sshd

QNX SDP 8.0 Utilities Reference

OpenSSH SSH daemon

Syntax:

  /usr/sbin/sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_certificate_file]
                 [-E log_file] [-f config_file] [-g login_grace_time]
                 [-h host_key_file] [-o option] [-p port] [-u len]
Note:
You must use the absolute path to launch this daemon.

Runs on:

QNX OS

Options:

Go to the OpenSSH documentation: https://man.openbsd.org/sshd

Description:

The sshd (OpenSSH Daemon) is the daemon program for ssh. Together, these programs provide secure encrypted communications between two untrusted hosts over an insecure network.

This program uses the OpenSSL library for cryptography services.

For more information, refer to sshd in the OpenBSD documentation.

Setting up SSH access to a QNX OS target

The following sections cover how you can enable system access via the SSH daemon and the SFTP server.

Configuration for privilege separation

During the authentication phase of a connection, sshd creates an unprivileged process to communicate with the remote user. To allow this, the system requires:
  • a non-writable directory owned by root (to chroot)
  • an entry in /etc/passwd for a privilege separation user called sshd
sshd:x:15:6:sshd:/data/var/chroot/sshd:/bin/false

The x in the second field indicates that the password is contained in /etc/shadow; however, no password should be set for this user in that file. The user ID and group ID are arbitrary, so you can pick any values, but they should be different from the other user IDs and group IDs on the system. They are used to configure the credentials of the privilege separation process. The home directory should be the same as the directory chosen above, and sshd must not be run as this user. The shell is not used and can be set to anything.
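
One way to check these requirements, as an added example that is not part of the QNX documentation: the hypothetical check_privsep_user function reads a passwd-format file and reports a missing or duplicated sshd entry, a UID or primary GID shared with another account, or a home directory that differs from the chroot directory. It compares primary GIDs in the passwd file only and does not read /etc/group or /etc/shadow.

```shell
#!/bin/sh
# Usage: check_privsep_user PASSWD_FILE [USER] [CHROOT_DIR]
# Prints one finding per line and returns non-zero if there are any.
# The defaults (sshd, /data/var/chroot/sshd) are taken from the entry above.
check_privsep_user() {
    awk -F: -v user="${2:-sshd}" -v home="${3:-/data/var/chroot/sshd}" '
        /^#/ || NF == 0 { next }
        { uid_n[$3]++; gid_n[$4]++ }      # count every UID and primary GID
        $1 == user { found++; pw = $2; uid = $3; gid = $4; dir = $6 }
        END {
            if (found != 1) {
                print "expected exactly one " user " entry, found " (found + 0)
                exit 1
            }
            if (pw != "x")      { print "password field is \"" pw "\", expected x"; bad = 1 }
            if (uid + 0 == 0)   { print "privsep user must not have UID 0"; bad = 1 }
            if (uid_n[uid] > 1) { print "UID " uid " is shared with another account"; bad = 1 }
            if (gid_n[gid] > 1) { print "GID " gid " is the primary group of another account"; bad = 1 }
            if (dir != home)    { print "home " dir " does not match chroot directory " home; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample: the sshd entry shown above plus an account that reuses UID 15.
check_privsep_user - <<'EOF' || true
root:x:0:0:root:/root:/bin/sh
sshd:x:15:6:sshd:/data/var/chroot/sshd:/bin/false
backup:x:15:20:backup:/data/home/backup:/bin/sh
EOF
```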

SSH keys

The sshd program requires key pairs for authentication. These keys can either be created on:
  • the host and then put on each target, or
  • the target itself before running sshd for the first time
Unique keys should be created for each system and saved persistently so they do not change on each boot. Keys can be created using the following commands:
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
ssh-keygen -t ecdsa -b 521 -f ssh_host_ecdsa_key -N ''
Note:
The dsa option is not recommended as it provides poor security.

Each command creates two files, one with and one without a .pub extension. The file without the .pub extension is the private key; it is sensitive, must not be disclosed, and is required on the target. Its location is arbitrary, but it should be in a directory owned by the user ID that sshd runs as. Furthermore, the location should be accessible only to sshd and not to processes running under a different user ID.
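
The ownership and mode rules for the chroot directory and the private host key can be verified with a short script. This is an added example, not QNX or OpenSSH code; the function names are hypothetical, and the key check assumes you pass the numeric user ID that sshd runs as.

```shell
#!/bin/sh
# mode_owner PATH -> "<10-char mode string> <numeric uid>", e.g. "drwxr-xr-x 0"
mode_owner() { ls -ldn -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'; }

# check_chroot_dir DIR [OWNER_UID]: DIR must be a directory owned by OWNER_UID
# (default 0, root) with no write bit for group or other.
check_chroot_dir() {
    mo=$(mode_owner "$1")
    [ -n "$mo" ] || { echo "$1: cannot stat"; return 1; }
    case ${mo% *} in
        d????-??-?) ;;
        *) echo "$1: mode ${mo% *} is not a directory closed to group/other writes"; return 1 ;;
    esac
    [ "${mo#* }" = "${2:-0}" ] || { echo "$1: owner UID ${mo#* }, expected ${2:-0}"; return 1; }
}

# check_host_key KEYFILE SSHD_UID: the private key and its directory must be
# owned by SSHD_UID, and group/other must have no access to either.
check_host_key() {
    rc=0
    for p in "$1" "$(dirname "$1")"; do
        [ "$p" = "$1" ] && kind=- || kind=d     # regular file first, then its directory
        mo=$(mode_owner "$p")
        [ -n "$mo" ] || { echo "$p: cannot stat"; rc=1; continue; }
        case ${mo% *} in
            "$kind"???------) ;;
            *) echo "$p: mode ${mo% *} is the wrong type or open to group/other"; rc=1 ;;
        esac
        [ "${mo#* }" = "$2" ] || { echo "$p: owner UID ${mo#* }, expected $2"; rc=1; }
    done
    return $rc
}

# Constructed demo: a key left world-readable (0644) in a temporary directory.
demo=$(mktemp -d) && : > "$demo/ssh_host_ed25519_key" && chmod 644 "$demo/ssh_host_ed25519_key"
check_host_key "$demo/ssh_host_ed25519_key" "$(id -u)" || true
rm -rf "$demo"
```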

Configuration for sshd

The sshd daemon requires a configuration file, whose location is arbitrary. Use the -f command-line argument of sshd to specify where this file is. The directory hierarchy containing it should not be writable by other processes. The following example contains a sample sshd configuration:
Protocol 2
HostKey /data/var/ssh/ssh_host_ed25519_key
# Each algorithm list is a single comma-separated line.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
# Disallow sshd's password checking, though passwords might
# still be allowed via PAM.
PasswordAuthentication no
PermitUserEnvironment yes
PidFile none
# Subsystem takes a name followed by the path of the server binary.
Subsystem sftp /system/xbin/sftp-server

The HostKey entry configures the locations of the private key files (refer to SSH keys). The Subsystem entry indicates the location of the SFTP server binary if required.
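
Added example (not from the QNX documentation): a small lint for an sshd_config file. sshd_config has no line continuation, so each algorithm list must sit on one comma-separated line, and sshd uses the first value it reads for a keyword; the hypothetical lint_sshd_config function flags orphaned list lines, PermitUserEnvironment yes, and the PAM case mentioned in the sample's comment. It does not evaluate Match or Include.

```shell
#!/bin/sh
# Usage: lint_sshd_config FILE
# Prints one finding per line and returns non-zero if there are any.
lint_sshd_config() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || /^#/ { next }
        NF < 2 {      # a keyword with no argument, e.g. a wrapped list entry
            print "line " NR ": \"" $1 "\" has no argument; keep each list on one comma-separated line"
            bad = 1; next
        }
        {
            k = tolower($1)                       # keywords are case-insensitive
            if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication"
            if (!(k in val)) val[k] = tolower($2) # sshd keeps the first value it reads
        }
        END {
            if (val["permituserenvironment"] == "yes") {
                print "PermitUserEnvironment yes: users can set variables such as LD_PRELOAD"
                bad = 1
            }
            if (val["usepam"] == "yes" && val["passwordauthentication"] == "no" &&
                val["kbdinteractiveauthentication"] != "no") {
                print "UsePAM yes without KbdInteractiveAuthentication no: PAM can still prompt for passwords"
                bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed excerpt: a MACs list wrapped onto a second line, plus the PAM settings.
lint_sshd_config - <<'EOF' || true
HostKey /data/var/ssh/ssh_host_ed25519_key
MACs hmac-sha2-512-etm@openssh.com
     hmac-sha2-256-etm@openssh.com
UsePAM yes
PasswordAuthentication no
EOF
```

On the target, sshd's own -t option (test mode) validates the file named with -f before the daemon is started.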

To allow users to log in over ssh, it may also be necessary to create entries for them in /etc/passwd and /etc/shadow. An /etc/profile file is required to establish environment variables after users log in. For more information about network access to privileged accounts, refer to Systems without passwords.

Running sshd

To run the sshd service, use the following command:
/system/xbin/sshd -f /system/etc/ssh/sshd_config
This command specifies the location of the configuration file for sshd.
Note:
You must invoke the sshd command by using the binary's absolute path.

Running sshd as non-root

Normally, sshd needs to be run as root. This can be avoided using security policies. As part of its privilege separation feature, sshd runs a child process with minimal privileges. When run without security policies, sshd accomplishes the privilege reduction by switching the process to a non-root user ID; run with security policies, it switches the process's security type instead. The new security type is decided using derived types based on the existing type of the original process. To use this feature, the security policy must have the following line included:
derive_type sshd_type privsep new_type;
Where sshd_type is the security type sshd is running as and new_type is the type the child process should run as, with lowered privilege. If secpolgenerate is in use, everything necessary to use this feature is added to the policy.

Refer to Using Security Policies in the System Security Guide for more information.

Note:
This utility is PAM-aware and supported by the PAM framework. This utility parses its configuration files before PAM does and requires additional configuration to enable PAM. For more information about how the QNX OS uses the OpenPAM framework, refer to PAM in the System Security Guide.

Contributing author:

OpenBSD
