I bought a Synology NAS for home to store some stuff. I want to SSH into it using key-based authentication, but that did not seem to work out of the box. In this post I explain how I made it work.

Normally, setting this up is not a lot of work:

  • Make sure your SSH daemon has public key authentication enabled
  • Make sure you have an SSH key on your client machine
  • Make sure the public key is in ~/.ssh/authorized_keys

Sadly, I kept getting prompted for a password. But I was able to solve it.

This is on DSM 6.1.6. DSM is the operating system that runs on the NAS.

TL;DR: The Solution

If you already know how to normally set up ssh key authentication, here's the actual problem.

The user's home directory, by default, is readable, writable and executable by everyone (mode 777). sshd, with StrictModes enabled (the default), refuses to read authorized_keys from a home directory that is writable by group or others, and logs this while evaluating the key-based login:

Authentication refused: bad ownership or modes for directory /volume1/homes/my-nas-user

The fix is to leave group and others with read and execute only:

chmod 755 /volume1/homes/my-nas-user

Setting up Key Based Authentication Normally

Enable SSH Server

Log in to the Synology Desktop and go to "Control Panel > Terminal & SNMP"

Check "Enable SSH service" and choose a non-default port. If you keep the default port 22 you'll get a security warning later. Keep in mind that a different port only keeps casual scanners out of your logs; it is not a substitute for key-based authentication.

Enable Public Key Authentication

Update September 2019: thanks to "bogd" in the comments for pointing out that public key authentication is enabled by default even though the settings are commented out in sshd_config (commented-out lines show the built-in defaults). So you should be able to skip this and jump to "Generate an SSH Key".

Log in to your NAS using ssh:

ssh -p <port> your-nas-user@your-nas-hostname

Open the SSH server configuration file for editing:

sudo vim /etc/ssh/sshd_config

Find the following lines and uncomment them (remove the #). This only makes the defaults explicit; note that RSAAuthentication applies to the obsolete SSH protocol 1 only, PubkeyAuthentication is the one that matters:

#RSAAuthentication yes
#PubkeyAuthentication yes

Reload the service afterwards with:

sudo synoservicectl --reload sshd

Generate an SSH key

If you have not done this already, you should probably check how to do this with whatever ssh client you are using.

I'm using the Cygwin terminal on Windows, and I can generate a key pair using this command (the -C argument is only a comment that labels the key, typically your e-mail address):

ssh-keygen -t rsa -b 4096 -C "<your-email>"

Follow the instructions here; they are written for GitHub but apply to anything that needs an SSH key: Generating a new SSH key

The result, by default, is a couple of files in the folder ~/.ssh, among them your private key (id_rsa) and public key (id_rsa.pub). The private key never leaves your client; only the .pub file goes to the NAS.

Add public key to Authorized Keys

SSH into the NAS again.

On the NAS, create the file ~/.ssh/authorized_keys. sshd's StrictModes also refuses a .ssh directory or an authorized_keys file that is writable by group or others, so set their modes at the same time:

mkdir -p ~/.ssh
chmod 700 ~/.ssh                    # only the user may enter or list it
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys    # only the user may read or write it

In that file, add the contents of your local ~/.ssh/id_rsa.pub (one key per line). SSH then uses this public key to verify that your client machine is in possession of the matching private key, and lets you in.

On my client I did the following to first copy over my public key (/var/services/homes/my-nas-user is the same directory as /volume1/homes/my-nas-user, as the debug output further down shows):

scp -P <port> ~/.ssh/id_rsa.pub my-nas-user@my-nas-hostname:/var/services/homes/my-nas-user

And then on the NAS SSH session:

cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub

Troubleshooting

Usually, the above steps are enough to make it work. But my NAS still stubbornly asked me for the password.

I eventually found a forum post which has an interesting tip:

I did a debug on the server side of the sshDaemon; "/bin/sshd -d -p xxx", where xxx is an alternative port and -d is for debug. - Forum Synology

They also mention the error Authentication refused: bad ownership or modes for directory /volume1/homes/xxxxxx, which I wasn't seeing. That is because sshd only logs it on the server side; the client just falls back to asking for a password.

I decided to try the command on the NAS. With -d, sshd stays in the foreground, accepts a single connection and prints debug output; -p 1234 keeps it off the port the real SSH service is using:

sudo /bin/sshd -d -p 1234

Then, when I ssh'd to port 1234, the debug session showed the following:

debug1: trying public key file /var/services/homes/my-nas-user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/my-nas-user
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/my-nas-user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/var/services/homes/my-nas-user/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for my-nas-user from 192.168.0.170 port 50411 ssh2: RSA SHA256:******

There I could indeed see the error. The forum topic's poster states the actual problem:

The user's home folder ~/ is not allowed to be writable to group and other, "chmod 755 /volume1/homes/user" should do the trick.

chmod 755 means:

  • owner is allowed to execute (1) + write (2) + read (4) = 7
  • group is allowed to execute (1) + read (4) = 5
  • others (everyone else) are allowed to execute (1) + read (4) = 5

That makes me wonder what the default permissions are for this folder. A check with ls -al ~/.. shows:

drwxrwxrwx+  4 my-nas-user   users 4096 Apr 28 00:04 my-nas-user

Full permissions for everyone. (The trailing + means an ACL is attached as well; sshd only looks at the classic mode bits, which is exactly what chmod changes.)

Solution: chmod 755 /var/services/homes/my-nas-user

And then, as if by magic, everything works correctly and I get logged in using the key.

Thanks to "lvx" for this post: forum.synology.com/enu/viewtopic.php?f=90&t=116726&p=441504#p427355!
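As an added example (not code from the original post or from Synology), here is a small POSIX shell script that does two things the steps above do by hand: install_pubkey appends a public key to ~/.ssh/authorized_keys exactly once, creating ~/.ssh and the file with the modes sshd wants, and strictmodes_check applies the same ownership and permission rules sshd's StrictModes uses (owner must be the user or root; no group or world write bit) to the home directory, ~/.ssh and authorized_keys, so the "bad ownership or modes" refusal can be diagnosed without starting a second sshd. The paths and uid 1026 come from the post; the function names, the constructed sample key and the scratch-directory demo are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Synology.
# install_pubkey    : append a public key to ~/.ssh/authorized_keys once, with safe modes
# strictmodes_check : the ownership/mode checks sshd (StrictModes yes, the default)
#                     applies before it reads authorized_keys
# Assumes POSIX sh with ls(1), awk(1), id(1) and mktemp(1). Paths and uid 1026 are
# from the post; function names and the sample key are mine.

# check_one <path> <uid> <label>: sshd accepts a path only if it is owned by the
# user or root and is neither group- nor world-writable. Prints each problem found.
check_one() {
    _path=$1 _uid=$2 _label=$3 _rc=0
    if [ ! -e "$_path" ]; then
        echo "$_label: $_path does not exist"
        return 1
    fi
    # -L follows symlinks (/var/services/homes -> /volume1/homes on DSM),
    # -n prints the numeric uid, so no passwd lookup is needed.
    set -- $(ls -ldLn "$_path")
    _mode=$1 _owner=$3
    if [ "$_owner" != "$_uid" ] && [ "$_owner" != 0 ]; then
        echo "$_label: owned by uid $_owner, expected $_uid or root: $_path"
        _rc=1
    fi
    # mode string is "drwxrwxrwx" (a trailing + marks an ACL, as on DSM):
    # character 6 is the group write bit, character 9 the other write bit.
    case $_mode in ?????w*)    echo "$_label: group-writable ($_mode): $_path"; _rc=1 ;; esac
    case $_mode in ????????w*) echo "$_label: world-writable ($_mode): $_path"; _rc=1 ;; esac
    return $_rc
}

# strictmodes_check <home> <uid>: walk the paths sshd inspects for the default
# AuthorizedKeysFile (the file and every directory up to and including $HOME).
strictmodes_check() {
    _home=$1 _u=$2 _bad=0
    check_one "$_home" "$_u" "home directory" || _bad=1
    check_one "$_home/.ssh" "$_u" ".ssh directory" || _bad=1
    check_one "$_home/.ssh/authorized_keys" "$_u" "authorized_keys" || _bad=1
    [ "$_bad" -eq 0 ] && echo "OK: sshd will accept keys from $_home/.ssh/authorized_keys"
    return $_bad
}

# install_pubkey <home> <pubkey-line>: create ~/.ssh (0700) and authorized_keys
# (0600) if missing and append the key unless the same type + blob is already there.
install_pubkey() {
    _home=$1 _key=$2
    case $_key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line"; return 1 ;;
    esac
    _type=${_key%% *}                     # 1st field: key type
    _rest=${_key#* }; _b64=${_rest%% *}   # 2nd field: base64 blob (comment is ignored)
    _ak=$_home/.ssh/authorized_keys
    mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh" || return 1
    touch "$_ak" && chmod 600 "$_ak" || return 1
    if awk -v t="$_type" -v b="$_b64" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$_ak"; then
        echo "key already present in $_ak"
    else
        printf '%s\n' "$_key" >> "$_ak"
        echo "key added to $_ak"
    fi
}

# demo: rebuild the post's situation in a scratch directory (777 home, key
# installed, then chmod 755) and return 0 if the check fails before the fix
# and passes after it.
demo() {
    _d=$(mktemp -d) || return 1
    _h=$_d/my-nas-user
    _me=$(id -u)
    # constructed sample key: the blob is filler, not a real key
    _sample='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleNOTaREALkey0123456789abcdef== my-nas-user@client'
    mkdir "$_h" && chmod 777 "$_h" || return 1               # DSM default: drwxrwxrwx
    install_pubkey "$_h" "$_sample" >/dev/null || return 1
    install_pubkey "$_h" "$_sample" >/dev/null || return 1   # second call must not duplicate
    [ "$(awk 'END { print NR }' "$_h/.ssh/authorized_keys")" -eq 1 ] || return 1
    if strictmodes_check "$_h" "$_me"; then
        echo "expected the 777 home directory to be refused"; return 1
    fi
    chmod 755 "$_h"                                          # the fix from the post
    strictmodes_check "$_h" "$_me" || return 1
    rm -rf "$_d"
}

# Run with no arguments for the demo. On the NAS, call the functions directly,
# e.g. (uid 1026 is the one shown in the post's sshd -d output):
#   strictmodes_check /volume1/homes/my-nas-user 1026
[ $# -eq 0 ] && demo
```

Running it without arguments prints the refusal for the 777 directory and then the OK line after chmod 755, which is the same sequence the sshd -d session above shows. On a client that ships ssh-copy-id, that tool does the scp-and-append step in one go, but it does not fix the home directory mode either, so the check is still worth running on the NAS afterwards.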

Conclusion

Synology's default home folder permissions (777) prevent sshd from accepting key-based authentication. Removing write permission for group and others on the home directory solves the issue.

Also nice to know: you can debug SSH logins by running the daemon in debug mode on a spare port:

sudo /bin/sshd -d -p 1234

Good thing there are a lot of Synology users and the community posts solutions online, because I don't think this is in the manual.