Openssh
From OpenFSG
Why would you want to replace the default SSH?
- You get scp (secure copy) for transferring files as well
- It's a standard build choice for SSH so there is a lot of documentation out there for it
- Easy to create pre-shared keys for passwordless logins
Installation instructions
This uses the ipkg installer.
- Connect to the FSG using SSH.
- Update the list of packages.
~ # ipkg update
Downloading http://ipkg.nslu2-linux.org/feeds/optware/fsg3/cross/stable/Packages.gz
Inflating http://ipkg.nslu2-linux.org/feeds/optware/fsg3/cross/stable/Packages.gz
Updated list of available packages in /opt/lib/ipkg/lists/optware
Successfully terminated.
- Install OpenSSH.
~ # ipkg install openssh
Installing openssh (4.5p1-1) to /opt/...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/fsg3/cross/stable/openssh_4.5p1-1_armeb.ipk
Installing zlib (1.2.3-2) to /opt/...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/fsg3/cross/stable/zlib_1.2.3-2_armeb.ipk
Configuring openssh
Generating RSA Key...
Generating public/private rsa1 key pair.
Your identification has been saved in /opt/etc/openssh/ssh_host_key.
Your public key has been saved in /opt/etc/openssh/ssh_host_key.pub.
The key fingerprint is:
bb:c4:d0:11:4a:50:93:96:3d:2a:bd:bc:de:f9:2d:28
Generating RSA Key...
Generating public/private rsa key pair.
Your identification has been saved in /opt/etc/openssh/ssh_host_rsa_key.
Your public key has been saved in /opt/etc/openssh/ssh_host_rsa_key.pub.
The key fingerprint is:
08:4d:88:5b:33:9a:cc:20:12:6c:26:9a:a0:fe:a9:40
Generating DSA Key...
Generating public/private dsa key pair.
Your identification has been saved in /opt/etc/openssh/ssh_host_dsa_key.
Your public key has been saved in /opt/etc/openssh/ssh_host_dsa_key.pub.
The key fingerprint is:
4b:c9:10:0f:ee:19:22:ce:0c:82:f7:a1:d6:c2:89:78
Fixing permissions on the /tmp directory...
(your ssh connection will close at this point)
- Reboot your FSG3 via the web interface (to enable the new Optware ssh server)
You should now be able to log in directly as root, using the root password you set earlier. The RSA key fingerprint that ssh presents on the first connection should match the ssh_host_rsa_key fingerprint printed during the installation above.
$ ssh root@192.168.1.254
The authenticity of host '192.168.1.254 (192.168.1.254)' can't be established.
RSA key fingerprint is 08:4d:88:5b:33:9a:cc:20:12:6c:26:9a:a0:fe:a9:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.254' (RSA) to the list of known hosts.
root@192.168.1.254's password:
~ #
After this it should automatically replace the default ssh.
Troubleshooting
There is a problem with the old startup file /etc/rc/S35ssh: during reboot it starts the default ssh, which then occupies port 22 before the Optware sshd can bind to it.
A workaround is to copy /etc/rc/S35ssh to /etc/rc/S34ssh and edit S34ssh to start up /opt/sbin/sshd instead of the default /usr/local/sbin/sshd.
My copy is here:
#! /bin/sh
case "$1" in
start)
    # start only if ssh is enabled in the web interface configuration
    if grep -q '^ssh_server=checked' /etc/master.conf; then
        echo "Starting openSSH server."
        /opt/sbin/sshd
    fi
    ;;
stop)
    echo "Shutting down SSH server."
    killall sshd
    ;;
reconfig)
    # pick the external interface from the configured WAN type
    WAN_TYPE=$(grep wan_type /etc/master.conf | cut -d= -f2)
    if [ "$WAN_TYPE" = "pppoe" -o "$WAN_TYPE" = "pptp" ]; then
        EXIF=ppp0
    else
        EXIF=eth1
    fi
    # drop any existing port 22 rule on the external interface first
    /sbin/iptables -D INPUT -i $EXIF -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    # re-add it only if ssh is configured to be reachable from the outside
    if grep -q '^ssh_extern=checked' /etc/master.conf; then
        /sbin/iptables -I INPUT -i $EXIF -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    fi
    ;;
*)
    echo "Usage: $0 {start|stop|reconfig}"
    exit 1
esac
exit 0
As a consequence of this, if openSSH refuses to start (because you've broken its config file, for instance), the default ssh will still start, which means you can at least log in and fix the problem.
Update concerning Firmware 4.3.8 and optware openSSH 4.7p1-2
With Firmware 4.3.8 (3.3.14 too, and I guess others as well) and optware openSSH 4.7p1-2, the above text concerning the startup file is no longer 100% valid. Firmware 4.3.8 comes with built-in support for optware that is initialised by the startup file /etc/rc/S96optware. Hence, during the startup phase, the /opt folder is not mounted until S96optware has been executed, so trying to start openssh from /etc/rc/S34ssh as suggested above will fail!
Therefore, the startup file for openssh must run after S96optware, e.g. as /etc/rc/S97openssh. In that case, however, port 22, on which openssh will listen, is already taken by the sshd started from /etc/rc/S35ssh. To keep the fallback behaviour described above, rename /etc/rc/S35ssh to e.g. /etc/rc/S98ssh.
Furthermore, the copy of /etc/rc/S35ssh provided above is outdated. Instead, copy /etc/init.d/ssh to /etc/init.d/openssh, replace in that file the path /usr/local/sbin/sshd with /opt/sbin/sshd and /usr/local/etc/sshd_config with /opt/etc/openssh/sshd_config, and create a symbolic link from /etc/rc/S97openssh to /etc/init.d/openssh. If you like, you can add the line AllowUsers admin to /opt/etc/openssh/sshd_config so that the web interface controls whether all users or only admin may log in.
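The renaming and path substitution just described, as an added example that is not from the wiki: a POSIX sh script whose functions take a root prefix (my own addition) so the edit can be rehearsed in a scratch directory before being applied as root on the FSG3.

```shell
#!/bin/sh
# Added example (not from the wiki): performs the Firmware 4.3.8 steps above.
# All functions take a root prefix: "/" on the FSG3, or a scratch directory to
# rehearse the edit before touching the real /etc. The prefix argument is my
# own addition; the paths inside are the ones the wiki gives.
set -eu

make_openssh_init() {
    root="${1%/}"
    src="$root/etc/init.d/ssh"
    dst="$root/etc/init.d/openssh"
    # Copy the firmware's ssh init script, pointing it at the Optware binary
    # and the Optware sshd_config instead of the built-in ones.
    sed -e 's#/usr/local/sbin/sshd#/opt/sbin/sshd#g' \
        -e 's#/usr/local/etc/sshd_config#/opt/etc/openssh/sshd_config#g' \
        "$src" > "$dst"
    chmod 755 "$dst"
    # Sanity check: the new script must reference /opt/sbin/sshd and must not
    # still start the built-in daemon, or both would fight over port 22.
    grep -q '/opt/sbin/sshd' "$dst" || return 1
    if grep -q '/usr/local/sbin/sshd' "$dst"; then return 1; fi
}

reorder_rc() {
    rc="${1%/}/etc/rc"
    # OpenSSH must start after S96optware (when /opt is mounted); the stock
    # ssh moves behind it so it only grabs port 22 if OpenSSH failed to start.
    if [ -e "$rc/S35ssh" ]; then
        mv "$rc/S35ssh" "$rc/S98ssh"
    fi
    ln -sf ../init.d/openssh "$rc/S97openssh"
}

restrict_to_admin() {
    # Optional AllowUsers admin line; the wiki says this lets the web
    # interface decide whether all users or only admin may log in.
    cfg="${1%/}/opt/etc/openssh/sshd_config"
    grep -q '^AllowUsers ' "$cfg" || echo 'AllowUsers admin' >> "$cfg"
}
```

Run it against a copy of /etc and /opt first; the checks in make_openssh_init return non-zero if the substitution did not take, so a failed rehearsal is visible before the real reboot.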
If it 'seems' to work but your RSA host key changes from time to time, it is because on the one hand S??Optware kills any running ssh (cf. /opt/etc/init.d) and starts openssh, while on the other hand any reconfiguration through the web interface reloads /etc/init.d/ssh, the old ssh. This triggers the key change because you are no longer talking to the same sshd.
Update concerning Firmware 4.4.8 and optware openSSH 5.1p1-1 on the NDP
NDP users need only rename S35ssh to S98ssh once openssh has been installed:
/etc/rc # ls
S01logs        S25http   S80mysql      S97croninit
S05networking  S30ftp    S85inet       S98optware
S17dhcp        S35ssh    S95harddrive  S98torrent
S20samba       S65fan    S96optware    S99twonky
/etc/rc # mv S35ssh S98ssh
/etc/rc #
/etc/rc # reboot
You will now be able to login as root.
Update concerning Firmware 4.4.5
Looking in 4.4.5, there are some new entries in /etc/rc:
S97croninit S98torrent S99twonky
Question: Now I can't get openssh to start after S96optware as suggested in "Update concerning Firmware 4.3.8...". Any suggestions?
Answer: Starting Openssh and Cron at the same time is not a problem. So creating S97openssh will do the trick: it starts openssh just after optware (S96optware).
Further configuration (shared keys)
If you like, you can configure sshd to use pre-shared keys.
