add ssh user


isvein


  • 4 years later...

For those not wanting to use a plugin, you can add the user via the root user.

 

Give it a home dir and shell, and then update the saved /boot/config/passwd with the one in /etc/passwd

It seems that when booting, Unraid turns off all shells for non-root accounts, so you need to add a line in the init script to enable them again...

/boot/config/go

 

No idea how updates/upgrades will work with this... probably will blow it away.

Link to comment
  • 1 month later...
  • 1 year later...

I've no idea why they have made it so hard to do this. I'm the single and only user of my unraid setup and my main mode of transferring data is via rsync & SCP. I *must* be able to have a working user that is not root to have SSH access for this even when the system unexpectedly reboots.

 

So after a bunch of trial and error I've come up with the expanded version of the /boot/config/go script below. Shared here in case it helps somebody else who's been struggling with this omission.

 

The user 'USERNAME' was created and password set using the web GUI.

All you'd need to do is change the word USERNAME to your actual, well... username, and double check the 1000:100 user:group numbers are the same for your situation.

 

If this messes up your unraid config somehow, it's non-destructive. Reverting to default settings, because you just want to or because you messed up, is a matter of opening a terminal via the web gui or on the physical console and removing everything but the first & last line of the /boot/config/go file again.

 

#!/bin/bash

# Make homedir
mkdir /USERNAME
chown USERNAME:users /USERNAME

# Set homedir and assign shell
cat /etc/passwd | sed -e s/USERNAME.*false/"USERNAME:x:1000:100:User description:\/USERNAME:\/bin\/bash"/ > /etc/passwd.1
mv /etc/passwd.1 /etc/passwd

# Ensure user profile doesn't try to send you to the root homedir upon login
cat /etc/profile | sed -e s/"export HOME=\/root"/"export HOME=\/\`whoami\`"/ > /etc/profile.1
mv /etc/profile.1 /etc/profile

# Allow all users to SSH in.
# (Alternatively append your specific desired username after 'root', separated with a space:
# i.e. "AllowUsers root USERNAME")
cat /etc/ssh/sshd_config | sed -e s/"AllowUsers root"/"# AllowUsers root"/ > /etc/ssh/sshd_config.1
mv /etc/ssh/sshd_config.1 /etc/ssh/sshd_config
/etc/rc.d/rc.sshd reload

# Start the Management Utility
/usr/local/sbin/emhttp &

 

  • Like 1
Link to comment
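A more defensive form of the passwd edit from the go script above, as an added example that is not part of the original post: it patches a copy and only replaces the file if the user was found and a root entry is still present. The function name `set_user_shell` and the sample passwd lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Names and sample data are constructed.

# set_user_shell FILE USER HOME SHELL
# Rewrites only USER's home and shell fields in a passwd-format FILE.
# FILE is left untouched if USER is missing or the result has no root entry.
set_user_shell() {
    local file="$1" user="$2" home="$3" shell="$4" tmp rc
    # Temp file beside FILE so the final mv is a rename on the same filesystem
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Splitting on ':' avoids regexes over the user name and escaping of '/'
    awk -F: -v OFS=: -v u="$user" -v h="$home" -v s="$shell" \
        '$1 == u { $6 = h; $7 = s; hit = 1 } { print } END { exit !hit }' \
        "$file" > "$tmp"
    rc=$?
    if [ "$rc" -ne 0 ] || ! grep -q '^root:' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample; on the server FILE would be /etc/passwd
sample=$(mktemp)
printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
    'USERNAME:x:1000:100:User description:/:/bin/false' > "$sample"
set_user_shell "$sample" USERNAME /USERNAME /bin/bash && grep '^USERNAME:' "$sample"
rm -f "$sample"
```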
11 hours ago, whiter said:

I've no idea why they have made it so hard to do this. I'm the single and only user of my unraid setup and my main mode of transferring data is via rsync & SCP. I *must* be able to have a working user that is not root to have SSH access for this even when the system unexpectedly reboots.

This is unRAID, it does not use linux users for permissions. The ONLY user in the conventional linux sense is root. Ideally you should not have other systems SSH directly into unRAID. The better way to handle it would be with a docker container or VM running an SSH server and having access to the specific array folders required. Personally I use an LXC container for this, but that requires the LXC plugin rather than built in functionality.

Link to comment
On 8/10/2023 at 1:26 AM, primeval_god said:

This is unRAID, it does not use linux users for permissions. The ONLY user in the conventional linux sense is root.

 

Users created in the Unraid user interface are added to /etc/passwd. Files uploaded via an 'official' sharing mechanism like SMB honour the Linux file permissions and create new files using the user ID and group ID as assigned to the logged in user in the /etc/passwd file. Linux users for accounts other than root are very much used.

 

 

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS. I've no intention to overcomplicate things, and beef up the CPU and memory of the system hosting nothing but my backup drives, for the sake of running a basic capability that it already has but is just made extra difficult to enable. Keep It Stupid Simple.

 

 

 

  • Like 1
Link to comment
4 hours ago, whiter said:

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS. I've no intention to overcomplicate things, and beef up the CPU and memory of the system hosting nothing but my backup drives, for the sake of running a basic capability that it already has but is just made extra difficult to enable.

I don't share this opinion but of course that's my opinion. I think it's more overkill what you did above but don't get me wrong that's my opinion. :)

 

It always depends on what you are trying to do and to accomplish. For me it's way enough to log in as root and do stuff as root and I never want to access this from outside and even if I want to do that I can create a tunnel and do that.

Link to comment

I've recently started using tailscale and the unraid plugin for it with SSH enabled. It seems to pretty much solve both the multi-user and the open SSH port issues at once for me anyway. Specifically the multi-user aspect just means letting multiple different users login to SSH as root without giving out a password or managing keys. That might not be what everyone is looking for, but it might solve the needs for some.

 

I also do still use the unraid connect plugin, and I wish it didn't require an open port, but it doesn't bother me enough to not use it.

  • Like 1
Link to comment
On 8/12/2023 at 5:20 AM, whiter said:

Users created in the Unraid user interface are added to /etc/passwd. Files uploaded via an 'official' sharing mechanism like SMB honour the Linux file permissions and create new files using the user ID and group ID as assigned to the logged in user in the /etc/passwd file. Linux users for accounts other than root are very much used.

See https://docs.unraid.net/unraid-os/manual/users

 

On 8/12/2023 at 5:20 AM, whiter said:

Running docker, and loading a container, is WAY overkill for a built-in core capability of the OS.

...and beef up the CPU and memory of the system...

It's really not overkill, it's the way the system is meant to be used (in unRAID that is). Containerization really doesn't have that much overhead in terms of cpu and memory usage. It's just tooling over cgroups and namespaces after all. In fact systems exist where every normal linux process is containerized (see Rancher OS) and they manage to stay performant. Admittedly there is a bit more overhead in terms of disk usage especially with docker. And there is something to be said for the increase in complexity for those less familiar with docker and LXC, however the unRAID webui experience (and LXC plugin experience) help a lot in this area.

 

Link to comment

Based on Whiter's contribution I have the following manual steps to set up a second user to use SSH from a Mac. I did try the edit for unRaid /boot/config/go but I ended up bricking root access so had to create a new unRaid USB (using the existing USB stick - a good exercise in itself). I too am a one user unRaid (3 day old) user with a Mac. Reason is I have numerous hundreds of GBs Final Cut Pro projects (which contain zillions of small and large files) to move/copy to (3 day old) MacPro Unraid system. SMB is not usable, too slow, unfortunately (for the many threads on the subject here). FTP cannot get to work using the default FTP server (read_only!?!) and not able to find/setup a FTP from the app store.

Here are my manual steps:

Delete the unRaid user Sid if exists already

root@Tower:~# useradd sid

root@Tower:~# passwd sid

root@Tower:~# mkdir /home/sid

root@Tower:~# chown sid:users /home/sid

root@Tower:~# ls -al /home  <== checking

root@Tower:~# cat /etc/passwd  <== checking

root@Tower:~# groupadd -r sshusers

root@Tower:~# usermod -a -G sshusers root

root@Tower:~# usermod -a -G sshusers sid

root@Tower:~# vi /etc/ssh/sshd_config

==> add AllowUsers root sid

==> add AllowGroups sshusers

root@Tower:~# /usr/sbin/sshd -t  <== check the config is valid

root@Tower:~# echo $?

0 <== A 0 equals all ok, non zero means fix it

root@Tower:~# /etc/rc.d/rc.sshd reload

Re-add unRaid Sid user

Try rsync using user sid

==> rsync -avhP -e ssh ~/Downloads/teleport/ [email protected]:/mnt/user/unraid/teleport/

And try root user

rsync -avhP -e ssh ~/Downloads/teleport/ [email protected]:/mnt/user/unraid/teleport/

 

 

Edited by ChannelD
upper to lower case correction
Link to comment
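A pre-reload check for the AllowUsers/AllowGroups step above, as an added example that is not part of the original post. When both directives are set, sshd requires a login to satisfy both, and `sshd -t` checks syntax, not whether a listed group exists, so a misspelled group name passes validation and still locks out every account, root included. The function names and sample config are constructed; the model handles literal names only (no patterns, USER@HOST entries, Deny* directives or Match blocks).

```bash
#!/bin/bash
# Added example, not from the thread. Simplified model of sshd's allow lists.

# directive_values CONFIG KEYWORD -> all values of KEYWORD, space separated
directive_values() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# in_list WORD LIST -> success if WORD is one of the space-separated items
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# ssh_login_allowed CONFIG USER "GROUPS"   (GROUPS as printed by `id -Gn USER`)
ssh_login_allowed() {
    local users groups g ok
    users=$(directive_values "$1" AllowUsers)
    groups=$(directive_values "$1" AllowGroups)
    # AllowUsers set: the user name has to be listed
    if [ -n "$users" ] && ! in_list "$2" "$users"; then return 1; fi
    # AllowGroups set as well: one of the user's groups has to be listed too
    if [ -n "$groups" ]; then
        ok=1
        for g in $3; do
            if in_list "$g" "$groups"; then ok=0; fi
        done
        return "$ok"
    fi
    return 0
}

# Constructed sample config, checked the way one would before `rc.sshd reload`
cfg=$(mktemp)
printf 'AllowUsers root sid\nAllowGroups sshusers\n' > "$cfg"
for u in root sid; do
    if ssh_login_allowed "$cfg" "$u" "users sshusers"; then
        echo "$u: allowed"
    else
        echo "$u: LOCKED OUT"
    fi
done
rm -f "$cfg"
```

On the server, pass `/etc/ssh/sshd_config` and `"$(id -Gn root)"` and refuse to reload if root comes back as locked out.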
