Trouble configuring sshd and users for rsync using ssh keys


5 posts in this topic Last Reply

Recommended Posts

I'm currently using rsync on a LAN to backup files from a Windows box to the UNRAID 4.5.6 server. With my current plain setup, only the root user can sync and requires a password typed in.

 

What I want to do is setup a non-root user and use rsync with ssh keys to allow the user to remotely start an instance of ssh and rsync files over the internet to the UNRAID with an automated batch file without typing in a password or passphrase.

 

I guess I don't understand how unraid users and ssh users work. It looks like I need to modify /boot/config/etc/ssh/sshd_config. Does anyone have a great unraid-friendly config example they recommend that I can look at?

 

Thanks in advance!

Link to post
  • 2 weeks later...

Wow, I didn't think I was doing something no one else has ever done...so I went and solved it myself.

Here is my solution for anyone else who wants to do it.(there's probably a more graceful way to do it)

 

UnRaid users you make in the UnRaid web GUI can't ssh or telnet into UnRaid. This is because when UnRaid makes the user they have the default shell set to "

/bin/false

"

You can change this by telneting in as root and typing "

usermod -s/bin/bash <username>

"

To save your changes, copy "

/etc/passwd

" to "

/flash/config/passwd

"

 

But I looked in the default passwd file and saw "

operator::11:0:operator:/root:/bin/bash

"  (that's a colon-separated list of username, password, userID, groupID, description, home dir, default shell)

so I just decided to use operator since it was not the root user, but was still a member of group root.

 

Telnetted in as operator and made the backup folders so I wouldn't have permission trouble later.

 

EDIT: I skipped an important step. Since unRAID defaults the mounted disk shares to "700" permissions, you need to allow Group RWX permissions on whatever disk you use (e.g. disk7)

"

chmod 770 /mnt/disk7

"

 

"

mkdir /mnt/disk7/My_Backups/<each folder for my Windows machines>

"

 

Installed cwrsync client on all my Windows machines.

 

Generated ssh key without passphrase "

ssh-keygen -t rsa -b 2048" naming the keyfile "ssh_operator_key

". (the name required ssh* and *key* for the other scripts)

This made ssh_operator_key and ssh_operator_key.pub. Put the .pub one in "

/flash/custom/etc/ssh/

" and put the other one in "

c:\program files\cwrsync\

"

 

I thought this would be the last step of the keys, but it seems linux also wants all pub key file contents in another file named authorized_keys per frigging user!

Ran "

cat ssh_operator_key.pub >> $HOME/.ssh/authorized_keys

" and copied it to "

/flash/custom/etc/ssh/authorized_keys

" so it's available every boot-time.

 

Then I needed to add this authorized_keys file to the auto_install copying:

Edited file "

/flash/packages/openssh-5.1p1-i486-1.tgz.auto_install

"

Changed the 2nd THEN to be:

"# public key for root

mkdir /root/.ssh

cp /boot/custom/etc/ssh/authorized_keys /root/.ssh

mkdir /etc/ssh 2>/dev/null

cp --preserve=timestamps /boot/custom/etc/ssh/ssh*key* /etc/ssh 2>/dev/null

cp --preserve=timestamps /boot/custom/etc/ssh/sshd_config /etc/ssh 2>/dev/null

chmod 600 /etc/ssh/ssh*key*"

 

Copied sshd_config file to "

/flash/custom/etc/ssh/

" too.

Here are the changes I made to sshd_config :

LoginGraceTime 30

PermitRootLogin no

MaxAuthTries 2

MaxSessions 2

PasswordAuthentication no

PermitEmptyPasswords yes

 

 

Example of my backup.cmd file for backing desktop's d: drive to my unraid server (named UNRAID)

"

rsync -aP --stats -e "ssh -i ssh_operator_key" --delete --exclude "pagefile.sys" /cygdrive/d/ operator@UNRAID:/mnt/disk7/My_Backups/Windows_d_drive/

"

 

For over the Internet, use your router to forward internal port 22 to another port (like 2222). Exposing port22 will get too much attention from hacker bots.(trust me)

"

rsync -zaP --stats -e "ssh -p 2222 -i ssh_operator_key" --delete --exclude "pagefile.sys" /cygdrive/d/ operator@UNRAID.yourIP.net:/mnt/disk7/My_Backups/Windows_d_drive/

"

 

PS I did have to give operator a password for this to work smoothly, but when using the key, it'll never ask for it.

Link to post
  • 5 months later...

Thank you for this.  Wanted to login in with non-root user, without a password, and this is exactly that.

 

However, in this part:

 

Then I needed to add this authorized_keys file to the auto_install copying:

Edited file "/flash/packages/openssh-5.1p1-i486-1.tgz.auto_install"

Changed the 2nd THEN to be:

"# public key for root

mkdir /root/.ssh

cp /boot/custom/etc/ssh/authorized_keys /root/.ssh

mkdir /etc/ssh 2>/dev/null

cp --preserve=timestamps /boot/custom/etc/ssh/ssh*key* /etc/ssh 2>/dev/null

cp --preserve=timestamps /boot/custom/etc/ssh/sshd_config /etc/ssh 2>/dev/null

chmod 600 /etc/ssh/ssh*key*"

 

Wouldn't you make a directory in your $HOME directory (/home/operator/.ssh), and put the authroized_keys file there, and not /root/.ssh)?

 

I'll try it with a /home/user directory and see how it goes.

Link to post

I created a user, defected07, for my shares, and modified the passwd file to change /bin/false to /bin/bash.  Also, I added commands in the sshd_config file to create that home directory and .ssh folder within it, when sshd is started.  So it's very close to your sshd_config file, but I created a home directory for the user logging in and to put the authorized_keys file--not in the /root folder.

 

 

Link to post
  • 11 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.