how to rsync over ssh as an unprivileged user


Postby jalex » Wed Jan 16, 2008 1:59 am

It is possible to run rsync over ssh as a non-root user with the built-in sshd. Several people have asked about this, but I haven't seen an answer, so I thought it would be useful to post what worked for me. Note that due to the way that synology has hacked their version of openssh, it is not possible to get a fully tty-enabled shell session, but it is possible to run rsync (for those who might be interested, if you have the GPL sources, take a look at openssh-4.2p1/session.c). If you want to do more than rsync, you'll have to go the ipkg route to install your own ssh, etc.

Disclaimer: I am using a DS207+ with the 0518, so this may not work for other models, or may not work for you at all. I take no responsibility for any data loss or other damage to your NAS.

These steps assume some basic UNIX knowledge.

0) If you have not already done so, add a user via the web interface, and, of course, install the "Enable ssh" patch.

1) Log in as root over ssh.

2) Create a directory somewhere on your NAS volume(s) to be used as a home directory for the desired user. Let's call the username "joe". Change the owner of this directory to be joe, and make sure joe has rwx permissions.

3) Edit /etc/passwd. Find the entry for joe and change the home directory field (the string between the second-to-last and last colon characters on joe's entry) to match the directory you created in 2. Change the shell field (the string after the last colon) to be the path to a shell that exists on your NAS. On my NAS that's either /bin/sh or /bin/ash. Save the file. [ NOTE: One pitfall you might run into: I've found if you modify this user via the web interface, e.g. change its password, these edits will revert to the default values, so you might need to do this edit again sometime if you forget about this ]

4) Try executing the command "su - joe" (substituting your username for joe, of course). If you've done everything right so far, you should start a new shell without errors, fully logged in as joe. The result of "pwd" should be joe's home directory, and the result of 'id' should return joe's uid and gid. If not, try again. If you're going to create RSA/DSA keys as I recommend in the next step, it will be easier to get the ownership and permissions of the keys right if you're logged in as joe. You can create a .profile for joe with environment settings you like, but be sure to keep /usr/syno/bin in your path, which is where the rsync binary is located. Due to the aforementioned ssh hack, rsync's --rsync-path flag will not work. Once you're done with editing joe's files, you can type "exit" to return to your root shell.

5) I recommend installing RSA/DSA keys at this point in joe's home directory - search for "ssh-keygen" on the web to learn more about this. I'm not using password auth myself, so I have not tested this thoroughly, but if you really want to use password authentication, you should be able to do so by creating an entry in /etc/rsyncd.secrets for joe consisting of joe:password. The password can be in cleartext. The entry for root contains two passwords separated by a pipe character. The first is just a cleartext password (really - try it - I really hope that it is different for each system!), and the second is your admin password in obfuscated form (not really encrypted). The cleartext password should work on its own, and the obfuscation method really doesn't provide any greater security.

6) That's it - try rsyncing something to your NAS as joe. If you have trouble, it might help to pass the -v flag to ssh so that you can get an idea where the process is failing. You might also want to use rsync's --dry-run flag until you have all the kinks worked out. Good luck!
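A scripted version of steps 2 to 5 above, added here as an example; it is not part of jalex's post. It assumes a POSIX sh with awk (the DiskStation's busybox provides both), that /bin/sh exists on the NAS, and that the home directory lives under /volume1/homes; the user name joe and all paths are placeholders. The /etc/passwd edit is done with awk on a copy and verified before the copy is moved into place, and the step-4 checks (pwd, id) are run through su.

```shell
#!/bin/sh
# Added example (not from the original post): scripts steps 2 to 5 of the
# procedure above. Assumptions: POSIX sh + awk, /bin/sh exists on the NAS,
# home directories under /volume1/homes. Run setup_rsync_user as root.
set -eu

# Rewrite the home (field 6) and shell (field 7) of one /etc/passwd entry.
# Works on a copy so the edit can be checked before it is moved into place;
# exits 2 if the user is not in the file.
rewrite_passwd_entry() {
    src=$1 dst=$2 user=$3 home=$4 shell=$5
    awk -F: -v OFS=: -v u="$user" -v h="$home" -v s="$shell" '
        $1 == u { $6 = h; $7 = s; found = 1 }
        { print }
        END { if (!found) exit 2 }
    ' "$src" > "$dst"
}

# Print "home:shell" for one user, for verification.
passwd_fields() {
    awk -F: -v u="$2" '$1 == u { print $6 ":" $7 }' "$1"
}

# Step 5: append a public key to the user's authorized_keys with the
# permissions sshd insists on (700 on .ssh, 600 on the file, owned by the user).
install_pubkey() {
    user=$1 home=$2 pub=$3
    mkdir -p "$home/.ssh"
    cat "$pub" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then chown -R "$user" "$home/.ssh"; fi
}

# Steps 2 to 4, run as root on the NAS: create the home, point the passwd
# entry at it, then check that su lands in the new home with the right uid.
setup_rsync_user() {
    user=$1 home=$2 shell=${3:-/bin/sh}
    mkdir -p "$home"
    chown "$user" "$home"            # joe must own the directory
    chmod 700 "$home"                # and have rwx on it
    rewrite_passwd_entry /etc/passwd /etc/passwd.new "$user" "$home" "$shell"
    [ "$(passwd_fields /etc/passwd.new "$user")" = "$home:$shell" ]
    mv /etc/passwd.new /etc/passwd
    # keep rsync's directory on the path: --rsync-path does not work with this sshd
    printf 'PATH=/usr/syno/bin:$PATH\nexport PATH\n' > "$home/.profile"
    chown "$user" "$home/.profile"
    # the step-4 checks: pwd must print $home, id must show joe's uid/gid
    su - "$user" -c 'pwd; id; command -v rsync'
}

# Usage on the NAS (placeholders):
#   setup_rsync_user joe /volume1/homes/joe /bin/sh
#   install_pubkey joe /volume1/homes/joe /tmp/id_rsa.pub
```

Remember the pitfall jalex notes at step 3: if the user is later edited in the web interface, the passwd fields revert and setup_rsync_user has to be run again.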

Re: how to rsync over ssh as an unprivileged user

Postby TomG » Fri Mar 14, 2008 11:32 pm

I worked this out as explained above, and works fine!

Until now, I used the root account to perform Rsync synchronization using a SSH tunnel with the known insecurity (if you should accidentally perform a rsync synchronization to the / root directory or another system directory...).

So I created the RSA/DSA keys on my local system and transferred them to the diskstation.

For these tasks, I wrote 2 little scripts to make this easier:

createSSHKeys.sh: run this script on your Linux desktop/laptop/server... system (you could execute this script on your diskstation as well, in case you want to grant a diskstation user access to another remote SSH/Rsync system):
Code:
#!/bin/sh
# Generate a key pair for this host/user and collect the public halves into
# one file named after the host and user, to be copied to the DiskStation.
cd ~
hostname=$(hostname)
user=$(whoami)
ssh-keygen -t rsa
# protocol-1 key (identity/identity.pub); skip if your ssh-keygen no longer supports rsa1
ssh-keygen -t rsa1
cd .ssh
cat ./*.pub > "authorize_key_${hostname}-${user}"


it creates a public RSA/DSA key which you can later transfer to the diskstation user's home directory and rename (~/.ssh/authorized_keys).

If you should have a lot of client systems, each with a public key, you can put them all together on the diskstation, for example in ~/.ssh/SSH/ together with this script:

addKeys.sh
Code:
#!/bin/sh
# Run from the directory holding the authorize_key_* files (e.g. ~/.ssh/SSH).
# Rebuilds ~/.ssh/authorized_keys from those files only; umask keeps it 600.
umask 077
mkdir -p ~/.ssh
# remove the previous authorized_keys, if applicable
rm -f ~/.ssh/authorized_keys
for key in ./authorize_key_* ; do
   [ -f "$key" ] || continue
   cat "$key" >> ~/.ssh/authorized_keys
done


It adds the content from all public keys of each system to the authorized_keys in ~/.ssh/. Doing it this way, you're almost sure that only the public keys in ~/.ssh/SSH/ have access to your diskstation!

Doing so makes it quite easy to let users perform Rsync synchronisation from their workstation to the Synology system!

The final result on my diskstation:

Code:
$ pwd
/volume1/users/tom/.ssh
$ ls -lh
drwx------    2 tom      users        4.0k Mar 14 23:27 SSH
-rw-------    1 tom      users        1.0k Mar 14 23:07 authorize_key_DiskStation-tom
-rw-------    1 tom      users        2.0k Mar 14 23:08 authorized_keys
-rw-------    1 tom      users        1.6k Mar 14 23:07 id_rsa
-rw-------    1 tom      users         397 Mar 14 23:07 id_rsa.pub
-rw-------    1 tom      users         978 Mar 14 23:07 identity
-rw-------    1 tom      users         642 Mar 14 23:07 identity.pub
$ ls -lh SSH/
-rwx------    1 tom      users         132 Mar 14 23:03 addKeys.sh
-rwxrwxrwx    1 tom      users        1.0k Mar 14 23:07 authorize_key_laptop-tg-tom
-rwxrwxrwx    1 tom      users        1.0k Mar 14 23:06 authorize_key_pc-tom-tom
-rwxrwxrwx    1 tom      users         136 Mar 14 23:27 createSSHKeys.sh

Re: how to rsync over ssh as an unprivileged user

Postby JohDut » Wed Apr 30, 2008 6:16 pm

Hi, I've been trying to setup unprivileged access as described above.

Unfortunately I've been unsuccessful.
Probably I'm just doing something really dumb. :?
The problem is suppressing the password-prompt, as I want to run this as a cronjob.

Here's what I've done:
I've created a keypair using ssh-keygen.
Set up a home directory for a user.
In that directory created a directory .ssh
Put the file id_rsa.pub in it, renaming it to authorized_keys
Set up rights, chmod 700 on directory, chmod 600 on file.

It was my understanding this would suffice to allow to connect over ssh without password-prompt.
This does not work for any created user.
However, if I use this for root, it does.
That is, just creating .ssh in /root and copying/renaming id_rsa.pub->authorized_keys . . .this does work!
I can login as root, both via ssh shell, and perform rsync on root@nameofmyNAS

As a regular user I can also rsync with a password-prompt, providing I put the username/password in rsync.secrets
But this makes it unusable for a cronjob.

If anyone could point me in the right direction.... I would be very grateful :P

Joost
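A check worth running in JohDut's situation, added here as an example and not part of any post in the thread: with StrictModes (on by default) sshd silently ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is owned by someone other than the user or root, or is writable by group or others, and it only looks in the home directory recorded in /etc/passwd, which on this firmware reverts when the user is edited in the web interface (jalex's note at step 3). The script assumes a POSIX sh with ls, awk and cut, as on the NAS; the path and user name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report the ownership and permission
# problems that make sshd's StrictModes check reject a user's authorized_keys.
# Run on the NAS as root:  check_key_perms /volume1/users/joe joe
set -eu

# Owner of a path, taken from ls -ld (works with GNU and busybox ls).
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# True if group or others have the write bit on the path.
group_or_other_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk home, home/.ssh and home/.ssh/authorized_keys; print each problem and
# return non-zero if any was found. sshd accepts ownership by the user or root.
check_key_perms() {
    home=$1 user=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        o=$(owner_of "$p")
        if [ "$o" != "$user" ] && [ "$o" != root ]; then
            echo "owned by $o, not $user: $p"; rc=1
        fi
        if group_or_other_writable "$p"; then
            echo "writable by group or others: $p"; rc=1
        fi
    done
    return $rc
}

# Also confirm the home sshd will actually use, since the web interface can
# reset it:  awk -F: '$1 == "joe" { print $6 }' /etc/passwd
```

If this prints nothing and still no key is accepted, the next stop is `ssh -v` on the client (as jalex suggests) and sshd's own log on the NAS.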

Re: how to rsync over ssh as an unprivileged user

Postby klausmedk » Sat Jun 21, 2008 10:01 am

Hello

I have used the above method, but have run into a strange problem.
I can login over ssh with my unprivileged user but I cannot do rsync over ssh. rsync, however, works fine with that user without ssh.

So basically:
Works: rsync -ab [my_local_files_to_backup] [remote_rsync_user]@[remote_host]::[module]

Works: ssh [remote_system_unprivileged_user]@[remote_host]

Does not work: rsync -e 'ssh -l [remote_system_unprivileged_user]' -ab [my_local_files_to_backup] [remote_rsync_user]@[remote_host]::[module]

ssh works, and rsync works, but rsync over ssh does not work.
The error i get is:
---------------
@ERROR: auth failed on module [module]
rsync error: wrong password (code 44) at clientserver.c(199)
---------------
It seems to establish the ssh tunnel correctly because the error is actually reported by rsync.
Trust me, the password typed is correct and it is the same as used in the cases where it actually does work (rsync without ssh).
I know there is a difference between system users and rsync users, and I know that if public key auth has not been set up (which it has, and it works with just 'ssh [remote_host]') it will first prompt me for my system user password and then for the rsync password.

any suggestions?

//Klaus

Re: how to rsync over ssh as an unprivileged user

Postby klausmedk » Tue Jun 24, 2008 12:08 pm

Hello

I solved the issue myself and just want to share it.
I had failed to see that when rsyncing over ssh the system will actually start a temporary daemon to execute the rsync command. So the daemon running on the remote system is not used.

If the unprivileged user used for ssh login does not have read permission to the rsyncd.secrets file the temporary daemon cannot verify the rsync user and password, and will thus produce a "wrong password" error.

I solved this by configuring the particular rsync module in question to use a secrets file to which my unprivileged system user does have read access.

//Klaus
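The fix klausmedk describes, together with the /etc/rsyncd.secrets detail from jalex's step 5, as an added example that is not code from the thread: an rsync module whose secrets file the ssh login user can read. When the target is written host::module and -e ssh is given, rsync starts "rsync --server --daemon ." over the ssh session as the login user; that process, not the NAS's own rsyncd, reads rsyncd.conf and the module's secrets file, and with the default "strict modes = yes" that file has to be readable by that user only. It assumes a POSIX sh with awk, ls and cut; the module name backup, the user joe and the paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an rsync module with a per-user secrets
# file, so "rsync -e ssh ... joe@nas::backup" stops failing with
# "@ERROR: auth failed on module". Names and paths are placeholders.
set -eu

# Append a module stanza to rsyncd.conf that points at the per-user secrets file.
add_rsync_module() {
    conf=$1 module=$2 path=$3 user=$4 secrets=$5
    cat >> "$conf" <<EOF

[$module]
    path = $path
    read only = no
    auth users = $user
    # default "strict modes = yes": the secrets file must be readable only by
    # the uid the daemon runs as, which over ssh is the login user
    secrets file = $secrets
EOF
}

# Write the user:password line (cleartext, as rsyncd expects), mode 600,
# owned by the user whose ssh session will run the daemon.
write_secrets() {
    file=$1 user=$2 password=$3
    ( umask 077; printf '%s:%s\n' "$user" "$password" > "$file" )
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$file"
    fi
}

# Print the "secrets file" value of one module (empty if the module is absent).
secrets_file_for() {
    awk -v m="[$2]" '
        $0 == m { in_mod = 1; next }
        /^\[/ { in_mod = 0 }
        in_mod && $1 == "secrets" && $2 == "file" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# True when group and others have no access bits on the file (600 or stricter).
readable_only_by_owner() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# On the NAS as root (placeholders):
#   add_rsync_module /etc/rsyncd.conf backup /volume1/backup/joe joe /etc/rsyncd.joe.secrets
#   write_secrets /etc/rsyncd.joe.secrets joe 'choose-a-password'
# Reproduce the daemon's view from the ssh account before trying the client;
# "Permission denied" here is exactly klausmedk's "wrong password":
#   ssh joe@nas "cat /etc/rsyncd.joe.secrets"
# Client side, once that prints joe's line:
#   rsync -e ssh -av --dry-run ./data joe@nas::backup
```

Keeping a separate secrets file per module avoids giving the unprivileged user read access to /etc/rsyncd.secrets, which, as jalex points out, holds root's cleartext password.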

Re: how to rsync over ssh as an unprivileged user

Postby tipsen » Sun Sep 28, 2008 11:00 pm

Is this THE procedure to follow if one wishes to use rsync for multiple users with separate directories on the nas?
/Tommy

Re: how to rsync over ssh as an unprivileged user

Postby LleMikeByw » Thu Feb 17, 2011 7:44 am

SSH Access to the DiskStation as an unprivileged user (with unprivileged rights) and ultimately RSYNC is possible using the methodologies described in my posts here:

http://forum.synology.com/enu/viewtopic.php?f=15&t=31332#p134474

Hope that's helpful - if you need to be able to do this...

Mike 8)

