I'm stepping around but will say I am very grateful for his initial work on creating the plugin.  Without that effort I am sure I would not have forked the copy and started maintaining it.

 

You can find my version of both the SSH and DenyHosts plugins here.

 

Note the other plugins by the previous author are also there but HAVE NOT BEEN UPDATED IN ANY WAY.  Indeed the support files will still be pulled from the original fork's release/download folders even if you grab the .plg file from my repo.

 

I'm not new to unRaid but I am new to developing for it so I welcome constructive feedback and will respond as quickly as my time will allow to any issues people have with the plugins I'm maintaining.

Since I think these posts can be edited I will update this list here when and if I update the other items that I forked.

 

Currently maintaining:

  • ssh
  • DenyHosts

 

-edit:

Plugins which can now be found as docker containers:

Beets, Dropbox, LogitechMediaServer, NZBGet, Pyload

 

DocGyver..

Link to comment

Yes, finally! Thanks! Been waiting for this. :) Installed both plugins and testing them now on 6.1.9. One thing tho, puttygen isn't installed with the ssh plugin like it says in the readme, at least it wasn't when I tried. So I ended up using puttygen on my Windows install to convert the private key to putty format. I guess I could have installed it in unraid cause the putty-0.64-x86_64-1rj.txz is included but I didn't know how to, so Windows was the fastest way to solve it.

 

Edit: Also, Denyhosts doesn't show all the "text options" on the dark theme so I don't know what the settings are for, have to switch to white theme to see them.


Link to comment

I'm going to move this to the 6.1 Verified forum, but please send me a PM if anyone discovers an incompatibility that I haven't yet.

So did you already test it with the PhAzE plugin mentioned in the link I gave above?

 

I can well remember the bad old days of v5 when syslogs were full of plugins installing one version of something, then another plugin comes in and deletes all that so it can install a different version.

Link to comment

I'm going to move this to the 6.1 Verified forum, but please send me a PM if anyone discovers an incompatibility that I haven't yet.

So did you already test it with the PhAzE plugin mentioned in the link I gave above?

 

I can well remember the bad old days of v5 when syslogs were full of plugins installing one version of something, then another plugin comes in and deletes all that so it can install a different version.

Nope. Don't care about plugin to plugin compat. Just that it works on 6.1.

Link to comment
  • 4 weeks later...

Thank you for upgrading this to v6.1!

 

I'm receiving an error when the daemon is trying to purge hosts.deny. Do I need to change permissions in my /etc directory to allow DenyHosts to write to the file?

 

The denyhosts.out log is:

2016-04-05 07:57:45,772 - denyhosts   : INFO     new denied hosts: ['113.183.70.101', '113.190.244.206', '193.201.227.175', '185.110.132.54', '14.182.86.235']
2016-04-05 07:58:15,802 - denyfileutil: INFO     purging entries older than: Tue Mar 22 07:58:15 2016
2016-04-05 07:58:15,803 - denyfileutil: WARNING  [Errno 13] Permission denied: '/etc/hosts.deny.purge.bak'
2016-04-05 07:58:15,803 - root        : ERROR    [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/DenyHosts/deny_hosts.py", line 241, in sleepAndPurge
    purge_time)
  File "/usr/lib64/python2.7/site-packages/DenyHosts/denyfileutil.py", line 145, in __init__
    purged_hosts = self.create_temp(self.get_data())
  File "/usr/lib64/python2.7/site-packages/DenyHosts/denyfileutil.py", line 218, in create_temp
    raise e
IOError: [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'

Link to comment

I just noticed that myself yesterday.  Been going on in my logs for quite some time too.  Looks like it only happens on start but you will likely see a permissions issue on sync-hosts more regularly.  It looks like I was getting it each time denyhosts detected a new suspicious event.

 

I noticed that denyhosts was running as "sudo -h nobody" and nobody would not have access to /etc files.  Yesterday I removed the sudo, which broke things, then changed it to just sudo without the "-h nobody"; it has been running fine.

 

As best I can tell the original author's intent behind using sudo is/was two-fold.  I am almost certain he was trying to orphan the daemon.  Without the sudo the web page never returns after you click "start".

 

The second possible reason is to lower the privilege of the daemon.  If that was the intent it must have been that /etc/hosts.deny (et al.) had different permissions and/or ownership in the past.

 

For my use I'm ok with the daemon running as root so I've updated the plg file.  If you "check for updates" on your plugins you should see the new version now.

Link to comment
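Added example, not part of the thread or the plugin: a small shell check for the failure discussed above. The log shows DenyHosts creating sibling files next to hosts.deny (`.purge.bak`, `.purge.tmp`), so the daemon's user needs write access to the directory itself, not only to hosts.deny. The function names are assumptions of this example, and the sample log lines are copied from the log posted above.

```shell
#!/bin/sh
# Added example: list the paths DenyHosts could not write (Errno 13) and
# show whether the current user can write to their parent directory.

# Sample input, copied from the denyhosts.out excerpt posted in the thread.
sample_log() {
    cat <<'EOF'
2016-04-05 07:58:15,802 - denyfileutil: INFO     purging entries older than: Tue Mar 22 07:58:15 2016
2016-04-05 07:58:15,803 - denyfileutil: WARNING  [Errno 13] Permission denied: '/etc/hosts.deny.purge.bak'
2016-04-05 07:58:15,803 - root        : ERROR    [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'
IOError: [Errno 13] Permission denied: '/etc/hosts.deny.purge.tmp'
EOF
}

# Print each distinct path that appears in an "[Errno 13] Permission denied"
# message in the log file given as $1.
denied_paths() {
    sed -n "s/.*\[Errno 13\] Permission denied: '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# For each denied path, report its parent directory and whether the user
# running this script can create files there. Run it as the daemon's user
# to see what the daemon sees.
report_denied() {
    denied_paths "$1" | while IFS= read -r path; do
        dir=$(dirname "$path")
        if [ -w "$dir" ]; then writable=yes; else writable=no; fi
        printf '%s\tdir=%s\tuser=%s\twritable=%s\n' \
            "$path" "$dir" "$(id -un)" "$writable"
    done
}
```

Point `report_denied` at the real denyhosts.out to get one line per blocked path.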

If you don't open up SSH to the outside via a Port Forward, "DMZ Host Forward", or some other means then your risk is fairly low that you would have attackers.

Denyhosts monitoring then becomes, as you imply, one more thing to clean up, monitor, ignore, ... 

 

This may come off a bit "tin-foil hat" but one thing to keep in mind is that our IOT (internet of things) devices are notoriously bad about security.  At some point they will likely become beach-head or bot-net "infected" devices.  If you want to control your light bulbs from your phone you should consider adding them and all other IOT devices to their own network.

</tin-foil>

 

Adding the SSH plugin may be something you want to consider if for no other reason it helps with setting up public-key style auth.  It sucks to have to type a complicated password for my unraid when I'm on my tablet. :-)

 

hth,

 

doc..

Link to comment

If you don't open up SSH to the outside via a Port Forward, "DMZ Host Forward", or some other means then your risk is fairly low that you would have attackers.

Denyhosts monitoring then becomes, as you imply, one more thing to clean up, monitor, ignore, ... 

 

This may come off a bit "tin-foil hat" but one thing to keep in mind is that our IOT (internet of things) devices are notoriously bad about security.  At some point they will likely become beach-head or bot-net "infected" devices.  If you want to control your light bulbs from your phone you should consider adding them and all other IOT devices to their own network.

</tin-foil>

 

Adding the SSH plugin may be something you want to consider if for no other reason it helps with setting up public-key style auth.  It sucks to have to type a complicated password for my unraid when I'm on my tablet. :-)

 

hth,

 

doc..

 

these are good points, which is why I asked. I'm typically the kind of guy who many would call overly cautious... so this might be a good plugin anyway.

 

Also good point about the SSH plugin.

Link to comment
  • 3 weeks later...

I can't get the SSH daemon to start.

 

I've reinstalled it for good measure, same thing. Just says that SSH is not running. When I try and connect via SSH, it tells me connection refused.

 

This is all that pops up in the log when I click start:

 

Apr 29 12:26:49 Tower emhttp: cmd: /usr/local/emhttp/plugins/ssh/scripts/rc.ssh buttonstart

 

I'm on 6.1.9 currently.

 

Is there any log or information I can provide to help figure this out? Or some critical setup step I missed? I've perused the github documentation, and couldn't find anything. Thank you!

 

 

Link to comment

I'm studiously avoiding naming the person since I don't know if there are political mines that I'm stepping around but will say I am very grateful for his initial work on creating the plugin.  Without that effort I am sure I would not have forked the copy and started maintaining it.

 

It's okay, you can name the original person. He won't mind ;)

 

I'm glad someone took up the mantle to make the plugins work for later unRAID versions.  Good job!

Link to comment
  • 2 months later...

I can't get the SSH daemon to start.

 

I've reinstalled it for good measure, same thing. Just says that SSH is not running. When I try and connect via SSH, it tells me connection refused.

 

This is all that pops up in the log when I click start:

 

Apr 29 12:26:49 Tower emhttp: cmd: /usr/local/emhttp/plugins/ssh/scripts/rc.ssh buttonstart

 

I'm on 6.1.9 currently.

 

Is there any log or information I can provide to help figure this out? Or some critical setup step I missed? I've perused the github documentation, and couldn't find anything. Thank you!

 

I'm in the same boat on 6.1.9 as well. Uninstalled, re-installed and SSH daemon won't start. Oddly it was working before. Any solutions? Thanks!

Link to comment
  • 1 month later...

Same here. This plugin only adds some settings, ssh can not be started, no error messages, nothing. Seems like it is not maintained any more (since months)?

 

P.S.: Asking questions that only native English speakers that watch a lot of movies can know is the MOST SILLY verification method I have ever seen since the beginning of the internet!

Link to comment
  • 2 weeks later...

Hi everyone!

 

I think I found the error

 

Check your files in /etc/ssh

 

ls -la /etc/ssh

 

You may get something like this:

 

-rw-------  1 root root 246880 Aug  5 09:34 moduli
-rw-------  1 root root   1642 Aug  5 09:34 ssh_config
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_dsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_dsa_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ecdsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ecdsa_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ed25519_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_ed25519_key.pub
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_rsa_key
-rw-------  1 root root      0 Sep 19 04:18 ssh_host_rsa_key.pub
-rw-------  1 root root   3522 Sep 21 01:41 sshd_config

 

As you can see, the keys have size 0.

 

I deleted all the keys with:

rm ssh_host_*

 

Then generated my own with:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa
ssh-keygen -t ed25519

 

Specifying the destination of the file as

/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ed25519_key

 

 

Just after this, everything works as expected. I don't know which component has generated these keys so I don't know where to fix it...

 

 

I am running unRAID v6.2

 

Regards

Link to comment
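Added example, not part of the thread or the plugin: the manual fix from the post above as a script that finds host key pairs in /etc/ssh that are zero-length (or missing their .pub half) and regenerates only those. The function names and the `--check`/`--fix` arguments are assumptions of this example; the key type is taken from the file name.

```shell
#!/bin/sh
# Added example: detect and repair empty sshd host keys.

# Print every private host key in DIR whose private or public file is
# empty or missing. sshd cannot load a zero-length host key.
find_bad_host_keys() {
    dir=${1:-/etc/ssh}
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue          # glob matched nothing
        if [ ! -s "$key" ] || [ ! -s "$key.pub" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# Regenerate each bad pair. The old files are removed first so that
# ssh-keygen does not stop to ask about overwriting them.
regen_bad_host_keys() {
    dir=${1:-/etc/ssh}
    find_bad_host_keys "$dir" | while IFS= read -r key; do
        ktype=${key##*/ssh_host_}          # ssh_host_<type>_key -> <type>_key
        ktype=${ktype%_key}                # -> <type>
        rm -f "$key" "$key.pub"
        if ssh-keygen -q -t "$ktype" -f "$key" -N ''; then
            chmod 600 "$key"
            chmod 644 "$key.pub"
            echo "regenerated $key"
        else
            echo "ssh-keygen could not create a $ktype key at $key" >&2
        fi
    done
}

# Usage: script --check [DIR]   or   script --fix [DIR]
case "${1:-}" in
    --check) find_bad_host_keys "${2:-/etc/ssh}" ;;
    --fix)   regen_bad_host_keys "${2:-/etc/ssh}" ;;
esac
```

Clients that connected before the keys were replaced will see a changed host key warning on their next connection.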
  • 2 weeks later...

Having some trouble trying to get this ssh plugin to install

 

 

I'm on the latest version of unraid 6.2, I've tried installing it via the Community Apps plugin, and manually.  Any ideas?

Link to comment