SOLVED Changing SSH Configuration via CLI (Solution until reboot)

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Hi there good people,

I have a remote TrueNAS system for backups; it is reachable via SSH.
And usually also via a VPN for the GUI. But the VPN system seems to have failed. But the SSH is still reachable.
So I thought I could make a dynamic port forward through the SSH connection.
But certain settings in the TrueNAS sshd configuration are blocking this, unfortunately.
Changing the sshd_config file in TrueNAS does not survive the reboot and I cannot access the GUI to change the configuration.

After googling and searching here, the only thread with my problem I found was this one:

But I could not find a solution.

So maybe someone here can help me avoid the drive to the remote location? O:smile:
Is there a CLI way to change the sshd configuration?
Or does this not work, as the absence of Google results suggests :(
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

All you need to do is to change that setting from the WebUI... Using your SSH connection, forward local port 8443 to 127.0.0.1:443. Then you point your browser to your own local port 8443 (https://127.0.0.1:8443) and you will see your WebUI, forwarded and secured by SSH.

ssh -l root your.nas.ip.addr -L 8443:127.0.0.1:443

 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Thank you for your answer! :)

Unfortunately that is exactly what I want to change because this does not work.
When I try what you mentioned, and try to connect via browser, it says in the terminal:
"channel 3: open failed: administratively prohibited: open failed".
That is why I thought I need to add "AllowTcpForwarding yes" to the sshd_config.
 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Since I cannot get to the UI on the remote TrueNAS, even via SSH port forwarding as suggested, because of the above error,
I wanted to see if the port forwarding works on my local TrueNAS system, where I can get to the UI and change the sshd configuration.
Long story short, same error "channel X: open failed: administratively prohibited: open failed".
Even after I add the "AllowTcpForwarding yes" to the sshd configuration on the local TrueNAS via the GUI.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi,

Indeed, you need to activate TCP Port Forwarding once in the config file using CLI.

But once you did it, you forward the socket to reach the WebUI and then you activate it from the WebUI. (Service ; SSH ; Allow TCP Forwarding ; put a check mark there). After that it will survive the reboots.
 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Oooh, there is an option in the Service GUI. Oh my, am I blind :rolleyes:. I completely overlooked that one when trying it out on the local system. Thank you! :)

As for the remote system, I will try as you suggested and report back. Thank you so much!
 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
In the sshd_config I commented in the "AllowTcpForwarding yes".

  • Then I tried to restart the sshd with "service sshd restart" -> "Cannot 'restart' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onerestart' instead of 'restart'."
  • With onerestart -> "Performing sanity check on sshd configuration.No host key files found"
  • So I did "ssh-keygen -A". After that the onerestart worked -> "Performing sanity check on sshd configuration.Stopping sshd.
    Waiting for PIDS: 1902.
    Performing sanity check on sshd configuration.
    Starting sshd."
  • My current session did not end. And I could not open a new SSH connection. -> "Connection refused".
  • Since my old connection was still open, I rebooted the system to reset everything. Now I can connect again, but still am at a loss.
Do you have any thoughts on that? I probably did something wrong.
Sorry for all the questions!
On the other hand I am learning a lot :cool:
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
@Samuel Tai There must be an API or midclt call to enable TCP port forwarding, right? Can you help from the top of your head?
 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Up? :smile:
Last try, before I jump in the car tomorrow and drive there :D
Thanks for all the help one way or the other! :)
 

fizassist

Cadet
Joined
Aug 20, 2017
Messages
5
Way too late to help you, but here's what I got to work in a similar situation. Note that the service name (in Truenas 12) is openssh, not sshd, which I discovered by trial and error. Also the config file is /usr/local/etc/ssh/sshd_config, not in /etc. So,

  1. I changed AllowTcpForwarding from "no" to "yes" in /usr/local/etc/ssh/sshd_config. Removing it probably works as well since "yes" should be the default.
  2. I reloaded the config with "service openssh reload".
  3. Then I started a new ssh session with: "ssh -L 4433:my.truenas.lan.ip:443 my.router.wan.ip". (My router ssh port is forwarded to TrueNAS.)
  4. Then I could connect to local port 4433 to get to the truenas GUI and properly change the setting under Services -> SSH so nothing weird happens on a restart.
I was then able to forward any local ports into my LAN.
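
Added example, not part of the original posts: a POSIX shell sketch for checking which AllowTcpForwarding value sshd would actually use before a reload, and for changing it in a copy of the file. It relies on sshd taking the first value it reads for a keyword, so a later "AllowTcpForwarding yes" does not override an earlier "no"; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit AllowTcpForwarding in a copy of sshd_config.
# Assumes keyword and value are separated by whitespace and unquoted.

# Print the effective global value of keyword $1 in file $2.
# sshd keeps the first value it reads; global scope ends at the first Match.
effective_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$2"
}

# Write file $3 to $4 with "$1 $2" as the first line and every older
# global occurrence of the keyword commented out; Match blocks are kept.
set_value() {
    {
        printf '%s %s\n' "$1" "$2"
        awk -v key="$1" '
            BEGIN { key = tolower(key) }
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) == key { print "#" $0; next }
            { print }
        ' "$3"
    } > "$4"
}

# Constructed sample config, not taken from a real TrueNAS system.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
allowtcpforwarding no
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/sshd_config"
echo "before: $(effective_value AllowTcpForwarding "$tmp/sshd_config")"
set_value AllowTcpForwarding yes "$tmp/sshd_config" "$tmp/sshd_config.new"
echo "after:  $(effective_value AllowTcpForwarding "$tmp/sshd_config.new")"
rm -rf "$tmp"
```

On a real host, running `sshd -t -f` against the edited copy checks it for errors before it replaces the live file, and keeping the existing SSH session open until a second login succeeds avoids the lockout described earlier in the thread.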
 

brutkruemel

Dabbler
Joined
Feb 22, 2020
Messages
11
Great, awesome, thank you!
It is too late for me, but I learned something new :cool:
And it will help someone when having the same problem :)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Also the config file is /usr/local/etc/ssh/sshd_config
That's pretty much normal for FreeBSD--anything that isn't part of the base system goes in /usr/local/.
 