Configure Synology NAS SSH Key-based authentication
I bought a Synology NAS at home to store some stuff. I want to SSH into it using key-based authentication, but that did not seem to be supported by default. In this post I explain how I made it work.
Normally, setting this up is not a lot of work:
- Make sure your SSH daemon has public key authentication enabled
- Make sure you have an SSH key on your client machine
- Make sure the public key is in ~/.ssh/authorized_keys
Sadly, I kept getting the request for a password. But I was able to solve it.
This is on DSM 6.1.6. DSM is the Operating System that runs on the NAS device.
TL;DR: The Solution
If you already know how to normally set up ssh key authentication, here's the actual problem.
The user's home directory, by default, has full read, write and execute permissions for everyone (777). SSH doesn't allow that and throws an error while evaluating ssh key based login:
Authentication refused: bad ownership or modes for directory /volume1/homes/my-nas-user
The solution is to only allow read and execute to group and everyone:
chmod 755 /volume1/homes/my-nas-user
Setting up Key Based Authentication Normally
Enable SSH Server
Log in to the Synology Desktop and go to "Control Panel > Terminal & SNMP"
Check "Enable SSH Service" and choose a non-default port. If you use the default port of 22 you'll get a security warning later.
Enable Public Key Authentication
Update September 2019: Thanks to "bogd" in the comments for pointing out that public key authentication is enabled by default even if the settings are commented out in sshd_config. So you should be able to skip this and jump to "Generate an SSH Key".
Log in to your NAS using ssh:
ssh -p <port> your-nas-user@your-nas-hostname
Open the SSH server configuration file for editing:
sudo vim /etc/ssh/sshd_config
Find the following lines and uncomment them (remove the #):
#RSAAuthentication yes
#PubkeyAuthentication yes
It's possible to restart the service using the following command:
sudo synoservicectl --reload sshd
Generate an SSH key
If you have not done this already, you should probably check how to do this with whatever ssh client you are using.
I'm using the Cygwin terminal on Windows, and I can generate a key pair using this command:
ssh-keygen -t rsa -b 4096 -C "<your-email-address>"
Follow the instructions here, they are for GitHub but they apply to everything that needs an ssh key: Generating a new SSH key
The result, by default, is a couple of files in the folder ~/.ssh, among which your private key (id_rsa) and public key (id_rsa.pub).
Add public key to Authorized Keys
Ssh into the NAS again.
On the NAS, you must create a file ~/.ssh/authorized_keys:
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
In that file, you must add the contents of your local ~/.ssh/id_rsa.pub. SSH then uses this public key to verify that your client machine is in possession of the private key. Then it lets you in.
On my client I did the following to first copy over my public key:
scp -P <port> ~/.ssh/id_rsa.pub my-nas-user@my-nas-hostname:/var/services/homes/my-nas-user
And then on the NAS SSH session:
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
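The three steps above (create ~/.ssh, create authorized_keys, append the public key) are easy to get subtly wrong: running them twice duplicates the key, and the directory and file are created with whatever umask happens to be active. The script below is an added example, not from the original post, that does the same thing idempotently and sets the modes sshd expects (home not group/world-writable, .ssh 700, authorized_keys 600). It works on a throw-away directory and a constructed, non-functional public key; the function name install_authorized_key is my own, not a Synology or OpenSSH command.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys with the permissions sshd expects already in place.
# The home directory and key used in the demo below are constructed.

# install_authorized_key HOME_DIR PUBKEY_FILE
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless it
#   is already there, creating the directory and file with restrictive modes.
install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # The home directory must not be group- or world-writable
    # (the Synology default is 777, which sshd rejects).
    chmod go-w "$home_dir"

    # ~/.ssh is private to the owner.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Create authorized_keys if it is missing and keep it owner-only.
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only if this exact key line is not already present (idempotent).
    key_line=$(cat "$pubkey_file")
    if ! grep -qxF -- "$key_line" "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
}

# count_authorized_keys HOME_DIR -> prints the number of lines in authorized_keys
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Demo on a throw-away home directory with a constructed (non-functional) key,
# copied into the home directory the way scp in the post does.
demo_home=$(mktemp -d)
chmod 777 "$demo_home"   # reproduce the Synology default
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-demo-key user@example\n' > "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"
install_authorized_key "$demo_home" "$demo_home/id_rsa.pub"   # second run adds nothing
echo "authorized_keys now holds $(count_authorized_keys "$demo_home") key(s)"
ls -ld "$demo_home" "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

On the NAS you would call it as install_authorized_key ~ ~/id_rsa.pub after the scp step; the chmod on the home directory is what makes the difference on DSM, the rest is ordinary hygiene.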
Troubleshooting
Usually, the above steps are enough to make it work. But my NAS still stubbornly asked me for the password.
I eventually found a forum post which has an interesting tip:
I did a debug on the server side of the sshDaemon; "/bin/sshd -d -p xxx", where xxx is an alternative port and -d is for debug. - Forum Synology
But they also mention the error: Error: Authentication refused: bad ownership or modes for directory /volume1/homes/xxxxxx, which I wasn't seeing.
I decided to try the command:
sudo /bin/sshd -d -p 1234
Then when I ssh'd into my server, the debug session showed the following:
debug1: trying public key file /var/services/homes/my-nas-user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/my-nas-user
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/my-nas-user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/var/services/homes/my-nas-user/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for my-nas-user from 192.168.0.170 port 50411 ssh2: RSA SHA256:******
There I could indeed see the error. The forum topic's poster states the actual problem:
The user's home folder ~/ is not allowed to be writable to group and other, "chmod 755 /volume1/homes/user" should do the trick.
chmod 755 means:
- owner is allowed to execute (1) + write (2) + read (4) = 7
- group is allowed to execute (1) + read (4) = 5
- everyone is allowed to execute (1) + read (4) = 5
That made me wonder what the default permissions are for this folder. A check with ls -al ~/.. shows:
drwxrwxrwx+ 4 my-nas-user users 4096 Apr 28 00:04 my-nas-user
Full permissions for everyone.
Solution: chmod 755 /var/services/homes/my-nas-user
And then, as if by magic, everything works correctly and I get logged in using the key.
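The "bad ownership or modes" refusal comes from sshd's StrictModes check, which looks at the home directory, ~/.ssh and authorized_keys in turn. The script below is an added example, not from the post or from OpenSSH, that approximates those checks (owner must be the user or root; none of the three may be group- or world-writable) and prints the chmod that fixes each finding. The function names (check_strict_modes, mode_string, owner_of) are my own, and the demo reproduces the 777 home directory on a temporary path rather than touching a real NAS.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ownership and
# mode checks sshd applies under StrictModes to the home directory, ~/.ssh
# and authorized_keys, and print the chmod that would fix each violation.
# This is an approximation of sshd's checks, not its source.

# mode_string PATH -> the 9-character rwx string, e.g. rwxrwxrwx
mode_string() {
    ls -ld "$1" | cut -c2-10
}

# owner_of PATH -> owner user name as reported by ls
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# group_or_other_writable PATH -> exit 0 if group or others may write to PATH
group_or_other_writable() {
    case "$(mode_string "$1")" in
        ????w*|???????w*) return 0 ;;   # group w is char 5, other w is char 8
    esac
    return 1
}

# check_strict_modes HOME_DIR USER -> 0 if sshd would accept, 1 otherwise;
# prints one line per problem together with the suggested fix.
check_strict_modes() {
    home_dir=$1
    user=$2
    status=0
    for entry in "$home_dir:755" "$home_dir/.ssh:700" "$home_dir/.ssh/authorized_keys:600"; do
        path=${entry%:*}
        want=${entry##*:}
        [ -e "$path" ] || continue   # sshd just moves on to the next key file
        owner=$(owner_of "$path")
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "bad ownership: $path is owned by $owner (fix: chown $user $path)"
            status=1
        fi
        if group_or_other_writable "$path"; then
            echo "bad modes: $path is $(mode_string "$path") (fix: chmod $want $path)"
            status=1
        fi
    done
    return $status
}

# Demo: a constructed home directory with the Synology default (777), then fixed.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 777 "$demo_home"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
echo "--- with the Synology default (777) home directory:"
check_strict_modes "$demo_home" "$(id -un)" || echo "sshd would refuse key login"
chmod 755 "$demo_home"
echo "--- after chmod 755:"
check_strict_modes "$demo_home" "$(id -un)" && echo "sshd would accept key login"
rm -rf "$demo_home"
```

On the NAS you would run check_strict_modes /var/services/homes/my-nas-user my-nas-user before reaching for sshd -d; it reports the same condition the debug output shows, without restarting anything.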
Thanks to "lvx" for this post: forum.synology.com/enu/viewtopic.php?f=90&t=116726&p=441504#p427355!
Conclusion
Synology's default home folder setup prevents SSH from using key-based authentication. Tightening the permissions on the home directory solves the issue.
Also, nice to know, you can debug your ssh logins by running the daemon in debug mode:
sudo /bin/sshd -d -p 1234
Good thing there seem to be a lot of Synology users and the community posts solutions online, because I don't think this is in the manual.