How to set up an SFTP server


Below are three methods for installing an SFTP server on your NAS.

NOTE: As of DSM 4.1, there is an option to enable SFTP under Control Panel -> FTP -> SFTP. The three methods described below are thus only applicable to older versions of DSM (< 4.1). It appears that with this option you need to use the "admin" user instead of "root".

Method 3 is a straightforward procedure that only changes the sshd config. It requires the latest DS3.1 firmware and is the recommended method.

Otherwise, with older DS software, Method 1 is recommended for virtually all users; a more complicated Method 2 exists as well. Both of these methods require the installation and use of ipkg. Check Method 3 first and consider updating your DS firmware to the latest release.


What is a SFTP Server

Secure FTP (SFTP) is one of the most secure ways to remotely access files (e.g. on your NAS) across an insecure network (e.g. the web). SFTP uses the client-server model: an SFTP client (usually your PC) makes a connection request to an SFTP server (usually your NAS). The SFTP server software must be installed on your NAS so that the NAS can listen for and respond to SFTP client requests.

Things to Consider

SFTP provides the user with the same functionality as FTP, but communication between client and server is passed through a secure (SSH) tunnel.

  1. Compared to FTP, SFTP places large processing loads on both the client and server CPUs for encrypting and decrypting the data. Most modern PCs will easily cope with this, but the increased processing will affect the data throughput of the NAS, slowing communication compared to FTP.
  2. After installing the SFTP server on your NAS, you will also need an SFTP client on your PC to use SFTP. The FTP client (File Explorer) provided with Microsoft Windows (including Windows 7) does not support SFTP, so you will need to install an SFTP client. A popular, free and open source SFTP client is FileZilla.
  3. After following this wiki you will be able to access your NAS as you do currently (including via normal FTP and any user accounts you created for FTP). However, when accessing by SFTP you will only be able to sign on as user "root" (the password is the same as for the admin user). User root (admin) is the highest privileged user on the NAS, and any files transferred to the NAS will be saved with owner and group "root" and access permissions of -rw-r--r--. Consequently, depending on your requirements, you may need to widen the access permissions of the files so that other users (e.g. those that access via FTP or SAMBA) can manage the files that you placed on the NAS via SFTP. FileZilla and virtually all other SFTP clients make it easy to change file access permissions. Note, however, that with both FTP and SFTP you cannot change the owner/group of a file; to do so you need a command line environment such as SSH via putty. FileZilla by default displays the access permissions and owner/group properties of all files and directories, making it easy to see what is what.
  4. After logging in to the NAS via SFTP as user root you will also be able to delete or change any file on the NAS, including system files, so this mod is only for use by the NAS administrator/owner.
  5. FTP uses port 21 and SFTP (SSH) uses port 22. To access your NAS remotely across the internet via SFTP, you need to configure your router to forward port 22 to your NAS.

Method 1

  • Install ipkg by following its installation instructions.
  • reboot
  • ipkg update
  • ipkg install openssh-sftp-server
  • Edit /etc/ssh/sshd_config with the following:
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem       sftp    /volume1/@optware/libexec/sftp-server
  • To edit this file use this command: 'vi /etc/ssh/sshd_config'
  • Use Page Down to scroll through the file until you see '# override default of no subsystems', then press Insert on your keyboard to enter edit mode
  • After you have changed the settings, press Escape and then type ':wq' to save and exit the file
  • reboot
  • Finished. Using SFTP client software on your PC, you will now be able to connect to your NAS by SFTP.

Method 2

This method is NOT recommended for most users. Only use this method if you have a specific reason for needing to do so.

Taken from the official forum. This method describes how to add the sftp-server option to an existing DS with only the stock Synology ssh installed. It does not install the openssh package found in the IPKG repository. First of all, you need to get IPKG; read the guidelines there and then proceed with the steps below.

Step 1. Getting sftp-server

mkdir /tmp/sftp_patch
cd /tmp/sftp_patch
ipkg download openssh-sftp-server
tar -xvzf openssh-sftp-server_*.ipk
tar -xvzf data.tar.gz
mv ./opt/libexec /usr

Step 2. Getting zlib

mkdir /tmp/zlib_patch
cd /tmp/zlib_patch
ipkg download zlib
tar -xvzf zlib_*.ipk
tar -xvzf data.tar.gz
mv ./opt/lib/libz.so.1.2.5 /lib
cd /lib/
ln -s libz.so.1.2.5 libz.so
ln -s libz.so.1.2.5 libz.so.1


Step 3. Cleanup the temp files

rm -rf /tmp/sftp_patch /tmp/zlib_patch

After executing the above, you are able to make SFTP connections to your DS.

Step 4. Fix missing libs

If SFTP does not work, try starting the sftp-server binary on the command line:

/usr/libexec/sftp-server

See if this reports any errors. On a DS207+ running firmware DSM 2.2-0942 it would report that libcrypto.so was not found:

/usr/libexec/sftp-server: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory

Correct this by adding a symbolic link:

cd /lib/
ln -s libcrypto.so.0.9.8 libcrypto.so.0.9.7

Step 5. Check sshd_config

For the SFTP server to start automatically with boot/the ssh daemon, the following must be present in /etc/ssh/sshd_config:

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

Method 2 was tested and found to work on DS106e, DS207+, DS210+, DS408, DS409+ and the DS1010+/DX5 combo.

Method 3

With the latest versions of DS3.1 you can enable the built-in SFTP server by changing the sftp section in the config file /etc/ssh/sshd_config to that shown below. After the config change you must disable and re-enable the SSH daemon or reboot your DS so that sshd loads the new config.

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem       sftp    internal-sftp

After that you can log in with the SFTP protocol; no other changes are required.
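All three methods come down to having exactly one active "Subsystem sftp" line in sshd_config that points at something that exists. The script below is an added example, not part of the original wiki or of DSM; its function names are hypothetical helpers and the sample config is constructed. It checks that line before you restart sshd or reboot.

```shell
#!/bin/sh
# Added example: check the "Subsystem sftp" setting before restarting sshd.
# Function names are hypothetical helpers, not part of DSM or OpenSSH.

# Print the target of every active (uncommented) "Subsystem sftp" line.
sftp_subsystem_targets() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3 }' "$1"
}

# Classify a config file: none | duplicate | internal | ok | missing
check_sftp_subsystem() {
    conf=$1
    targets=$(sftp_subsystem_targets "$conf")
    count=$(sftp_subsystem_targets "$conf" | awk 'END { print NR }')
    if [ "$count" -eq 0 ]; then
        echo none        # no active line, so no SFTP subsystem is configured
    elif [ "$count" -gt 1 ]; then
        echo duplicate   # more than one active line: keep exactly one
    elif [ "$targets" = "internal-sftp" ]; then
        echo internal    # Method 3: no external binary required
    elif [ -x "$targets" ]; then
        echo ok          # Methods 1 and 2: the binary exists and is executable
    else
        echo missing     # the path in the config does not exist on this NAS
    fi
}

# Constructed sample in the Method 3 layout, so the script runs anywhere.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem       sftp    internal-sftp
EOF
echo "sample config: $(check_sftp_subsystem "$sample")"
rm -f "$sample"
```

On the NAS, call check_sftp_subsystem /etc/ssh/sshd_config after editing the file; OpenSSH's `sshd -t` additionally tests the whole config for syntax errors.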
