RESOLVED: Logging into Synology SSH using a key instead of a password

Postby drueter@assyst.com » Mon Dec 26, 2016 7:35 pm

I want to be able to log into the Synology via SSH, using a secure key (instead of providing a password). I want to be able to do this so that I can set up a remote non-Synology NAS (FreeNAS) to run an rsync task to backup files on the Synology to the second NAS.

This should be simple to do, but it took a day of researching and going through dozens of posts and articles on many different sites to assemble the required steps.

I am posting the instructions I compiled here so that everything is documented in one place.

The points in bold are points that are specific to Synology, and are things that arguably DSM should take care of automatically. Why in the world should creating home directories through the Web UI result in improper permissions for that home directory? Why would creating a home directory NOT create a .ssh folder in the new home directory? Why should sshd NOT default to accepting key-based logins? And why are these quirky issues not clearly documented?? I love my Synology, and I think that DSM is great...but setting up SSH and rsync from an external box is a pretty common need. It seems Synology goes out of their way to make this more difficult than needed.

System: Synology DS1815+ running DSM 6

  1. Log into Synology web UI as an administrator user
  2. Enable “User Home”
    • Control Panel / User / Advanced, scroll down to “User Home”
    • Check “Enable user home service”, select an appropriate Location (i.e. volume1)
    • Click “Apply”
  3. Create user account(s) that should access Synology via SSH (or via rsync over SSH), using the Synology web UI as normal.
  4. Enable SSH for the Synology server
    • Control Panel / Terminal & SNMP
    • Check “Enable SSH Service”
    • Click “Apply”
  5. Log into Synology as admin user via SSH
    • Launch SSH application (putty, or other)
    • Specify IP address (or host name) of Synology
    • Provide admin username and password
  6. Fix the permissions on all home directories
    • cd /volume1/homes
      • to change to the directory containing home directories
      • “volume1” was selected when you enabled “User Home” above
    • ls -al
      • to show all home directories
    • The important thing is that home directories for SSH users MUST be writable ONLY by the user. The web UI creates these wrong. For each home directory, change permissions:
    • sudo chmod 755 /volume1/homes/someuser
      • Changes permission to full (read/write/execute) for the user, but to read/execute only for the group and for everyone else
  7. For each user that you want to grant SSH access to, edit their passwd entry to give them sh access
    • NOTE that the changes made here may be reverted upon reboot of the Synology. See https://andidittrich.de/2016/03/howto-r ... users.html
    • sudo vi /etc/passwd
      • move down to the user you want to modify, move to the end of the line
      • press “I” to go into insert mode
      • backspace over “/sbin/nologin” and replace with “/bin/sh”
      • when done editing, press “ESC”, then “qw” (quit, write file)
        • if you make a mistake and want to quit without saving, press “ESC”, then “q!” (quit, without saving changes)
  8. For each user that you want to grant SSH access to, generate SSH keys
    • You could do this while logged in as admin, but you would need to manually mess with changing ownership and permissions of files you create here. It is better / easier to log in as each individual user to perform the following.
    • Re-launch your SSH application (putty, or other) to open a new session with the Synology
    • Log in as the user you want to set up
    • Create folder for SSH keys for the user and set permissions
      • mkdir ~/.ssh
        • creates a hidden .ssh directory to hold the keys
      • chmod 0700 ~/.ssh
        • sets proper permissions for the folder (full rights to user, no rights to anyone else)
      • touch ~/.ssh/authorized_keys
        • Creates a new empty file named authorized_keys. This will hold the public keys of remote users that are allowed to log in here as this Synology user.
      • chmod 0644 ~/.ssh/authorized_keys
        • Set permissions of the new authorized keys file. (read/write to current user, read-only to everyone else)
    • ssh-keygen
      • Generate public and private keys
      • Press “enter” to accept default file location (should be user’s .ssh folder)
      • Press “enter” twice to indicate NOT to create passphrase. (The passphrase would prevent the login from working when used by rsync.)
      • Will add files id_rsa (private key) and id_rsa.pub (public key)
      • These should automatically be created with the correct permission (read/write by user only, i.e. chmod 600). You shouldn’t need to make any changes.
  9. Configure the Synology’s SSH service to allow login by key
    • Go to an SSH session (Either an administrator or an SSH user. You may still have one open.)
    • sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
      • makes a backup copy of the config file, just in case something goes wrong
    • sudo vi /etc/ssh/sshd_config
      • Uncomment line that says: #PubkeyAuthentication yes
      • Uncomment the line that says: #AuthorizedKeysFile .ssh/authorized_keys
      • Make sure that line is uncommented that says: ChallengeResponseAuthentication no
      • Optionally, if you want to disable password-based logins, add a line: PasswordAuthentication no
      • Save the file and exit the editor
    • Restart the Synology’s SSH service
      • sudo synoservicectl --restart sshd
      • Or use web admin: Control Panel / Terminal & SNMP; uncheck “Enable SSH service”; apply; check “Enable SSH service”; apply
      • If there is an error in the config file, the service may not restart. If this is the case:
        • Enable telnet (Control Panel / Terminal & SNMP / Terminal)
        • Log in to the Synology as an admin user via a Telnet application (telnet, putty, or other)
        • Copy the config backup file you made above, and restart the sshd service again.
        • sudo cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        • sudo synoservicectl --restart sshd
  10. Create SSH keys for the remote user that will be logging into the Synology (i.e. the FreeNAS user)
    • On the remote / client system that will be logging into the Synology, log in as the user that will need to log into the Synology.
    • ssh-keygen
      • Generate keys as you did on the Synology in #8 above
      • The other steps (creating an .ssh folder, setting permissions, etc.) are already done by FreeNAS. When done though, the permissions on the remote folders and files should match what you did on the Synology.
      • The authorized_keys file is not needed at this time (it is only needed on the server-side of the SSH login), but it doesn’t hurt to create the file for future use.
    • Copy the remote/client’s public key to the Synology. This can be done in a number of different ways, but the main thing you need to do is to get the contents of the remote user’s id_rsa.pub file into the Synology user’s authorized_keys file. The entire contents must be on a single line of the authorized_keys file. One way to do this:
    • ssh-copy-id -i ~/.ssh/id_rsa.pub synologyIP
      • Replace “synologyIP” with the actual IP address of your Synology
      • You will be prompted for the Synology username and password that you want the current local user to log into the Synology as.
  11. From the remote/client SSH session, try logging into the Synology using the new key:
    • ssh synologyUser@synologyIP
    • Replace synologyUser with the actual Synology user you want to log in as, and replace synologyIP with the actual Synology IP address.
    • You should NOT be prompted for a password.
    • If the Synology username is the same as the remote/client username, synologyUser@ is optional.
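
The permission and config settings from steps 6, 8 and 9 above can be checked with a script. This is an added example, not part of the original post or of any Synology tooling. It relies on OpenSSH's StrictModes behaviour (a key is refused when the home directory, ~/.ssh or authorized_keys is writable by group or others); the function names and the two command-line arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the permissions and sshd_config
# settings that steps 6, 8 and 9 set by hand.
# Usage: sh audit.sh HOME_DIR SSHD_CONFIG

# loose PATH: print PATH if group or others can write to it (POSIX find only).
loose() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# exposed PATH: print PATH if group or others have any access to it.
exposed() {
    find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# audit_home HOME_DIR: one line per finding; returns 1 if anything is wrong.
audit_home() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1
        elif [ -n "$(loose "$p")" ]; then
            echo "WRITABLE $p (group/other can write)"; rc=1
        fi
    done
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        if [ -e "$k" ] && [ -n "$(exposed "$k")" ]; then
            echo "EXPOSED  $k (private key accessible to group/other)"; rc=1
        fi
    done
    return $rc
}

# sshd_value FILE KEYWORD: first uncommented value of KEYWORD. sshd keywords are
# case-insensitive and the first occurrence wins; Match blocks are not handled.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_sshd FILE: show the step 9 directives; returns 1 if key login is
# switched off explicitly.
audit_sshd() {
    rc=0
    for kw in PubkeyAuthentication AuthorizedKeysFile PasswordAuthentication; do
        val=$(sshd_value "$1" "$kw")
        echo "$kw = ${val:-<not set, build default applies>}"
    done
    if [ "$(sshd_value "$1" PubkeyAuthentication)" = no ]; then
        echo "FAIL     PubkeyAuthentication no: keys will never be tried"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then
    audit_home "$1"; audit_sshd "$2"
fi
```

Run it as `sh audit.sh /volume1/homes/someuser /etc/ssh/sshd_config`. Before restarting the service, `sshd -t` checks the config file for syntax errors, which avoids the telnet recovery path in step 9.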

Postby drueter@assyst.com » Tue Dec 27, 2016 8:54 am

One more note on accessing Synology's rsync via SSH from a remote machine:

Even after getting SSH set up and working as per my previous post, my Synology was returning an error when using rsync. (In my case I am connecting to the Synology from a FreeNAS box.)

freenas rsync: Permission denied, please try again.
freenas rsync: rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
freenas rsync: rsync: error in rsync protocol data stream (code 12) at io.c(226) [Receiver=3.1.2]


The "permission" in question isn't related to SSH: SSH login via key is working fine. Nor is the "permission" a file access permission on either the Synology or the FreeNAS. Instead the "permission" has to do with the rsync binary file on the Synology.

Evidently when using rsync from a remote client via SSH you must specify this rsync parameter: --rsync-path=/usr/bin/rsync

If executing rsync from the command line, do so like this:

rsync -vrtplze ssh --progress --stats --rsync-path=/usr/bin/rsync MySynologyIP:/volume1/MySynologySharedVolPath /MyLocalDirectory


(Replace MySynologyIP with the actual IP address of the Synology, replace MySynologySharedVolPath with the actual Synology path you want to synchronize, and replace MyLocalDirectory with the path on the local client to which you want to synchronize.)

If setting up a FreeNAS Rsync Task, add --rsync-path=/usr/bin/rsync to the "Extra Options" field.

(This post helped me figure this out: https://forum.synology.com/enu/viewtopic.php?t=92627 )

This is another Synology quirk that should be documented, or resolved.

Postby soilent green » Wed Jan 04, 2017 2:55 pm

For backing up data from a RS812 RP to a Linux machine I used "luckybackup" with rsync and ssh. It worked passwordless by a script without any problems until the RS812 RP updated to OS version DSM 6.0.2 - 8451. Since that day the backup fails. I tried different things to get it back again.

The manually started command on the backupserver (as root)

rsync -vvv -avz synology_server:/volume1/homes/ /srv/backup1/volume1/homes/

gives me the following log on the backupmachine:

------------------logging backupserver----------------------------------------------------
ERROR: service disabled
[sender] _exit_cleanup(code=52, file=main.c, line=750): entered
rsync error: service disabled (code 52) at main.c(750) [sender=3.0.9]
[sender] _exit_cleanup(code=52, file=main.c, line=750): about to call exit(52)
rsync: connection unexpectedly closed (9 bytes received so far) [receiver]
_exit_cleanup(code=12, file=io.c, line=600): entered
rsync error: unexplained error (code 52) at io.c(600) [receiver=3.0.6]
_exit_cleanup(code=12, file=io.c, line=600): about to call exit(52)
------------------logging backupserver--------------------------------

A tail -f /var/log/messages on the Synology shows me the following

------------------logging synology--------------------------------------
2017-01-04T12:03:56+01:00 synology_server rsync: User uid (0) is disabled
------------------some logging synology--------------------------------------

Can I get root back again copying files by using rsync from the Synology to my backupserver?
How do I get permissions using rsync as root?

Postby soilent green » Thu Jan 05, 2017 3:46 pm

Oh, I forgot to say, I already tried the path option
--rsync-path=/usr/bin/rsync

Postby wicket » Fri Jan 06, 2017 10:01 am

Hi Everybody!

Thanks to the OP for the very comprehensive summary of SSH/rsync setup on DSM 6.0. This solved my issues. I have been trying for several days now to get rsync over SSH with keys running - the missing bit of information for me was the wrong (not 755) set of permissions on the home directory. Would never have thought of that without you!! :D Most information about Synology/DSM and SSH appears to be quite outdated (DSM 5 and earlier) and not 100% applicable for DSM 6.0.

For the sake of completeness: I do NOT need to supply the

--rsync-path=/usr/bin/rsync

option for rsync to work. As far as I remember (no access to disk station at the moment...) you can/must give users the right to use rsync through the control panel GUI. I always try to use as many built-in GUI stuff as possible - in hope that future updates will not break my modifications. :roll:

IMHO, Synology really should make the functionality (SSH with keys) accessible through the GUI. Like pasting the key somewhere in the web GUI in control panel --> users or something.

tl;dr: Suggested solution is confirmed working on DS1515+ with DSM 6.0 (most recent version as of 2017-01-06).

Postby spiderlane » Mon Jan 09, 2017 3:00 pm

Hi All,

Hardware : DS916+
DSM Version : DSM 6.0.2-8451 Update 7

Thanks for this excellent summary. I cannot for the life of me get this working and I'm posting here in slight desperation. I have decent command line linux skills and have set up passwordless SSH access to servers dozens of times in the past but I must be missing something silly here.

* I am trying to set up login for the user "mark".
* I have set up the "user home service" and set the shell for this user. I can log in perfectly well with the password over SSH
* I have corrected the permissions on this user's home directories correctly (I believe)

mark@Diskstation:/var/services/homes$ ls -laht
total 12K
drwxr-xr-x  1 mark              users   24 Jan  9 13:30 mark


I have set the permissions as follows on the .ssh folder

mark@Diskstation:~$ ls -laht
total 4.0K
drwx------  1 mark users   62 Jan  9 13:41 .ssh


And the permissions of the authorized_keys file like this

mark@Diskstation:~/.ssh$ ls -laht
total 12K
-rw-r--r-- 1 mark users  398 Jan  9 13:42 authorized_keys


I have edited /etc/ssh/sshd_config and set these directives

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys


But it does not work (asks me for my password every time). I've even tried generating a fresh pair of (RSA) keys. The only odd thing about that process is that I tried to use ssh-copy-id to update the authorized_keys file but this didn't work; I get "Permission denied, please try again." even though the password is definitely correct. (recall I can log in via SSH with the password no problem)

I'm tearing my hair out here, because it's obviously something simple I've missed so if anyone can help I'd appreciate it a lot!

Cheers
Mark

Postby wicket » Mon Jan 09, 2017 4:27 pm

Hi Mark,

As far as I know/remember, to log in via SSH with keys the user has to be a member of the "administrators" group (can be changed/edited through the GUI at Control Panel --> Users) - figured this out only after my most recent post. At least it did not work for me without this. Personally, I think this is stupid (unnecessary, useless, not documented). If somebody figures out why this is (and where/how this can be changed) I would be grateful for a hint. Until then, as a workaround, all my SSH-into-NAS-with-key-users need to be members of the "administrators" group... :(

Hope this helps!
Wicket

Postby spiderlane » Mon Jan 09, 2017 5:31 pm

Hi Wicket

Thanks for your reply.

User "mark" is a member of the administrators group according to the command line and the web ui

mark@Diskstation:~/.ssh$ id
uid=1026(mark) gid=100(users) groups=100(users),101(administrators)


The biggest obstacle to debugging is that I can't get the SSH daemon to log info or debug anywhere to see why it's refusing the key. Any ideas how to get that working? That might give me a leg up.

Cheers again for taking the time to reply. I really like the Diskstation, the features and web ui are excellent, but I really need to get this working to get all of my use cases satisfied.

Mark

Postby spiderlane » Mon Jan 09, 2017 6:19 pm

As I suspected, I'm an idiot.

I've got it working with the help of enabling telnet so I could telnet in and run sshd in debug mode and see what was happening on the server side

sudo /bin/sshd -d


All my permissions were correct, it wasn't that at all. My authorized_keys was wrong

Here's what I'd done wrong. It was a small perfect storm of idiocy and I post it here in case it helps anyone in the future.

1. I run my ssh service on a non standard port (not 22). Always have done
2. When I generated fresh keys I attempted to use ssh-copy-id to copy the public key over. This failed with a "Permission denied" error. I didn't think too much of this at the time but I've now worked out why it failed. I was incorrectly specifying my custom port in this command. I was using

ssh-copy-id -i ~/.ssh/id_rsa.pub mark@diskstation -p8333


This is wrong but was failing in a subtle way, because, unbeknownst to me, there was another sshd process running on port 22 on the diskstation! The command was ignoring my -p8333 and connecting to the ssh service on port 22 (and failing for some other reason). When I killed that sshd process, I started getting "Connection refused" which confused me. Checked the docs for ssh-copy-id and the way to specify a custom port is using quotes, as follows :

ssh-copy-id -i ~/.ssh/id_rsa.pub "mark@diskstation -p8333"


3. Before I had debugged the ssh-copy-id problem, I ignored it and simply pasted my public key into authorized_keys. Fool that I am, I missed an "s" off the beginning.

This :

sh-rsa AA1KFARjAA...


should, of course, have been :

ssh-rsa AA1KFARjAA...


Added the missing s in and all works perfectly. As another test I ran ssh-copy-id with the port correctly specified and that worked perfectly too.

So there it is. I'm a fool and tripped myself up

I can only hope this helps some other soul in the future
Cheers
Mark

Postby wicket » Tue Jan 10, 2017 8:21 am

Hi Mark,

Thanks for sharing your "stupid trip-ups"! We never stop learning... :D

My guess about the additional SSH port: the port for rsync over SSH can be specified independently from vanilla SSH somewhere in the GUI. Maybe this is it?

Postby spiderlane » Tue Jan 10, 2017 8:51 am

wicket wrote: We never stop learning... :D



Haha you said it.

Thanks again to drueter for the original tutorial; the instructions are spot on.

Happy ssh-ing, all.

Cheers
Mark

Postby jmginer » Sun Jan 22, 2017 8:24 pm

I can't rsync:

with 777 folder permission: Always asks for password

with 755 folder permission: I get this error:

rsync: mkstemp "/volume1/xxx/.file.ax3Dle" failed: Permission denied (13)


Any idea?

Thanks!

Postby owne » Fri Feb 17, 2017 2:30 am

Thanks again to the OP for a really detailed post. I have been trying SSH with keys for almost a year - first with an older DS212j and now with a newer DS916+.

I had followed all the permissions fastidiously and yet was not able to get it to accept the key. I also found that default sshd logging doesn't seem to yield enough information (and I couldn't see how to improve it - even after changing /etc/ssh/sshd_config settings).

I ended up spawning a new sshd daemon on another arbitrary port, e.g. (220):

/bin/sshd -d -p 220


Then tried connecting with my client to see what the server was doing with the request. Turns out it was fine opening the file..

trying public key file /var/services/homes/admin/.ssh/authorized_keys


but failed a few lines later ...

Failed publickey for admin from <ip> port 7474 ssh2: RSA SHA256:<somekey>


Anyway, turns out a huge rookie error on my part. I copy+pasted the pub key from my mac, but in pasting it to the authorized_keys file it converted <space> to <newline> ......

Fixed that up and finally have keyed ssh access!
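
Both paste errors reported in this thread (a key type missing its first letter, and a key whose spaces became newlines) can be caught by checking authorized_keys directly, without running sshd in debug mode. This is an added example, not from the original posts; it assumes base64 and dd are available on the box, and the key in write_sample is a constructed RSA header (type name plus exponent), not a usable key.

```shell
#!/bin/sh
# Added example (not from the thread): lint an authorized_keys file.
# Usage: sh lint_keys.sh ~/.ssh/authorized_keys

KEY_TYPES="ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# embedded_type BLOB TYPE: print the type name stored inside the base64 key blob.
# Blob layout: 4-byte length, then the type name; dd skips the length field and
# copies as many bytes as TYPE is long.
embedded_type() {
    printf '%s' "$1" | base64 -d 2>/dev/null |
        dd bs=1 skip=4 count="${#2}" 2>/dev/null | tr -d '\000'
}

# lint_authorized_keys FILE: one line per bad entry; returns 1 if any were found.
lint_authorized_keys() {
    file=$1
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in '#'*) continue ;; esac
        set -f; set -- $line; set +f          # split on whitespace, no globbing
        if [ "$#" -eq 0 ]; then continue; fi  # blank line
        first=$1 type='' blob=''
        # Options such as command="..." may precede the key, so scan every field.
        while [ "$#" -gt 0 ]; do
            case " $KEY_TYPES " in
                *" $1 "*) type=$1; blob=${2-}; break ;;
            esac
            shift
        done
        if [ -z "$type" ]; then
            echo "$file:$n: no recognised key type (first field '$first')"; bad=1
        elif [ -z "$blob" ]; then
            echo "$file:$n: '$type' with no key data (entry split across lines?)"; bad=1
        elif [ "$(embedded_type "$blob" "$type")" != "$type" ]; then
            echo "$file:$n: key data does not decode to a '$type' key"; bad=1
        fi
    done < "$file"
    return $bad
}

# write_sample FILE: constructed input. The blob is only the header of an RSA key
# (type name plus exponent), enough for the type check but not a usable key.
write_sample() {
    blob=AAAAB3NzaC1yc2EAAAADAQAB
    printf '%s\n' \
        "ssh-rsa $blob backup@freenas" \
        "sh-rsa $blob mark@laptop" \
        "ssh-rsa" "$blob" "admin@mac" > "$1"
}

if [ "$#" -gt 0 ]; then
    lint_authorized_keys "$1"
fi
```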

Postby DrTeeth » Wed Feb 22, 2017 2:25 pm

Hey just wanted to say thanks for the post. It was incredibly helpful. Two thumbs up!

Postby maraja » Thu Mar 30, 2017 3:28 pm

drueter@assyst.com wrote:I want to be able to log into the Synology via SSH, using a secure key (instead of providing a password). I want to be able to do this so that I can set up a remote non-Synology NAS (FreeNAS) to run an rsync task to backup files on the Synology to the second NAS.

This should be simple to do, but it took a day of researching and going through dozens of posts and articles on many different sites to assemble the required steps.

I am posting the instructions I compiled here so that everything is documented in one place.


Thank you so much! :D

I can confirm it also works on a DS116 with DSM 6.1
