![]() # Stop the sshd service and kill remaining processes We will telnet to the diskstation, stop and kill all sshd processes, and finally replace and start our new sshd binary. Now comes the dicey part that scared me the most: The sshd heart transplantation. Time to try it out! Start the new sshd on a free port and see if you can connect to it from your machine. Sudo ln -s /etc/ssh/sshd_config /opt/etc/ssh/sshd_config Sudo mv /opt/etc/ssh/sshd_config /opt/etc/ssh/sshd_config.orig Make a link to the real sshd_config at the place where the new sshd will look. Sudo sed -i 's/#HostKey /HostKey /g' /etc/ssh/sshd_config Sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig Add the privilege-separated sshd userĮcho 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologinĮcho 'sshd:x:74:' | sudo tee -a /etc/group We need to modify the system’s /etc/passwd, /etc/group, and /etc/ssh/sshd_config files. Now we’re getting into more dangerous territories. My Diskstation’s built-in /bin/sshd has version OpenSSH_7.4p1, OpenSSL 1.0.2u-fips, while opkg installed /opt/sbin/sshd with version OpenSSH_8.3p1, OpenSSL 1.1.1g. Sudo /opt/bin/opkg install openssh-server-pam Log in as admin to opkg update and opkg install openssh-server-pam (we’ll continue to use Synology’s pam modules like autoblock, so the new sshd needs pam support). Open up a new ssh connection to the Diskstation (mine has diskstation as hostname). The Control Panel allows to enable ssh – but only for admins. Next, make sure the ssh and telnet services (we need both!) are enabled in the Control Panel Terminal tab. You can find them at Entware (mipsel), and Optware-ng (mipsel-ng), respectively. To find out what version is offered, find out your Diskstation’s arch and check the respective package index. Choose the one with the more recent OpenSSH. You will have to decide between the Entware and Optware distribution. Add the Community Package Hub to the Package Cetner sources. Don’t forget to hit the reload button to fetch the new source. ![]() Make the Diskstation’s Package Center find EBI by adding as an additional package source. First, let’s install opkg itself via the Easy Bootstrap Installer (EBI). While it’s possible to cross-compile and install OpenSSH from source, we will go the easy route and install it via the Optware opkg package manager. In this post I will go over how to install a vanilla OpenSSH sshd which enables regular users to log in via ssh. In my use case I want to ssh to my diskstation from a server cronjob, so I would have to leave superuser credentials on an public-internet facing server □♂️. I don’t know how anybody at Synology thought that would be a good idea, because this just makes people assign superuser privileges to their regular user accounts. There is no setting or config file for this: Synology ship a custom version of OpenSSH that prevents anybody but root from logging in. Synology’s DSM 6 does support ssh logins – but only for administrator users.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |