SSH key authentication

Unread post by phoerious » Fri Sep 12, 2014 8:04 pm

Hi,

I know there are about a thousand threads already about this topic, but I searched them all, tried all suggestions (which were always the same), still no success.
My Diskstation is running DSM 5.0-4493 Update 5 with OpenSSH_5.8p1-hpn13v11. I'm trying to get public key authentication to work, but unfortunately it refuses to do so.

I enabled the following two lines in /etc/ssh/sshd_config:

Code: Select all

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Then I copied over my public key using

Code: Select all

ssh-copy-id sysadm@bellatrix

(bellatrix is the Diskstation host name). Yes, I double and triple checked that it's installed in /volume1/sysadm/.ssh/authorized_keys and that it's the right key, too.

Next I corrected all the file permissions. I set /volume1/sysadm and /volume1/sysadm/.ssh to 0700 and /volume1/sysadm/.ssh/authorized_keys to 0644 (it works, OpenSSH accepts these permissions).

Finally I tried to connect:

Code: Select all

ssh sysadm@bellatrix -vvv

Result (shortened):

Code: Select all

debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/xxx/.ssh/id_rsa (0xc4f2c0),
debug2: key: /home/xxx/.ssh/id_dsa ((nil)),
debug2: key: /home/xxx/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/xxx/.ssh/id_dsa
debug3: no such identity: /home/xxx/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/xxx/.ssh/id_ecdsa
debug3: no such identity: /home/xxx/.ssh/id_ecdsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

As you can see, I still get the password prompt because the server somehow rejected my public key.

So, what does the server say to this? I started OpenSSH from the console in debug mode and here is the output:

Code: Select all

debug1: PAM: initializing for "sysadm"
debug1: userauth-request for user sysadm service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: PAM: setting PAM_RHOST to "2001:4dd0:ff00:98ea:xxxx:xxxx:xxxx:xxxx"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/sysadm/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/volume1/homes/admin/.ssh'
debug3: secure_filename: checking '/volume1/homes/admin'
debug3: secure_filename: terminating check at '/volume1/homes/admin'
debug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/sysadm/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/volume1/homes/admin/.ssh'
debug3: secure_filename: checking '/volume1/homes/admin'
debug3: secure_filename: terminating check at '/volume1/homes/admin'
debug1: restore_uid: 0/0
debug2: key not found
Failed publickey for sysadm from 2001:4dd0:ff00:98ea:xxxx:xxxx:xxxx:xxxx port 39328 ssh2

That means file permissions are okay, paths are okay, too (OpenSSH knows where to look for accepted public keys), but it still doesn't find any matches. It just acts as if no key was in there. It definitely is (and yes, it's also on just one line in case you ask).

I have no idea what's wrong. Can you help me? I've set up about a thousand SSH servers in my life and never experienced this. No error message, just pure ignorance.

Re: SSH key authentication

Unread post by phoerious » Sat Sep 13, 2014 4:30 pm

No idea why, but generating a new key pair and using that instead works. The old key was a 2084bit RSA key which should work, but somehow it didn't.
I generated a new 2048bit RSA key which OpenSSH seems to accept. I'm using a 4096bit key now.

Re: SSH key authentication

Unread post by tmuxr » Sun May 31, 2015 5:29 am

@phoerious: I just ran up against the same issue for the first time today.

Same story:

Created a user

mkdir ~/.ssh
chown username:users ~/.ssh
chmod 700 ~/.ssh
echo "my rsa 4096 pubkey" > ~/.ssh/authorized_keys
chown username:users ~/.ssh/authorized_keys
chmod 644 ~/.ssh/authorized_keys

Attempted ssh login. Received password prompt.

Root cause of problem: Default permissions on new user's home directory are too permissive.

Solution:

chmod o-rwx ~

Re: SSH key authentication

Unread post by gonzalo.cao » Tue Jun 07, 2016 11:49 am

Same problem here.

Correct configuration, but unable to access my DSM 6.0 Synology server via SSH key. It seems that id_rsa.pub was rejected.

The last solution solved it for me; the user directory permissions seem to be too "permissive"??

chmod 755 /var/services/homes/[my_user_name]

...and now it works

Re: SSH key authentication

Unread post by angrychipmunks » Fri Oct 28, 2016 5:46 pm

Just a note in DSM 6 to use:

Code: Select all

chmod -R 755 /volume1/homes/[username]

The -R is to make it recursive, in case you already created the keys before running the chmod.
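
Added example, not part of any post in this thread and not Synology or OpenSSH code: a shell check of the three paths the home-directory fixes above are about, applying the rule stock OpenSSH enforces with StrictModes (owner is the user or root, no group/other write bit). It assumes DSM's sshd follows upstream behaviour and that `stat` supports `-c` (GNU coreutils or BusyBox); the file name `check.sh` and the `USERNAME`/`UID` arguments are placeholders.

```shell
#!/bin/sh
# Added example: the same three paths sshd's StrictModes walk inspects
# (authorized_keys, .ssh, home), checked for owner and group/other write bits.

# path_ok PATH UID: succeed if PATH is owned by UID or root and mode & 022 == 0.
path_ok() {
    # -L follows symlinks, as sshd resolves the real path before checking.
    info=$(stat -L -c '%a %u' "$1") || return 2
    mode=${info% *}
    owner=${info#* }
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "FAIL owner uid $owner: $1"
        return 1
    fi
    # The leading 0 makes the shell read the mode as octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL mode $mode (group/other writable): $1"
        return 1
    fi
    echo "ok   mode $mode: $1"
}

# check_strictmodes HOME_DIR [UID]: UID defaults to the calling user's.
check_strictmodes() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        if [ ! -e "$p" ]; then
            echo "FAIL missing: $p"
            rc=1
        elif ! path_ok "$p" "$uid"; then
            rc=1
        fi
    done
    return "$rc"
}

# Run directly as: sh check.sh /var/services/homes/USERNAME UID
if [ "$#" -gt 0 ]; then
    check_strictmodes "$@"
fi
```

Under this rule a home directory at 700 or 755 passes and one at 775 or 777 fails, so only the group/other write bits need to be cleared on the three paths.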

Re: SSH key authentication

Unread post by mocarela » Mon Dec 19, 2016 9:05 pm

Hello!

Is there also a way to disable password authentication in order to have only publickey in DSM 6? I tried to change /etc/sshd/sshd_config and /etc.defaults/sshd/sshd_config, but this has no effect. Where is the sshd config file actually stored?

From a security point of view I don't see any benefit in having publickey together with password authentication.

I would really appreciate the solution.

Thanks and best regards,

Alen
