├── images
│   ├── icon.jpg
│   ├── image-1.png
│   ├── image-2.png
│   └── image-3.png
├── LICENSE
└── README.md
/images/icon.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/007revad/Synology_SSH_key_setup/HEAD/images/icon.jpg
--------------------------------------------------------------------------------
/images/image-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/007revad/Synology_SSH_key_setup/HEAD/images/image-1.png
--------------------------------------------------------------------------------
/images/image-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/007revad/Synology_SSH_key_setup/HEAD/images/image-2.png
--------------------------------------------------------------------------------
/images/image-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/007revad/Synology_SSH_key_setup/HEAD/images/image-3.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2024 Dave Russell
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Synology SSH key setup
2 |
3 |
4 | 
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | ### Description
13 |
14 | How to set up SSH key authentication for your Synology
15 |
16 | Tommes has an excellent guide [in English here](https://github.com/toafez/Tutorials/blob/main/SynologyNAS/ssh_from_os_to_nas_en.md), and [in German here](https://github.com/toafez/Tutorials/blob/main/SynologyNAS/ssh_from_os_to_nas.md) that goes with their [YouTube video in German here](https://youtu.be/VjoWjX_8E3Q).
17 |
18 |
19 |
20 | Content below from Gudbrand Olimb's now deleted https://blog.golimb.com/2020/10/03/synology-ssh-key-authentication/
21 |
22 | I've updated the commands for restarting the sshd service for DSM 6 and DSM 7
23 |
24 |

25 |
26 | There are a lot of posts throughout the web on configuring SSH key authentication on Synology NAS, many with some confusing and unnecessary steps such as:
27 | - Modifying the RSAAuthentication and PubkeyAuthentication parameters in /etc/ssh/sshd_config
28 | - Restarting the sshd service multiple times with:
29 |   - DSM 7: `sudo systemctl reload sshd`
30 |   - DSM 6: `sudo synoservicectl --reload sshd`
31 | - Changing permissions on various folders with chmod, both root folders and user folders
32 | - Unclear creation of the ~/.ssh folder, ending up under root
33 |
34 | After reading several great blog posts and guides on this I've tried to summarise what is actually required to make SSH key authentication work with Synology NAS, assuming you are coming from a clean setup without too many changes. Hopefully this summary will help you so you don't need to search Google and go through the same x number of guides.
35 |
36 | Now through this whole guide you will be in the **context of a specific user** who is included in the **Administrator group**.
37 | - _You will_ ***not*** _be sudo or su to root user although sudo will be used to perform some actions_.
38 | - You need a user in the administrator group because only administrators are allowed to log in through SSH by default (see below).
39 |
40 | 
41 |
42 | So let's get started with the basic steps
43 |
44 | ## 1. Prerequisite - Enable SSH on your Synology NAS
45 | As shown in the picture above, to enable SSH for your Synology NAS go to Control Panel -> Terminal & SNMP -> Terminal tab -> check Enable SSH Service and enter a port.
46 |
47 | - If you are exposing your Synology NAS to the internet, it is highly recommended to use a custom port and not the standard port 22, as port 22 gets a lot of brute-force attempts from robots and attackers scanning public IPs.
48 |
49 | ## 2. Prerequisite - Creation of SSH key pair
50 | To use SSH key authentication we will need to generate an SSH key pair (one privateKey, one publicKey). The publicKey will be shared with and stored in the Synology NAS SSH "authorized keys", while the privateKey will be used to prove our identity as it corresponds to the publicKey.
51 |
52 | - **Windows**
53 |   - If you are on Windows I recommend downloading puttygen to generate the keys, it's very quick and user friendly; see the link below for a guide on creation of an RSA key.
54 |     https://www.ssh.com/ssh/putty/windows/puttygen
55 |
56 | - **Mac**
57 |   - Open a terminal, navigate to a folder and run the command below to generate a public and private key
58 |   - `ssh-keygen -t rsa -b 4096 -C "user@domain.com"`
59 |   - Go here if you want to read up some more: https://www.ssh.com/ssh/keygen/
60 |
61 | ## 3. Prerequisite - Copy the publicKey
62 | Open the created keyname.pub and copy the content to a text editor or similar. The public key should start with ssh-rsa and look a lot like the one below. Beware that there is no new line here; it is all on one line (this is also important for later).
63 | ```
64 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com
65 | ```
66 |
67 | ## 4. SSH into your NAS
68 | Now that we have a key pair and have enabled SSH on the Synology NAS, let's log in to configure the SSH authorized_keys (= our generated public key).
69 |
70 | Open a terminal and ssh into the server with your admin-user, ip and custom port:
71 |
72 | ```
73 | ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort}
74 | ```
75 |
76 | Now run the `pwd` command to verify you are in the {admin-user} user directory.
77 | - The result should be: ***/volume1/homes/{admin-user}***
78 |
79 | ## 5. Creation of .ssh directory and authorized_keys file
80 | Now in the {admin-user} directory create a directory named **.ssh**
81 |
82 | ```
83 | mkdir .ssh
84 | ```
85 |
86 | Now navigate to the .ssh folder
87 |
88 | ```
89 | cd .ssh
90 | ```
91 |
92 | Now run the `pwd` command to verify you are in the right location.
93 | - The result should be ***/volume1/homes/{admin-user}/.ssh***
94 |
95 | Next create an authorized_keys file.
96 |
97 | ```
98 | vi authorized_keys
99 | ```
100 |
101 | This will take you into the vi program interface for adding content.
102 |
103 | - Press **i** to enable inserting text.
104 | - Paste your public key from step 3.
105 | - Ensure you paste your public key on one line only, no new line and remember the spaces.
106 | - Press **esc** to leave insert mode and return to the vi command interface.
107 | - Press the colon **:** key.
108 | - Type **wq!** and press enter to save the file.
109 |
110 | Now let's verify the file is created with the `ls` command.
111 | - The result should be ***authorized_keys***
112 |
113 | Now let's verify the public key in the file with the command `more authorized_keys`
114 |
115 | The result should look like:
116 |
117 | ```
118 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com
119 | ```
120 |
121 | ## 6. Setting correct permissions
122 | This is the point where a lot of confusion often occurs when trying to do SSH key authentication with Synology NAS. A lot of this confusion occurs because the {admin-user} home directory by default allows any access, which the sshd SSH daemon considers insecure, so it prevents SSH key authentication from occurring.
123 |
124 | **Default permissions of users' home folders are 777 / rwxrwxrwx**
125 | - Users home folder = /volume1/homes/{username}
126 | - In this case home folder = /volume1/homes/{admin-user}
127 |
128 | 
129 |
130 | What we need to do is to change the permissions to below:
131 |
132 | 
133 |
134 | This can be done by running:
135 | ```
136 | sudo chmod 755 /volume1/homes/{admin-user}
137 | ```
138 | There are some comments that changing the user home permissions might not be the best solution to resolve this, due to security or the fact that a Synology update might change this later.
139 | - The first case on security should not be a worry in itself, as we are actually tightening permissions by changing from 777 to 755
140 | - The second case of Synology updates is something to be aware of: you might need to set this permission again in future after an update if that update resets the permissions to 777
141 | - Because there is a risk of permissions being reset outside of our control, I would discourage removing the username/pw authentication possibility in sshd_config (/etc/ssh/sshd_config), which some have suggested doing once SSH key authentication is working correctly.
142 |
143 | Now if you want to be 100% sure you have the correct permissions for the user home and the .ssh directory and authorized_keys you can either
144 | - Run the following chmod commands to set the correct permissions:
145 | ```
146 | sudo chmod 755 /volume1/homes/{admin-user}
147 | sudo chmod 755 /volume1/homes/{admin-user}/.ssh
148 | sudo chmod 644 /volume1/homes/{admin-user}/.ssh/authorized_keys
149 | ```
150 | - Or check the permissions of each of the below folders and files one by one
151 |   - Chmod calculator - https://chmod-calculator.com/
152 |
153 | Check the permissions of the following folders and files:
154 | ```
155 | /volume1/homes/{admin-user} | 755
156 | /volume1/homes/{admin-user}/.ssh | 755
157 | /volume1/homes/{admin-user}/.ssh/authorized_keys | 644
158 | ```
159 |
160 | To check, navigate to /volume1/homes/{admin-user}/.ssh and run `ls -al`
161 | ```
162 | cd /volume1/homes/{admin-user}/.ssh
163 | ls -al
164 |
165 | drwxr-xr-x 2 {admin-user} users 4096 Oct 3 15:58 .
166 | drwxr-xr-x 16 {admin-user} users 4096 Oct 3 16:08 ..
167 | -rw-r--r-- 1 {admin-user} users 747 Oct 3 16:11 authorized_keys
168 | ```
169 |
170 | . represents /volume1/homes/{admin-user}/.ssh folder
.. represents /volume1/homes/{admin-user} folder
authorized_keys represents /volume1/homes/{admin-user}/.ssh/authorized_keys file
171 |
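
The three permission checks above can be run in one pass, for example after a DSM update that may have reset the home folder to 777. This script is an added example, not part of the original guide; it approximates the test sshd applies (each path owned by the login user or root, and not group- or world-writable), and the function names `check_path` and `audit_ssh_perms` are hypothetical.

```shell
#!/bin/sh
# Added example: approximate sshd's ownership/mode test for the three
# paths from step 6. Function names are hypothetical.

# check_path PATH OWNER -> prints a finding; returns 1 if PATH would be refused.
# OWNER may be a user name or a numeric uid.
check_path() {
    target=$1 owner=$2
    if [ ! -e "$target" ]; then
        echo "MISSING   $target"; return 1
    fi
    # Must belong to the login user; root-owned (uid 0) paths are also accepted
    if [ -n "$(find "$target" -prune ! -user "$owner" ! -user 0)" ]; then
        echo "BAD OWNER $target"; return 1
    fi
    # Group- or world-writable is what sshd reports as "bad ownership or modes"
    if [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE  $target"; return 1
    fi
    echo "OK        $target"
}

# audit_ssh_perms HOME OWNER -> exit status is the number of failing paths
audit_ssh_perms() {
    home=$1 owner=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$owner" || bad=$((bad + 1))
    done
    return "$bad"
}

# Run on the NAS as: sh audit.sh /volume1/homes/{admin-user} {admin-user}
if [ "$#" -eq 2 ]; then
    audit_ssh_perms "$1" "$2"
fi
```

A `WRITABLE` line for the home folder is fixed with the `chmod 755` command from this step.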
172 | ## 7. Ready to test
173 |
174 | Now we should be ready to connect to the Synology NAS with SSH key authentication. On your PC/Mac, go to the folder holding your private key and run the following command from a terminal to test the connection.
175 | ```
176 | ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort} -o "IdentitiesOnly=yes" -i {privateKey}
177 | ```
178 |
179 | Now hopefully you are automatically logged in to the Synology NAS over SSH as the key pair exchange and authentication happens in the backend.
180 |
181 | Now if you want to simplify your login so you can do as below for example:
182 | ```
183 | ssh synologyNas
184 | ```
185 |
186 | Then check out the following link for setting up an SSH config file with an alias (synologyNas) with preconfigured parameters for ip/host, port, privatekey, user, etc.
187 | - https://mediatemple.net/community/products/grid/204644730/using-an-ssh-config-file
188 |
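
One way to create that alias on a Mac or Linux client, as an added example that is not part of the original guide. The function name `add_ssh_alias` is hypothetical, and the address, port, user and key path in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): create the "synologyNas"
# alias from step 7 in an ssh client config file.

# add_ssh_alias CONFIG ALIAS HOST PORT USER KEYFILE
# Returns 0 when the block was appended, 2 when the alias already exists.
add_ssh_alias() {
    config=$1 alias_name=$2 host=$3 port=$4 login=$5 key=$6
    # ssh refuses a config file that other users can write to
    ( umask 077; touch "$config" ) || return 1
    chmod 600 "$config"
    # Whole-line fixed-string match so "nas" does not match "nas2"
    if grep -qxF "Host $alias_name" "$config"; then
        return 2
    fi
    # IdentitiesOnly mirrors the -o "IdentitiesOnly=yes" option used in step 7
    cat >> "$config" <<EOF

Host $alias_name
    HostName $host
    Port $port
    User $login
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# Constructed values; replace with your NAS address, port, user and key path:
# add_ssh_alias ~/.ssh/config synologyNas 192.0.2.10 2222 admin-user ~/.ssh/privateKeys/id_rsa
```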
189 | ## 8. Troubleshooting
190 |
191 | Log back into the Synology NAS using username/pw as {admin-user} through a terminal and run the command below. This will start a debug ssh server where you can see the interaction between the Synology NAS and your PC/Mac.
192 | ```
193 | sudo /bin/sshd -p {debugPort} -d
194 | ```
195 |
196 | Now from your PC/Mac open another terminal and perform the same key authentication command as before against the debug ssh server
197 | ```
198 | ssh {admin-user}@{nas-ip-or-host} -p {debugPort} -o "IdentitiesOnly=yes" -i {privateKey}
199 | ```
200 |
201 | Now in the session from step 1 you should be able to see the debug console and any issues such as permission issues etc.
202 |
203 | ### Common errors
204 |
205 | **Wrong permissions on user home folder**
206 |
207 | Error message:
208 | ```
209 | debug1: temporarily_use_uid: 1026/100 (e=0/0)
210 | debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
211 | debug1: fd 4 clearing O_NONBLOCK
212 | Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}
213 | debug1: restore_uid: 0/0
214 | ```
215 |
216 | Resolution: Go back to step 6 and ensure you set the correct permissions on the user's home directory
217 |
218 |
219 |
220 | **Wrong permissions on .ssh folder**
221 |
222 | Error message:
223 | ```
224 | debug1: temporarily_use_uid: 1026/100 (e=0/0)
225 | debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
226 | debug1: fd 4 clearing O_NONBLOCK
227 | Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}/.ssh
228 | debug1: restore_uid: 0/0
229 | ```
230 |
231 | Resolution: Go back to step 6 and ensure you set the correct permissions on the .ssh directory
232 |
233 |
234 |
235 | **Wrong permissions on authorized_keys file**
236 |
237 | Error message:
238 | ```
239 | debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
240 | debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': Permission denied
241 | debug1: restore_uid: 0/0
242 | ```
243 | Resolution: Go back to step 6 and ensure you set the correct permissions on the authorized_keys file in the .ssh directory
244 |
245 |
246 |
247 | **Wrongly created .ssh folder (usually under wrong user context like e.g. root and not user)**
248 |
249 | Error message:
250 | ```
251 | debug1: temporarily_use_uid: 1026/100 (e=0/0)
252 | debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
253 | debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': No such file or directory
254 | debug1: restore_uid: 0/0
255 | ```
256 |
257 | Resolution: Go back to step 5 and ensure you create the .ssh directory and authorized_keys under the correct context/user {admin-user}
258 |
259 | This error can typically happen if you ended up creating the .ssh folder under root as below:
260 | ```
261 | command as root - ash# pwd
262 | result - /root/.ssh
263 | ```
264 |
265 | What it should be:
266 | ```
267 | command as {admin-user} - {admin-user}# pwd
268 | result - /volume1/homes/{admin-user}/.ssh
269 | ```
270 |
271 | ### A few extra handy tips
272 |
273 | If you think/feel that the SSH daemon on the Synology NAS is not picking up your changes, you can try to restart the daemon by running the command below (requires admin access).
274 |
275 | For DSM 7
276 | ```
277 | sudo systemctl reload sshd
278 | ```
279 |
280 | For DSM 6
281 | ```
282 | sudo synoservicectl --reload sshd
283 | ```
284 |
285 | On Mac, if you get the error below, you need to set the correct permissions on the .ssh folder and the private keys used for SSH key authentication:
286 | ```
287 | Permissions 0777 for '/Users/username/.ssh/privateKeys/id_rsa' are too open.
288 | It is recommended that your private key files are NOT accessible by others.
289 | This private key will be ignored.
290 | ```
291 |
292 | To correct the permissions, run the commands below:
293 | ```
294 | sudo chmod -R 755 ~/.ssh
295 | sudo chmod -R 600 ~/.ssh/privateKeys/*
296 | ```
297 |
--------------------------------------------------------------------------------