sshd

Updated: April 19, 2023

OpenSSH SSH daemon

Syntax:

/usr/sbin/sshd [-46Ddeiqt] [-b bits] [-f config_file]
               [-g login_grace_time] [-h host_key_file]
               [-k key_gen_time] [-o option] [-p port]
               [-u len]
Note: You must use the absolute path to launch this daemon. sshd re-executes itself (for each new connection and on SIGHUP) using the path it was started with, and refuses to start if that path is not absolute.

Runs on:

QNX Neutrino

Options:

See sshd in the NetBSD documentation.

Description:

sshd (the OpenSSH daemon) is the server side of ssh. Together, these programs provide secure, encrypted communications between two untrusted hosts over an insecure network.

This program uses the OpenSSL library for cryptography services.

For more information, see sshd in the NetBSD documentation.

Setting up SSH access to a QNX Neutrino target

Here's how you can enable access via SSH and SFTP on a “plain” system that doesn't have telnet or similar configured. A writable POSIX filesystem is a requirement (fs-qnx6, devf*, or fs-etfs*), and it must be mounted under /.

  1. Add the following lines to your mkifs buildfile (if they aren't there already):
    • In the boot script, start random before you launch io-pkt:
      random -p
      
    • In the library section:
      libcrypto.so.2
      libz.so.2
      
    • In the binary section:
      mkdir
      passwd
      
      /usr/sbin/sshd=sshd
      ssh-keygen
      /usr/libexec/sftp-server=${QNX_TARGET}/${PROCESSOR}/usr/libexec/sftp-server
      
      # These env vars will be set when you log in via ssh; adjust as needed:
      
      /etc/profile = {
          PATH=/proc/boot:/bin:/usr/bin:/sbin:/usr/sbin
          LD_LIBRARY_PATH=/proc/boot:/lib:/usr/lib:/lib/dll
      }
      

      You can also define your own versions of /etc/services and /etc/ssh/sshd_config if the default versions aren't suitable.

  2. Generate a new OS image.
  3. Boot your QNX Neutrino target with the new boot image, and then do the following:
    1. If they don't already exist, create a writable /etc directory (for /etc/passwd) and /etc/ssh/ (for the host keys you're about to generate):
      mkdir -p /etc/ssh
      
    2. Make sure that /etc/passwd exists and contains an entry for root (so you can create keys), and an entry for the privilege separation user, sshd, whose home directory must be the chroot directory you create in step 4:
      sshd:x:15:6:sshd:/var/chroot/sshd:/bin/false
      
    3. Generate the host authentication keys. They must have an empty passphrase (-N ''), because sshd has to load them unattended. For example:
      ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
      ssh-keygen -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ''
      ssh-keygen -t rsa -b 3072 -f /etc/ssh/ssh_host_rsa_key -N ''
      
      Prefer ed25519. For RSA, 1024 bits is the smallest size ssh-keygen accepts and is too short for a host key; use at least 3072. OpenSSH clients have rejected DSA (ssh-dss) host keys by default since OpenSSH 7.0, so generate one (ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '') only if you must support a legacy client that offers nothing else.
      
    4. Create the required directories:
      mkdir -p /var/chroot/sshd
      chmod 700 /var/chroot/sshd
      
  4. Start sshd (the -t option checks the configuration file and host keys and then exits, so you can verify the setup before starting the daemon for real):
    /usr/sbin/sshd -t
    /usr/sbin/sshd
    

You should now be able to access the target with an SSH client and via SFTP.
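The on-target part of the procedure (steps 3 and 4), collected into one re-runnable script. This is an added example, not code from the QNX documentation: it assumes a POSIX /bin/sh, ssh-keygen and /usr/sbin/sshd at the paths used above, and that it runs as root on the target. The function names (ensure_passwd_entry, gen_host_key, setup_sshd) and the --run flag are the example's own. It differs from the bare command list in two ways a practitioner cares about: it never duplicates the passwd entry or regenerates an existing host key (which would change the host identity and break clients' known_hosts), and it validates the configuration with sshd -t before launching.

```shell
#!/bin/sh
# Added example: idempotent on-target sshd setup for QNX Neutrino.
# Not part of the QNX docs. Assumes /bin/sh, ssh-keygen and /usr/sbin/sshd
# as packaged in the image above, and that it runs as root. Function names
# and the --run flag are this example's own.
set -u

# Privilege-separation account; its home must match SSHD_CHROOT below.
SSHD_USER_ENTRY='sshd:x:15:6:sshd:/var/chroot/sshd:/bin/false'
SSHD_CHROOT='/var/chroot/sshd'

# ensure_passwd_entry FILE ENTRY
# Append ENTRY to FILE unless a line for the same user name is already
# there, so running this on every boot never duplicates accounts.
ensure_passwd_entry() {
    file=$1; entry=$2
    user=${entry%%:*}
    [ -f "$file" ] || : > "$file"
    grep -q "^${user}:" "$file" && return 0
    printf '%s\n' "$entry" >> "$file"
}

# gen_host_key DIR TYPE [BITS]
# Create DIR/ssh_host_TYPE_key with an empty passphrase (sshd must load it
# unattended), but only if it does not exist: regenerating a host key
# changes the host identity and makes every client's known_hosts mismatch.
gen_host_key() {
    dir=$1; type=$2; bits=${3:-}
    key="$dir/ssh_host_${type}_key"
    if [ -f "$key" ]; then
        echo "keep $key"
        return 0
    fi
    if [ -n "$bits" ]; then
        ssh-keygen -q -t "$type" -b "$bits" -f "$key" -N ''
    else
        ssh-keygen -q -t "$type" -f "$key" -N ''
    fi
    chmod 600 "$key"   # ssh-keygen already does this; make it explicit
    echo "new $key"
}

# setup_sshd: steps 3.1 through 4 of the procedure. Host keys: ed25519,
# plus ecdsa and a 3072-bit RSA key for clients without ed25519. No DSA,
# which OpenSSH clients reject by default.
setup_sshd() {
    mkdir -p /etc/ssh
    ensure_passwd_entry /etc/passwd "$SSHD_USER_ENTRY"
    gen_host_key /etc/ssh ed25519
    gen_host_key /etc/ssh ecdsa 521
    gen_host_key /etc/ssh rsa 3072
    # sshd requires the privsep chroot to exist, be owned by root and not
    # be group- or world-writable; created as root with mode 700 it is.
    mkdir -p "$SSHD_CHROOT"
    chmod 700 "$SSHD_CHROOT"
    # -t validates sshd_config and the host keys without starting the
    # daemon, so a broken setup fails here rather than at the first login.
    /usr/sbin/sshd -t && /usr/sbin/sshd
}

# Act only when invoked as "sh setup-sshd.sh --run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ]; then
    setup_sshd
fi
```

Run it once from the boot script after random and io-pkt are up, or by hand after the first boot; subsequent runs report "keep" for each existing key and leave /etc/passwd untouched.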

Running sshd as non-root

Normally, sshd needs to run as root. With security policies, you can avoid this. As part of its privilege separation feature, sshd runs a child process with minimal privileges. Without security policies, sshd reduces privilege by switching the child process to a non-root UID; with security policies, it switches the child's security type instead. The child's type is a derived type, chosen from the type the original process is running as. To use this feature, the security policy must include a line of the form:
derive_type sshd_type privsep new_type;
where sshd_type is the security type sshd is running as and new_type is the lower-privilege type the child process should run as. If secpolgenerate is in use, it adds everything necessary for this feature to the policy.

See Using Security Policies in the System Security Guide for more information.

Note:
  • This utility is PAM-aware and supported by the PAM framework. This utility parses its configuration files before PAM does and requires additional configuration to enable PAM. For more information about how QNX Neutrino uses the OpenPAM framework, see “PAM” in the System Security Guide.
  • If you start sshd via inetd, it runs under a program name that doesn't match the one PAM's configuration expects, so PAM initialization fails. QNX recommends that you avoid this problem by not using inetd to launch sshd.

    Alternatively, because sshd looks up its PAM configuration by its program name (as passed in argv[0]), you can edit either the inetd configuration file or the PAM configuration file for sshd so that the program name and the configuration file match. For more information, see the entry for /etc/inetd.conf and the “PAM” chapter in the System Security Guide.

Contributing author:

NetBSD