Difference between revisions of "OpenSSH (including daemon) for OpenLink"

From NAS-Central Buffalo - The Linkstation Wiki
m (OpenLink (PowerPC))
m (corrected invalid URL)
 
(29 intermediate revisions by 11 users not shown)
Line 7: Line 7:
 
 
==Background==
 
==Background==
This project offers [[w:OpenSSH|OpenSSH]] (including daemon), precompiled and packaged for the PPC LinkStation. The OpenSSH<ref>[http://www.openssh.com/ http://www.openssh.com/] - OpenSSH a FREE version of the SSH connectivity tools</ref> package is intended for people who want to upgrade from [[w:Dropbear|Dropbear]]<ref>[[Dropbear package designed specifically for the MIPSel LinkStation]]</ref><ref>[[Dropbear package for the PPC LinkStation]]</ref> to a more full-featured [[w:SSH|SSH]] daemon. This way you can use a client like [[w:puTTY|PuTTY]] or [[w:FileZilla|FileZilla]] for terminal and file transfer. You can even tunnel<ref>http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html - Tunneling Explained</ref> other protocols like [[w:VNC|VNC]]<ref>http://martybugs.net/smoothwall/puttyvnc.cgi - Tunneling VNC over SSH with PuTTY</ref> and [[w:Samba_software|Samba]]<ref>http://souptonuts.sourceforge.net/sshtips.htm - Breaking Firewalls with OpenSSH and PuTTY</ref> through [[w:SSH|SSH]] to make them secure.  This package requires that you have installed the [[OpenLink]] or [[FreeLink]] firmware. You may download the latest version from the downloads area [http://downloads.linkstationwiki.net/powerpc-hdhlan/ppc-openssh-3.9p1-05b.tgz here].  Or, use this version<ref>[http://www.qumran.org/ftp/local/linux/lsppc/openssh-3.9p1-05b.tgz openssh-3.9p1-05b.tgz] - from [http://www.qumran.org/ftp/local/linux/lsppc/files.php Qumran Cave FileBase]</ref> "it contains the original tarball plus an installation script (not yet widely tested, but at least from that you can see the requirements)" referred to by Izzy in this forum <ref>[http://forum.linkstationwiki.net/index.php?action=vthread&forum=4&topic=1032&page=0#msg8524 The Linkstation Community Forum / Everything else / www.linkstationwiki.net - Mediawiki is online]</ref>
+
This project offers [[w:OpenSSH|OpenSSH]] (including daemon), precompiled and packaged for the PPC LinkStation. The OpenSSH<ref>[http://www.openssh.com/ http://www.openssh.com/] - OpenSSH a FREE version of the SSH connectivity tools</ref> package is intended for people who want to upgrade from [[w:Dropbear|Dropbear]]<ref>[[Dropbear package designed specifically for the MIPSel LinkStation]]</ref><ref>[[Dropbear package for the PPC LinkStation]]</ref> to a more full-featured [[w:SSH|SSH]] daemon. This way you can use a client like [[w:puTTY|PuTTY]] or [[w:FileZilla|FileZilla]] for terminal and file transfer. You can even tunnel<ref>http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html - Tunneling Explained</ref> other protocols like [[w:VNC|VNC]]<ref>http://martybugs.net/smoothwall/puttyvnc.cgi - Tunneling VNC over SSH with PuTTY</ref> and [[w:Samba_software|Samba]]<ref>http://souptonuts.sourceforge.net/sshtips.htm - Breaking Firewalls with OpenSSH and PuTTY</ref> through [[w:SSH|SSH]] to make them secure.  This package requires that you have installed the [[OpenLink]] or [[FreeLink]] firmware. You may download version 3.9p1 from the downloads area [http://downloads.nas-central.org/powerpc-hdhlan/ppc-openssh-3.9p1-05b.tgz here].  You may want to use this version<ref>[http://www.qumran.org/ftp/local/linux/lsppc/openssh-3.9p1-05b.tgz openssh-3.9p1-05b.tgz] - from [http://www.qumran.org/ftp/local/linux/lsppc/files.php Qumran Cave FileBase]</ref> "it contains the original tarball plus an installation script (not yet widely tested, but at least from that you can see the requirements)" referred to by Izzy in this forum <ref>[http://forum.nas-central.org/index.php?action=vthread&forum=4&topic=1032&page=0#msg8524 The NAS-Central Community Forum / Everything else / www.nas-central.org - Mediawiki is online]</ref>.  Or, get version 4.3p2 from [http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz here].
 +
 
 +
== Programs included ==
 +
 
 +
The OpenSSH suite includes the following tools:<ref>[[w:OpenSSH|OpenSSH]] - From the [[w:|WikiPedia]]</ref>
 +
* ssh, a replacement for [[w:rlogin|rlogin]] and [[w:telnet|telnet]]:
 +
:<code>ssh user@example.com</code>
 +
* [[w:Secure Copy|scp]], a replacement for [[w:rcp|rcp]]:
 +
:<code>scp user@example.com:somefile .</code>
 +
* [[w:secure file transfer program|sftp]], a replacement for [[w:ftp|ftp]]:
 +
:<code>sftp user@example.com</code>
 +
* sshd, the SSH [[w:daemon (computer software)|daemon]]:
 +
:<code>sshd</code>
 +
* ssh-keygen, a tool to generate the [[w:RSA|RSA]] and [[w:Digital Signature Algorithm|DSA]] keys that are used for user and host [[w:authentication|authentication]]:
 +
:<code>ssh-keygen -t rsa</code>
 +
* ssh-agent, a small daemon that can hold copies of public keys and use them to sign authentication challenges, avoiding the need to enter passphrases every time they are used:
 +
:<code>eval `ssh-agent`</code>
 +
* ssh-add, a tool to load keys into, or delete keys from a running ssh-agent:
 +
:<code>ssh-add</code>
 +
* ssh-keyscan, which scans a list of hosts and collects their public keys:
 +
:<code>ssh-keyscan -t rsa 192.2.0.33 192.2.0.34 www.example.com</code>
 +
* sftp-server, the [[w:secure file transfer program|sftp]] server subsystem (normally run directly by sshd)
 +
* ssh-keysign, a [[w:setuid|setuid]] helper program that signs "hostbased" authentication challenges using the host's private keys (normally executed directly by ssh)
  
 
==Installation Instructions==
 
==Installation Instructions==
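Review bot: the sentence added at the end of the Background paragraph ("Or, get version 4.3p2 from here") links to the same www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz URL that the OpenLink (PowerPC) section of this revision now describes as invalid, so the two statements contradict each other. Either drop the new link or repeat the caveat next to it. All three download links in this paragraph are plain http with no checksum given, so a reader has nothing to verify a tarball against before unpacking it; publishing a hash next to each link would fix that.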
Line 17: Line 39:
 
* You can configure SSH through Webmin (see [[Webmin to remotely administer your LinkStation]])
 
* You can configure SSH through Webmin (see [[Webmin to remotely administer your LinkStation]])
 
===OpenLink (PowerPC)===
 
===OpenLink (PowerPC)===
: <big>OpenSSH-4.3p2</big>
+
A complete OpenSSH-4.3p2-package was available at mindbenders-page, but the link is unvalid at the moment:
  
A complete OpenSSH-4.3p2-package is available at mindbenders-page:
 
[http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz OpenSSH-4.3p2_ppc.tar.gz]
 
Install it by
 
 
  cd /
 
  cd /
 +
 
  wget http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz
 
  wget http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz
 
  tar xzvf OpenSSH-4.3p2_ppc.tar.gz
 
  tar xzvf OpenSSH-4.3p2_ppc.tar.gz
 
  /usr/local/etc/create_keys.sh
 
  /usr/local/etc/create_keys.sh
you should be able to connect via ssh after reboot or if you start
 
/etc/init.d/sshd start
 
manually.
 
  
Also, the sshd needs to be modified by adding the following lines to startup block.  
+
====Startscript (/etc/init.d/sshd)====
 +
1) The <tt>/etc/init.d/sshd</tt> needs to be modified by adding the following lines to startup block.  
 
  if [ ! -d /var/empty ]; then
 
  if [ ! -d /var/empty ]; then
 
  mkdir /var/empty
 
  mkdir /var/empty
 
  fi   
 
  fi   
If the modification is not done, every time SSH is stopped and restarted, it will complain the the /var/empty directory already exists.  One must also remember to create user named "sshd".
+
If the modification is not done, every time SSH is stopped and restarted, it will complain the the /var/empty directory already exists.   
 +
 
 +
2) One must also remember to create user named "sshd".
 +
mkdir /var/empty
 +
chown root:sys /var/empty
 +
chmod 755 /var/empty
 +
groupadd sshd
 +
useradd sshd -g sshd -c 'sshd privsep' -d /var/empty
 +
chown root:root /usr/local/sbin/sshd
 +
ln -s /etc/init.d/sshd /etc/rc.d/rc2.d/S07sshd
 +
3) You should be able to connect via ssh after reboot or if you start
 +
/etc/init.d/sshd "start"
 +
manually.
  
 
===OpenLink (MIPSel)===
 
===OpenLink (MIPSel)===
''This is generic and probably would work for any flavor LinkStation''<ref>[http://forum.linkstationwiki.net/index.php?action=vthread&forum=3&topic=1241#msg10720 The Linkstation Community Forum / Linkstation 2 (mips) / Secure FTP for a Noob]</ref>
+
''This is generic and probably would work for any flavor LinkStation''<ref>[http://forum.nas-central.org/index.php?action=vthread&forum=3&topic=1241#msg10720 The NAS-Central Community Forum / Linkstation 2 (mips) / Secure FTP for a Noob]</ref>
  
 
to be able to compile you have to meet the following prerequisites:
 
to be able to compile you have to meet the following prerequisites:
 
# Flashed your LinkStation with [[OpenLink]]
 
# Flashed your LinkStation with [[OpenLink]]
# [[DevelopmentToolsInstallation|Installed]] the [http://downloads.linkstationwiki.net/development_tools/mipsel-tools-2_1.tgz mipsel-development-tools] (for the MIPSel LinkStation)
+
# [[DevelopmentToolsInstallation|Installed]] the [http://downloads.nas-central.org/development_tools/mipsel-tools-2_1.tgz mipsel-development-tools] (for the MIPSel LinkStation)
  
 
then compiling works that way:
 
then compiling works that way:
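Review bot: step 2 under "Startscript (/etc/init.d/sshd)" is introduced as creating the user "sshd", but the commands under it also run an unguarded mkdir /var/empty, change the owner of /usr/local/sbin/sshd and create the rc2.d link. Give the step a title that covers all of that, or split it, and use the guarded form from step 1 for the mkdir so the block can be re-run. The guard in step 1 only creates the directory, so a /var/empty that is recreated at start does not get the chown root:sys and chmod 755 from step 2; putting those two lines inside the guard keeps owner and mode consistent.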
Line 47: Line 77:
 
download the source of OpenSSH to a seperate folder that you will use for compiling
 
download the source of OpenSSH to a seperate folder that you will use for compiling
  
 +
<i>the ftp site below seems unreliable, another is here: ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/ </i>
 +
 +
useradd sshd
 
  cd <folder_for_compiling>  
 
  cd <folder_for_compiling>  
 
  wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.3p2.tar.gz  
 
  wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.3p2.tar.gz  
 
  tar xzvf openssh-4.3p2.tar.gz  
 
  tar xzvf openssh-4.3p2.tar.gz  
 
  cd openssh-4.3p2  
 
  cd openssh-4.3p2  
  ./configure  
+
  ./configure --without-zlib-version-check
 
  make  
 
  make  
 
  make install
 
  make install
  
 
the ssh-keys are generated automatically in the installation process.
 
the ssh-keys are generated automatically in the installation process.
there are two things that have to done additionally.
 
  
1) you have to create a startscript for OpenSSH which is stored at     
+
If you run into problems with not having the sort command available, see here: http://buffalo.nas-central.org/wiki/Sort_is_missing_in_OpenLink-mipsel
  
 +
there are two things that have to done additionally.
 +
====Startscript (/etc/init.d/sshd)====
 +
1) you have to manually create a startscript for OpenSSH which is stored at     
 
  /etc/init.d/sshd
 
  /etc/init.d/sshd
 
+
or you use this one (/var/empty has to be created each time at start):
or you use this one:
+
 
+
 
  #! /bin/sh
 
  #! /bin/sh
 
  export USER="root"
 
  export USER="root"
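Review bot: the configure line now passes --without-zlib-version-check with no explanation. Say why the check has to be skipped on this firmware and which zlib version is installed, so readers can judge whether to update zlib instead. The added useradd sshd also has no group, comment or home directory, unlike the useradd sshd -g sshd -c 'sshd privsep' -d /var/empty used in the PowerPC section; use the same form in both places.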
Line 69: Line 102:
 
  start()
 
  start()
 
  {
 
  {
     mkdir /var/empty
+
     if [ ! -d /var/empty ]; then
 +
        mkdir /var/empty
 +
    fi 
 
     su - $USER -c"/usr/local/sbin/sshd"
 
     su - $USER -c"/usr/local/sbin/sshd"
 
  }
 
  }
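Review bot: the guarded mkdir in start() creates /var/empty with whatever owner and mode the calling shell gives it. The TeraStation section added in this revision puts chown root:sys /var/empty and chmod 755 /var/empty inside the same guard; do the same here so the directory is set up identically on every start. The closing fi is also indented one space less than the if it belongs to.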
Line 100: Line 135:
 
do this by executing
 
do this by executing
  
  ln -s /etc/init.d/sshd /etc/init.d/rc.d/rc2.d/S07sshd
+
  ln -s /etc/init.d/sshd /etc/rc.d/rc2.d/S07sshd
  
 
afterwards OpenSSH is ready for action.
 
afterwards OpenSSH is ready for action.
== Programs included ==
 
  
The OpenSSH suite includes the following tools:<ref>[[w:OpenSSH|OpenSSH]] - From the [[w:|WikiPedia]]</ref>
+
===TeraStation (PowerPC)===
* ssh, a replacement for [[w:rlogin|rlogin]] and [[w:telnet|telnet]]:
+
A complete OpenSSH-4.3p2-package is available at mindbenders-page, install it by:
:<code>ssh user@example.com</code>
+
cd /
* [[w:Secure Copy|scp]], a replacement for [[w:rcp|rcp]]:
+
wget http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz
:<code>scp user@example.com:somefile .</code>
+
tar xzvf OpenSSH-4.3p2_ppc.tar.gz
* [[w:secure file transfer program|sftp]], a replacement for [[w:ftp|ftp]]:
+
/usr/local/etc/create_keys.sh
:<code>sftp user@example.com</code>
+
 
* sshd, the SSH [[w:daemon (computer software)|daemon]]:
+
====Check for missing 'groups' file====
:<code>sshd</code>
+
Check to see if you have the ''groups'' command available as it is needed. It will typically be under /usr/local/bin, but the easiest way to check for it is to simply issue the command
* ssh-keygen, a tool to generate the [[w:RSA|RSA]] and [[w:Digital Signature Algorithm|DSA]] keys that are used for user and host [[w:authentication|authentication]]:
+
groups
:<code>ssh-keygen -t rsa</code>
+
bash: groups: command not found
* ssh-agent, a small daemon that can hold copies of public keys and use them to sign authentication challenges, avoiding the need to enter passphrases every time they are used:
+
and see if you get an error as in the above example or not. If it does not exist on your system, then you can extract it from the coreutils package available at http://downloads.nas-central.org/ALL_PPC/ (it is not necessary to install the full coreutils package unless you really want to).
:<code>eval `ssh-agent`</code>
+
 
* ssh-add, a tool to load keys into, or delete keys from a running ssh-agent:
+
====Startscript (/etc/init.d/sshd)====
:<code>ssh-add</code>
+
1) The <tt>/etc/init.d/sshd</tt> needs to be modified by adding the following lines to startup block.
* ssh-keyscan, which scans a list of hosts and collects their public keys:
+
if [ ! -d /var/empty ]; then
:<code>ssh-keyscan -t rsa 192.2.0.33 192.2.0.34 www.example.com</code>
+
  mkdir /var/empty
* sftp-server, the [[w:secure file transfer program|sftp]] server subsystem (normally run directly by sshd)
+
  chown root:sys /var/empty
* ssh-keysign, a [[w:setuid|setuid]] helper program that signs "hostbased" authentication challenges using the host's private keys (normally executed directly by ssh)
+
  chmod 755 /var/empty
 +
fi 
 +
If the modification is not done, every time SSH is stopped and restarted, it will complain the the /var/empty directory already exists. 
 +
 
 +
2) One must do a final step to create the link for auto-starting the sshd daemon on system boot:
 +
ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S07sshd
 +
 
 +
3) You should be able to connect via ssh after reboot or if you start
 +
/etc/init.d/sshd "start"
 +
manually.   At this point you can connect using your favorite ssh client (e.g. putty).
 +
 
 +
====Disabling standard telnet====
 +
Once you are happy that you have ssh working you are likely to want to disable standard telnet.
 +
To do this comment out the the line in /etc/inetd.conf that starts telnet by inserting a # at
 +
the front:
 +
#telnet stream  tcp    nowait  root    /usr/sbin/tcpd in.telnetd
 +
You can then always re-enable standard (unencrypted) telnet by uncommenting this line.
 +
 
 
==References==
 
==References==
 
<references/>
 
<references/>
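Review bot: the new "Disabling standard telnet" text stops at commenting out the telnet line in /etc/inetd.conf; inetd only rereads that file when it is restarted or sent a hangup signal, so telnet keeps answering until then. Add that step, and a check that telnet no longer accepts connections. The heading "Check for missing 'groups' file" refers to a file, while the text below it is about the groups command.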

Latest revision as of 18:11, 6 November 2010

This article based on work done by Frontalot on Linkstationwiki.org

Background

This project offers OpenSSH (including daemon), precompiled and packaged for the PPC LinkStation. The OpenSSH[1] package is intended for people who want to upgrade from Dropbear[2][3] to a more full-featured SSH daemon. This way you can use a client like PuTTY or FileZilla for terminal access and file transfer. You can even tunnel[4] other protocols like VNC[5] and Samba[6] through SSH to make them secure. This package requires that you have installed the OpenLink or FreeLink firmware. You may download version 3.9p1 from the downloads area here. You may want to use this version[7], which Izzy refers to in this forum[8]: "it contains the original tarball plus an installation script (not yet widely tested, but at least from that you can see the requirements)". Or, get version 4.3p2 from here.

Programs included

The OpenSSH suite includes the following tools:[9]

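  • ssh, a replacement for rlogin and telnet:
ssh user@example.com
  • scp, a replacement for rcp:
scp user@example.com:somefile .
  • sftp, a replacement for ftp:
sftp user@example.com
  • sshd, the SSH daemon:
sshd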
  • ssh-keygen, a tool to generate the RSA and DSA keys that are used for user and host authentication:
ssh-keygen -t rsa
  • ssh-agent, a small daemon that can hold copies of public keys and use them to sign authentication challenges, avoiding the need to enter passphrases every time they are used:
eval `ssh-agent`
  • ssh-add, a tool to load keys into, or delete keys from a running ssh-agent:
ssh-add
  • ssh-keyscan, which scans a list of hosts and collects their public keys:
ssh-keyscan -t rsa 192.2.0.33 192.2.0.34 www.example.com
  • sftp-server, the sftp server subsystem (normally run directly by sshd)
  • ssh-keysign, a setuid helper program that signs "hostbased" authentication challenges using the host's private keys (normally executed directly by ssh)

Installation Instructions

FreeLink (Debian)

  • Install the OpenSSH package using apt-get. If prompted, select SSH version 2. Use the command:[10]
apt-get install ssh

OpenLink (PowerPC)

A complete OpenSSH-4.3p2-package was available at mindbenders-page, but the link is invalid at the moment:

cd /

wget http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz
tar xzvf OpenSSH-4.3p2_ppc.tar.gz
/usr/local/etc/create_keys.sh

Startscript (/etc/init.d/sshd)

1) The /etc/init.d/sshd script needs to be modified by adding the following lines to the startup block.

if [ ! -d /var/empty ]; then
  mkdir /var/empty
fi

If the modification is not done, every time SSH is stopped and restarted, it will complain that the /var/empty directory already exists.

2) One must also remember to create a user named "sshd".

mkdir /var/empty
chown root:sys /var/empty
chmod 755 /var/empty
groupadd sshd
useradd sshd -g sshd -c 'sshd privsep' -d /var/empty 
chown root:root /usr/local/sbin/sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc2.d/S07sshd

3) You should be able to connect via ssh after reboot or if you start

/etc/init.d/sshd "start"

manually.

OpenLink (MIPSel)

This is generic and probably would work for any flavor LinkStation[11]

To be able to compile, you have to meet the following prerequisites:

  1. Flashed your LinkStation with OpenLink
  2. Installed the mipsel-development-tools (for the MIPSel LinkStation)

Compiling then works as follows:

Download the source of OpenSSH to a separate folder that you will use for compiling.

The ftp site below seems unreliable; another is here: ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/

useradd sshd
cd <folder_for_compiling> 
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.3p2.tar.gz 
tar xzvf openssh-4.3p2.tar.gz 
cd openssh-4.3p2 
./configure --without-zlib-version-check
make 
make install

The ssh keys are generated automatically in the installation process.

If you run into problems with not having the sort command available, see here: http://buffalo.nas-central.org/wiki/Sort_is_missing_in_OpenLink-mipsel

There are two things that have to be done additionally.

Startscript (/etc/init.d/sshd)

1) You have to manually create a startscript for OpenSSH, which is stored at

/etc/init.d/sshd

or you can use this one (/var/empty has to be created each time at start):

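#!/bin/sh
# Start/stop script for the OpenSSH daemon, stored as /etc/init.d/sshd
export USER="root"
NAME=sshd
start()
{
    # sshd needs /var/empty; create it only if it is missing
    if [ ! -d /var/empty ]; then
        mkdir /var/empty
    fi
    su - "$USER" -c "/usr/local/sbin/sshd"
}
stop()
{
    su - "$USER" -c "killall sshd"
}
case "$1" in
    start)
        echo -n "Starting sshd: "
        start
        ;;
    stop)
        echo -n "Stopping sshd "
        stop
        ;;
    restart)
        echo -n "Restarting sshd "
        stop
        start
        ;;
    *)
        # NAME matches the script's file name so the usage line is correct
        echo "Usage: /etc/init.d/$NAME {start|stop|restart}"
        exit 1
        ;;
esac
exit 0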

2) You have to make sure sshd is started automatically after shutdown/reboot. Do this by executing

ln -s /etc/init.d/sshd /etc/rc.d/rc2.d/S07sshd

Afterwards OpenSSH is ready for action.

TeraStation (PowerPC)

A complete OpenSSH-4.3p2-package is available at mindbenders-page, install it by:

cd /
wget http://www.unet.univie.ac.at/~a0025690/ppc-binaries/OpenSSH-4.3p2_ppc.tar.gz
tar xzvf OpenSSH-4.3p2_ppc.tar.gz
/usr/local/etc/create_keys.sh

Check for missing 'groups' file

Check to see if you have the groups command available as it is needed. It will typically be under /usr/local/bin, but the easiest way to check for it is to simply issue the command

groups
bash: groups: command not found

and see if you get an error as in the above example or not. If it does not exist on your system, then you can extract it from the coreutils package available at http://downloads.nas-central.org/ALL_PPC/ (it is not necessary to install the full coreutils package unless you really want to).

Startscript (/etc/init.d/sshd)

1) The /etc/init.d/sshd script needs to be modified by adding the following lines to the startup block.

if [ ! -d /var/empty ]; then
  mkdir /var/empty
  chown root:sys /var/empty
  chmod 755 /var/empty
fi

If the modification is not done, every time SSH is stopped and restarted, it will complain that the /var/empty directory already exists.

2) One must do a final step to create the link for auto-starting the sshd daemon on system boot:

ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S07sshd

3) You should be able to connect via ssh after reboot or if you start

/etc/init.d/sshd "start"

manually. At this point you can connect using your favorite ssh client (e.g. putty).

Disabling standard telnet

Once you are happy that you have ssh working, you are likely to want to disable standard telnet. To do this, comment out the line in /etc/inetd.conf that starts telnet by inserting a # at the front:

#telnet	stream  tcp     nowait  root    /usr/sbin/tcpd	in.telnetd

You can then always re-enable standard (unencrypted) telnet by uncommenting this line.
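
The installation steps above leave four things that can be checked afterwards: the sshd user, the /var/empty directory with its owner and mode, the S07sshd boot link and the telnet line in /etc/inetd.conf. The script below is an added example, not part of the original wiki page or of OpenSSH; the function names are hypothetical, and the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-install checks for the sshd setup described on this page.
# Function names are hypothetical; paths are the ones the page uses.

# privsep_user_ok PASSWD_FILE: true when a user named "sshd" exists.
privsep_user_ok() {
    grep -q '^sshd:' "${1:-/etc/passwd}"
}

# privsep_dir_ok DIR [OWNER]: DIR must exist, belong to OWNER (default root)
# and must not be writable by group or others.
privsep_dir_ok() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # ls -ld prints e.g. "drwxr-xr-x 2 root sys ..."; field 1 is the mode
    # string, field 3 the owner.
    set -- $(ls -ld "$dir")
    mode=$1
    actual=$3
    [ "$actual" = "$owner" ] || { echo "$dir owned by $actual, want $owner"; return 1; }
    case $mode in
        d????w*|d???????w*)
            echo "$dir is group or world writable ($mode)"
            return 1
            ;;
    esac
    return 0
}

# autostart_ok RC_DIR: true when RC_DIR/S07sshd exists and resolves to a file.
autostart_ok() {
    [ -e "${1:-/etc/rc.d/rc2.d}/S07sshd" ]
}

# telnet_disabled INETD_CONF: true when no uncommented line starts telnet.
# A missing inetd.conf is treated as "telnet not configured" (assumption).
telnet_disabled() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || return 0
    ! grep -Eq '^[[:space:]]*telnet[[:space:]]' "$conf"
}

# audit: run every check against the live system and report what is missing.
audit() {
    fail=0
    privsep_user_ok /etc/passwd || { echo "no sshd user in /etc/passwd"; fail=1; }
    privsep_dir_ok /var/empty root || fail=1
    autostart_ok /etc/rc.d/rc2.d || autostart_ok /etc/rc.d/rc3.d ||
        { echo "no S07sshd link in rc2.d or rc3.d"; fail=1; }
    telnet_disabled /etc/inetd.conf || { echo "telnet still enabled in inetd.conf"; fail=1; }
    return $fail
}

# Run the checks only when asked to, e.g.: sh check_sshd.sh audit
if [ "${1:-}" = "audit" ]; then
    audit
fi
```

Run it as root on the NAS with the argument audit; it prints one line per failed check and exits non-zero if any check failed.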

References

  1. http://www.openssh.com/ - OpenSSH a FREE version of the SSH connectivity tools
  2. Dropbear package designed specifically for the MIPSel LinkStation
  3. Dropbear package for the PPC LinkStation
  4. http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html - Tunneling Explained
  5. http://martybugs.net/smoothwall/puttyvnc.cgi - Tunneling VNC over SSH with PuTTY
  6. http://souptonuts.sourceforge.net/sshtips.htm - Breaking Firewalls with OpenSSH and PuTTY
  7. openssh-3.9p1-05b.tgz - from Qumran Cave FileBase
  8. The NAS-Central Community Forum / Everything else / www.nas-central.org - Mediawiki is online
  9. OpenSSH - From the WikiPedia
  10. Convert from telnet to SSH (both OpenSSH and Dropbear)
  11. The NAS-Central Community Forum / Linkstation 2 (mips) / Secure FTP for a Noob