add ssh user

Hello :)
How can I add another user than root to be able to use ssh and be able to log in?

I added another user to the ssh config, but this user is not able to log in and gets disconnected by the server right after successful login.

 

Unraid 6.3.5

Best option I've seen to date is this:

 

 

Not run it myself, but thought I'd point it out.

  • 4 years later...
On 8/25/2017 at 9:57 AM, Tybio said:

Best option I've seen to date is this:

 

 

Not run it myself, but thought I'd point it out.

Thanks. This is still applicable 4 years later 🙂 

For those not wanting to use a plugin, you can add the user via the root user.

 

Give it a home dir and shell, and then update the saved /boot/config/passwd with the one in /etc/passwd

It seems that when booting, Unraid turns off all shells for non-root accounts, so you need to add a line in the init script to enable them again...

/boot/config/go

 

No idea how updates/upgrades will work with this... probably will blow it away.

  • 1 month later...

/etc/passwd User Terminal update to /bin/bash

  • 1 year later...

I've no idea why they have made it so hard to do this. I'm the single and only user of my unraid setup and my main mode of transferring data is via rsync & SCP. I *must* be able to have a working user that is not root to have SSH access for this even when the system unexpectedly reboots.

 

So after a bunch of trial and error I've come up with the expanded version of the /boot/config/go script below. Shared here in case it helps somebody else who's been struggling with this omission.

 

The user 'USERNAME' was created and password set using the web GUI.

All you'd need to do is change the word USERNAME to your actual, well... username, and double check the 1000:100 user:group numbers are the same for your situation.

 

If this messes up your unraid config somehow, it's non-destructive. Reverting to default settings, because you just want to or because you messed up, is a matter of opening a terminal via the web gui or on the physical console and removing everything but the first & last line of the /boot/config/go file again.

 

#!/bin/bash

# Make homedir
mkdir /USERNAME
chown USERNAME:users /USERNAME

# Set homedir and assign shell
cat /etc/passwd | sed -e s/USERNAME.*false/"USERNAME:x:1000:100:User description:\/USERNAME:\/bin\/bash"/ > /etc/passwd.1
mv /etc/passwd.1 /etc/passwd

# Ensure user profile doesn't try to send you to the root homedir upon login
cat /etc/profile | sed -e s/"export HOME=\/root"/"export HOME=\/\`whoami\`"/ > /etc/profile.1
mv /etc/profile.1 /etc/profile

# Allow all users to SSH in.
# (Alternatively append your specific desired username after 'root', separated with a space:
# i.e. "AllowUsers root USERNAME")
cat /etc/ssh/sshd_config | sed -e s/"AllowUsers root"/"# AllowUsers root"/ > /etc/ssh/sshd_config.1
mv /etc/ssh/sshd_config.1 /etc/ssh/sshd_config
/etc/rc.d/rc.sshd reload

# Start the Management Utility
/usr/local/sbin/emhttp &

 

11 hours ago, whiter said:

I've no idea why they have made it so hard to do this. I'm the single and only user of my unraid setup and my main mode of transferring data is via rsync & SCP. I *must* be able to have a working user that is not root to have SSH access for this even when the system unexpectedly reboots.

This is unRAID, it does not use Linux users for permissions. The ONLY user in the conventional Linux sense is root. Ideally you should not have other systems SSH directly into unRAID. The better way to handle it would be with a docker container or VM running an SSH server and having access to the specific array folders required. Personally I use an LXC container for this, but that requires the LXC plugin rather than built-in functionality.

3 minutes ago, primeval_god said:

Personally I use an LXC container for this, but that requires the LXC plugin rather than built in functionality. 

Maybe someday it will be included in the base OS. ;)

Not that there is anything wrong with using a plugin like LXC. But the tone of this discussion made me think that built-in options might be preferred. 

Edited by primeval_god

On 8/10/2023 at 1:26 AM, primeval_god said:

This is unRAID, it does not use Linux users for permissions. The ONLY user in the conventional Linux sense is root.

 

Users created in the Unraid user interface are added to /etc/passwd. Files uploaded via an 'official' sharing mechanism like SMB honour the Linux file permissions and create new files using the user ID and group ID as assigned to the logged in user in the /etc/passwd file. Linux users for accounts other than root are very much used.

 

 

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS. I've no intention to overcomplicate things, and beef up the CPU and memory of the system hosting nothing but my backup drives, for the sake of running a basic capability that it already has but is just made extra difficult to enable. Keep It Stupid Simple.

 

 

 

4 hours ago, whiter said:

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS. I've no intention to overcomplicate things, and beef up the CPU and memory of the system hosting nothing but my backup drives, for the sake of running a basic capability that it already has but is just made extra difficult to enable.

I don't share this opinion but of course that's my opinion. I think it's more overkill what you did above but don't get me wrong that's my opinion. :)

 

It always depends on what you are trying to do and to accomplish. For me it's way enough to log in as root and do stuff as root and I never want to access this from outside and even if I want to do that I can create a tunnel and do that.

I've recently started using tailscale and the unraid plugin for it with SSH enabled. It seems to pretty much solve both the multi-user and the open SSH port issues at once for me anyway. Specifically the multi-user aspect just means letting multiple different users login to SSH as root without giving out a password or managing keys. That might not be what everyone is looking for, but it might solve the needs for some.

 

I also do still use the unraid connect plugin, and I wish it didn't require an open port, but it doesn't bother me enough to not use it.

On 8/12/2023 at 5:20 AM, whiter said:

Users created in the Unraid user interface are added to /etc/passwd. Files uploaded via an 'official' sharing mechanism like SMB honour the Linux file permissions and create new files using the user ID and group ID as assigned to the logged in user in the /etc/passwd file. Linux users for accounts other than root are very much used.

See https://docs.unraid.net/unraid-os/manual/users

 

On 8/12/2023 at 5:20 AM, whiter said:

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS.

...and beef up the CPU and memory of the system...

It's really not overkill, it's the way the system is meant to be used (in unRAID that is). Containerization really doesn't have that much overhead in terms of CPU and memory usage. It's just tooling over cgroups and namespaces after all. In fact systems exist where every normal Linux process is containerized (see Rancher OS) and they manage to stay performant. Admittedly there is a bit more overhead in terms of disk usage, especially with docker. And there is something to be said for the increase in complexity for those less familiar with docker and LXC; however, the unRAID webui experience (and LXC plugin experience) help a lot in this area.

 

Based on Whiter's contribution I have the following manual steps to set up a second user to use SSH from a Mac. I did try the edit for unRaid /boot/config/go but I ended up bricking root access so had to create a new unRaid USB (using the existing USB stick - a good exercise in itself). I too am a one user unRaid (3 day old) user with a Mac. Reason is I have numerous hundreds of Gbs Final Cut Pro projects (which contain zillions of small and large files) to move/copy to (3 day old) MacPro Unraid system. SMB is not useable, too slow, unfortunately (for the many threads on the subject here). FTP cannot get to work using the default FTP server (read_only!?!) and not able to find/setup a FTP from the app store.

Here are my manual steps:

Delete the unRaid user Sid if exists already

root@Tower:~# useradd sid

root@Tower:~# passwd sid

root@Tower:~# mkdir /home/sid

root@Tower:~# chown sid:users /home/sid

root@Tower:~# ls -al /home  <== checking

root@Tower:~# cat /etc/passwd  <== checking

root@Tower:~# groupadd -r sshusers

root@Tower:~# usermod -a -G sshusers root

root@Tower:~# usermod -a -G sshusers sid

root@Tower:~# vi /etc/ssh/sshd_config

==> add AllowUsers root sid

==> add AllowGroups schusses

root@Tower:~# /usr/sbin/sshd -t  <== check the config is valid

root@Tower:~# echo $?

0 <== A 0 equals all OK, non-zero means fix it

root@Tower:~# /etc/rc.d/rc.sshd reload

Re-add unRaid Sid user

Try rsync using user sid

==> rsync -avhP ssh ~/Downloads/teleport/ [email protected]:/mnt/user/unraid/teleport/

And try root user

rsync -avhP ssh ~/Downloads/teleport/ [email protected]:/mnt/user/unraid/teleport/

 

 

Edited by ChannelD
upper to lower case correction
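
An added example (not part of any post in this thread) of the two safeguards the steps above rely on: appending one name to the existing AllowUsers line instead of commenting it out, and running the sshd -t check before the live file is touched. The names add_allowed_user and SSHD_CHECK are hypothetical, and the validator is a variable so the function can be tried on a copy of the config.

```bash
#!/bin/bash
# Added example, not code from the thread. add_allowed_user and SSHD_CHECK
# are hypothetical names.

# Command used to validate a candidate config; the file path is appended.
SSHD_CHECK=${SSHD_CHECK:-"/usr/sbin/sshd -t -f"}

add_allowed_user() {
    local cfg=$1 user=$2 tmp
    # Reject anything that could smuggle extra tokens into the config line.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad username: $user" >&2; return 2 ;;
    esac
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    # Append the user to each active AllowUsers line that lacks it. Commented
    # lines are left alone; with no AllowUsers line nothing is changed.
    awk -v u="$user" '
        tolower($1) == "allowusers" {
            listed = 0
            for (i = 2; i <= NF; i++) if ($i == u) listed = 1
            if (!listed) $0 = $0 " " u
        }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$cfg" "$tmp"; then        # already listed: nothing to do
        rm -f "$tmp"; return 0
    fi
    # Install only a config the validator accepts (word splitting of
    # SSHD_CHECK is intentional so it can carry arguments).
    if ! $SSHD_CHECK "$tmp" >/dev/null 2>&1; then
        echo "candidate config rejected, $cfg left untouched" >&2
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # keeps the original owner and mode
}

# On the server (as root), followed by the reload used in the posts above:
#   add_allowed_user /etc/ssh/sshd_config sid && /etc/rc.d/rc.sshd reload
```

Because the edit is idempotent, running it again on every boot leaves a single "AllowUsers root sid" line, and a rejected candidate never replaces the working config.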

  • 2 years later...

@ChannelD thanks for sharing. Just one comment:

==> add AllowGroups schusses

^ I think that line has a typo - should it not look like this? -

==> add AllowGroups sshusers

I'm attempting to put together an automated script to enable passwordless normal user SCP with public key authentication for use with WinSCP.

I've not fully tested it yet but I have had it working manually and is based on the scripts above but enabled using the user scripts plugin rather than main /boot/config/go one

One thing I learned was that you must ensure that the directory and file ownership and permissions are correct
i.e. on the user home and subdirectories and key files using chown and chmod commands
( as I think the SSH daemon needs that when reading the users ~/.ssh/authorized_keys file containing the public keys based on its logs )

For SFTP (rather than just scp) transfers via Tailscale I'm already using the excellent TailVault container from @SpaceInvaderOne

but I prefer to have a manual backup option for that with pubkey based auth and have disabled SSH for root.

Here is my draft script:

#!/bin/bash

# EDIT NEXT TWO LINES and change CHANGEME to your SSH username and paste in your SSH public key 
_username=CHANGEME
_sshpublickey='ssh-ed25519 PASTE-YOUR-RANDOM-LONG-SSH-PUBLIC-KEY-STRING-OVER-THIS'

# Recreate user home directory - I tested and this is deleted on a reboot
# (-p so a re-run does not fail when the directory already exists)
mkdir -p "/$_username"

# Set home directory and assign shell
cat /etc/passwd | sed -e s/$_username.*false/"$_username:x:1000:100:User description:\/$_username:\/bin\/bash"/ > /etc/passwd.1
mv /etc/passwd.1 /etc/passwd

# Ensure user profile doesn't try to send you to the root homedir upon login
cat /etc/profile | sed -e s/"export HOME=\/root"/"export HOME=\/\`whoami\`"/ > /etc/profile.1
mv /etc/profile.1 /etc/profile

# Comment out AllowUsers line in the SSH daemon config file to allow all users to SSH in
cat /etc/ssh/sshd_config | sed -e s/"AllowUsers root"/"# AllowUsers root"/ > /etc/ssh/sshd_config.1
mv /etc/ssh/sshd_config.1 /etc/ssh/sshd_config
# then restart the SSH daemon
/etc/rc.d/rc.sshd reload

# Setup public key based auth for user - note you may need to uncomment PubkeyAuthentication line in /etc/ssh/sshd_config
# (variables are quoted so the key and paths are passed through unchanged)
mkdir -p "/$_username/.ssh"
echo "$_sshpublickey" > "/$_username/.ssh/authorized_keys"
chmod 600 "/$_username/.ssh/authorized_keys"
chmod 700 "/$_username/.ssh"
chmod 750 "/$_username"
chown -R "$_username":users "/$_username/"

You can generate a new key pair using the free PuTTYgen tool on Windows and also test logging in using WinSCP but must use SCP mode not SFTP unless you've otherwise enabled that already.

PLEASE NOTE: This is only meant to be used as an emergency backup if root SSH is disabled and not intended for any other purpose but I thought I would share in case anyone else finds it useful.

Edited by manfat
Added draft user script for enabling passwordless SSH using public key authentication.
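
An added example (not part of the post above) that audits the ownership and permission requirement described there: with sshd's default StrictModes yes, the home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable, otherwise the key file is ignored. check_ssh_perms is a hypothetical helper and assumes GNU stat.

```bash
#!/bin/bash
# Added example, not code from the thread. check_ssh_perms is a hypothetical
# helper; it assumes GNU stat (stat -c).

check_ssh_perms() {
    local home=$1 user=$2 uid path owner mode bad=0
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user" >&2; return 2; }
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        owner=$(stat -c %u "$path")     # numeric owner
        mode=$(stat -c %a "$path")      # octal mode, e.g. 750
        # The owner must be the login user or root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $path is owned by uid $owner, expected $uid or 0"; bad=1
        fi
        # No group or other write bit may be set.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode (group/other write bit set)"; bad=1
        fi
    done
    return "$bad"
}

# Usage, with the home layout from the script above:
#   check_ssh_perms /CHANGEME CHANGEME
```

A non-zero return with no MISSING lines points at the chown/chmod steps as the reason public key logins are refused.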
