Jump to content
docgyver

SSH and Denyhosts updated for v6.1

87 posts in this topic Last Reply

Recommended Posts

I am still running 6.2.4 because my last jump broke my Owncloud (now NextCloud) docker image. I haven't read the readme on what changes from 6.2 to 6.3 but I'd be surprised if it breaks the plugin.  Do you have the files in the right folder on /boot?  SSH files on my machine are like the following (with noise files removed). Note the dot (.) in .../user/.ssh/...

 

$find /boot/config/plugins/ssh ! -type d
/boot/config/plugins/ssh/ssh.cfg
/boot/config/plugins/ssh/root/.ssh/authorized_keys
/boot/config/plugins/ssh/otheruser/.ssh/authorized_keys
 

Share this post


Link to post
On 7/8/2017 at 9:24 AM, zin105 said:

Just wanted to report that everything works in 6.4 rc6. (Key based login only, passwords disabled, root login disabled).

 

Only "problem" is that the plugin doesn't have an icon.

This and I am now seeing the below error in the syslog:

Aug 16 16:10:44 Node sshd[12542]: rexec line 110: Deprecated option UsePrivilegeSeparation

 

Share this post


Link to post

I have a single user defined that I want to provide ssh access too.  However, I have to have "allow root" set to yes for it to work even for the non-root user.

 

How can I disallow root ssh access, but still allow my chosen user?

 

My ssh.cfg

Quote

# ssh configuration
SERVICE="enable"
PORT="22"
USERLIST="wimp"
PERMITROOTLOGIN="no"
MAXAUTHTRIES="6"
PASSWORDAUTHENTICATION="no"
PERMITEMPTYPASSWORDS="no"
GATEWAYPORTS="no"

 

If I set PERMITROOTLOGIN="yes" then I can log in as user wimp.

 

thanks

david

Share this post


Link to post

Odd.  I don't normally use another user but do have a couple defined.  I will try to reproduce what you are seeing and fix it.

Share this post


Link to post

Hello :)
How is this plugin suposed to work?
No matter what I do, unless I turn SSH off, every user on the server can log in.

Or is it not meant to work from the LAN side?

Share this post


Link to post

Depends on on which plugin you are asking about. The DenyHosts plugin is intended to detect unwanted connections and block the source IP. The SSH plugin is intended to enable persisting various settings.

Which of the two are you running?

Share this post


Link to post

I'm totally confused as well.

 

All I want to do is setup a couple of my users for SFTP access (SSH access). 

 

How do I do this? Is there a user manual somewhere? No matter what settings I make, I can only log in as root (provided I've left the "Permit Root Login" setting as "yes").

 

When I pick my user "joe" in the list and allow password access, when I try to ssh with "joe," as soon as I enter my password, connection to unRAID is closed. The user can't log in. root does not have this problem and can log in just fine.

Edited by ksignorini

Share this post


Link to post

Been a long time since I've configured this (6.1 days), but if you guys read the info on github and the readme located in the plugin folder I'm sure you'll be able to figure it out. I'm using key based login only and it works like a charm.

 

Github: https://github.com/docgyver/unraid-v6-plugins

Readme located on your flashdrive in /boot/config/plugins/ssh

Share this post


Link to post
2 minutes ago, strike said:

Been a long time since I've configured this (6.1 days), but if you guys read the info on github and the readme located in the plugin folder I'm sure you'll be able to figure it out. I'm using key based login only and it works like a charm.

 

Github: https://github.com/docgyver/unraid-v6-plugins

Readme located on your flashdrive in /boot/config/plugins/ssh

 

I got it working. With passwords.

 

But you know what was getting me? I hadn't rebooted my unRAID server. I didn't see anywhere in the readme or github where it was clear that you had to restart unRAID to get this to work. I figured restarting the SSH daemon should be enough. I guess it wasn't.

 

NOTE: You must restart unRAID to get changes made in the plugin settings to stick. At least, I had to.

Edited by ksignorini

Share this post


Link to post
On 04/09/2017 at 2:31 AM, docgyver said:

Depends on on which plugin you are asking about. The DenyHosts plugin is intended to detect unwanted connections and block the source IP. The SSH plugin is intended to enable persisting various settings.

Which of the two are you running?

I have both installed, but I was wondering about the SSH plugin.
I get a list of the users that is on the server, I can click on them, but what is that for because nothing seems to happen when I do.

Share this post


Link to post
5 hours ago, isvein said:

I have both installed, but I was wondering about the SSH plugin.
I get a list of the users that is on the server, I can click on them, but what is that for because nothing seems to happen when I do.

 

I found the instructions over on docgyver's github page here: https://github.com/docgyver/unraid-v6-plugins/blob/master/README.md.

 

Basically do this:

 

1. Stop the SSH server (turn "Enable SSH Service" to No and hit Apply.)

 

2. To allow SSH access for a list of users, multi-select their names in the list and make sure "Password Authentication" is set to Yes. (ctrl-click or cmd-click to select multiple users). This turns password authentication on for all the users you've picked (instead of having to generate keys).

 

3. Hit Apply again. This should save the settings and restart the ssh daemon but you still won't be able to ssh from those users yet; at least, I couldn't.

 

4. In order for the settings change to work, you have to reboot unRAID!

 

Yes, reboot!

 

You should now be able to ssh in with the users you picked in the list. At least, now I can on my server.

 

 

Edited by ksignorini
Clarity and more information.

Share this post


Link to post

I recently upgraded unraid to the latest release candidate 6.4.0_rc11i.  I noticed that every time I open the plugins page, I get the following error in the log.

Nov 16 14:17:10 Tower nginx: 2017/11/16 14:17:10 [crit] 20451#20451: *135500 stat() "/usr/local/emhttp/plugins/ssh/ssh.png" failed (13: Permission denied), client: 192.168.1.11, server: 7919ac795bff0d483d3f219c6b4dfeff9abcbeae.unraid.net, request: "GET /plugins/ssh/ssh.png HTTP/2.0", host: "7919ac795bff0d483d3f219c6b4dfeff9abcbeae.unraid.net", referrer: "https://7919ac795bff0d483d3f219c6b4dfeff9abcbeae.unraid.net/Plugins"

It doesnt seem to affect the plugin working in any way, but the icon for the plugin doesnt show on the plugin page.

 

Edit: I noticed that the /usr/local/emhttp/plugins/ssh folder has different permissions that all of the other plugin folders there.  The ssh folder permissions looks like:

drwxrwx---  4 root root   200 Nov 15 12:27 ssh

while all of the others look like:

drwxr-xr-x  7 root root   260 Nov 15 12:27 preclear.disk

 

manually changing it stops the error from showing up.  Are there security implications to changing the folder permissions?

 

Edited by mattekure

Share this post


Link to post

No significant implications. Group has no need for write access. Giving "other" read and execute is a bit more pemissive but it isn't like what that folder holds can't be known. It's on github ;)

I'll see what I need to change to get the permissions right on create. IIRC there was a mask involved.

Been too lazy to pick an Icon. Wish there was a standard one. I'll take a look to see if there is one now.

Share this post


Link to post

I also noticed that whenever I log in I get the following error on the log:

 

Tower sshd: rexec line 110: Deprecated option UsePrivilegeSeparation  

 

In the settings I have Permit Root Login set to No.  the log in is still successful though, so its not affecting anything yet.

Edited by mattekure

Share this post


Link to post
On 11/16/2017 at 4:41 PM, mattekure said:

I noticed that the /usr/local/emhttp/plugins/ssh folder has different permissions that all of the other plugin folders there. 

....

manually changing it stops the error from showing up.  

 

 

For anyone wondering how:

 

Do chmod 755 /usr/local/emhttp/plugins/ssh to fix it for your current session.

 

Or add to `/boot/config/go` to make it fixed each time you start:

 

# Fix ssh plugin icon:
chmod 755 /usr/local/emhttp/plugins/ssh

 

Share this post


Link to post
On 12/31/2017 at 1:36 PM, JustinAiken said:

 

For anyone wondering how:

 

Do chmod 755 /usr/local/emhttp/plugins/ssh to fix it for your current session.

 

Or add to `/boot/config/go` to make it fixed each time you start:

 


# Fix ssh plugin icon:
chmod 755 /usr/local/emhttp/plugins/ssh

 

 

Thanks, this fixed everything after upgrading to 6.4!

Share this post


Link to post

Thanks so much. I opened up the file to change on Monday and hadn't even looked at the browser tab since.

 

I also update the version so that someone checking for update will have a new version number.

 

Maybe someday I'll get some icons in there too. I did find a couple that made sense and were CC license.

 

 

Share this post


Link to post
On 1/17/2018 at 8:36 AM, docgyver said:

Thanks so much. I opened up the file to change on Monday and hadn't even looked at the browser tab since.

 

I also update the version so that someone checking for update will have a new version number.

 

Maybe someday I'll get some icons in there too. I did find a couple that made sense and were CC license.

 

 

Interesting, its still setting the directory as 770?, just performed uninstall and reinstall :/ 
I even went back and removed cache to make sure it wasn't using an old script. I've updated the plg again with a few lines to automagically change the folder perms  after install so no additional script-fu is needed. I noticed other plugins were using this method so I'm trying the same.

 

https://github.com/docgyver/unraid-v6-plugins/pull/3

https://github.com/docgyver/unraid-v6-plugins/pull/4

Edited by Darksurf

Share this post


Link to post

Fails to install after the latest update (2018.01.18) on unRaid 6.4.0 for me.

 

plugin: installing: https://raw.githubusercontent.com/docgyver/unraid-v6-plugins/master/ssh.plg
plugin: downloading https://raw.githubusercontent.com/docgyver/unraid-v6-plugins/master/ssh.plg
plugin: downloading: https://raw.githubusercontent.com/docgyver/unraid-v6-plugins/master/ssh.plg ... done

+==============================================================================
| Skipping package putty-0.64-x86_64-1rj (already installed)
+==============================================================================


plugin: run failed: /bin/bash retval: 1

 

Share this post


Link to post

Yeah me too. Been working on a broken Nextcloud docker from 443 being part of the management interface. Let me see what is wrong with the new code.

Share this post


Link to post

As near as I can tell from the .plg file for 2018.01.18, the install section removes the /usr/local/emhttp/plugins/ssh directory but doesn't recreate it because the error seems to occur in the post-install section where it tries to change the permissions but there aren't any files to change:

 

ls -la /usr/local/emhttp/plugins/ssh
/bin/ls: cannot access '/usr/local/emhttp/plugins/ssh': No such file or directory

 

Share this post


Link to post

Quite correct Shaun. I didn't check the location of the "Post Install" script in the plg file in relation when I accepted the patch.

 

I moved it to the bottom right above the script which does the "bottonstart" execution kicking off the plugin and things are fine now.

 

If anyone has issues applying the update it may be caused by a rogue /var/log/plugins/ssh.plg file remaining after the failure of 2018.01.18 to load.

 

"Easiest" (i.e. Web UI) fix is a reboot but is not not required if you are comfortable on the command line.

 

Manual fix can be accomplished by running the command "rm /var/log/plugins/ssh.plg" by your preferred method (e.g. ssh and command line, User Scripts plugin...)

Follow that in the UI with a check for updates on the plugins page and then update.

  • Like 2
  • Upvote 1

Share this post


Link to post

Sorry guys, didn't mean to cause you trouble, I evidently caught the flu right not long after that tweak. I had intentions to go back and fix that, but flu hit me pretty hard, I'm at the end of it now. Seems like you guys got it under control! Thanks for the fix and sorry for the trouble.

Share this post


Link to post
5 hours ago, Darksurf said:

Sorry guys, didn't mean to cause you trouble, I evidently caught the flu right not long after that tweak. I had intentions to go back and fix that, but flu hit me pretty hard, I'm at the end of it now. Seems like you guys got it under control! Thanks for the fix and sorry for the trouble.

NO worries. I should have looked closer when I did the commit.

 

Thanks for your effort as well. Helps to work together.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.