Synology SSH key authentication
There are a lot of posts throughout the web on configuring SSH key authentication on a Synology NAS, many with confusing and unnecessary steps such as
After reading many great blog posts and guides on this, I've tried to summarise what is actually required to make SSH key authentication work with a Synology NAS, assuming you are coming from a clean setup without too many changes. Hopefully this summary will help you so you don't need to search Google and go through the same x number of guides.
Throughout this whole guide you will be in the context of a specific user who is included in the Administrator group.
You will not sudo su to the root user, although sudo will be used to perform some actions.
So let's get started with the basic steps.
As shown in the picture above to enable SSH for your Synology NAS go to Control Panel -> Terminal & SNMP -> Terminal Tab -> Check Enable SSH Service and enter a port.
To use SSH key authentication we will need to generate an SSH key pair (one privateKey, one publicKey). The publicKey will be shared with and stored in the Synology NAS SSH "authorized keys" file, while the privateKey stays on your machine and is used to prove our identity, as it corresponds to the publicKey.
Windows
Mac
Open the created keyname.pub and copy the content to a text editor or similar. The public key should start with ssh-rsa and look a lot like below. Beware that there is no new line here; it is all on one line (this is also important for later).
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com
Now that we have a key pair and have enabled SSH on the Synology NAS, let's log in to configure the SSH authorized_keys file (= our generated public key).
Open a terminal and ssh into the server as below
ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort}
Now run the pwd command to verify you are in the {admin-user} home directory
command = pwd
result = /volume1/homes/{admin-user}
Now in the {admin-user} directory create a directory named .ssh
command = mkdir .ssh
Now navigate to the .ssh folder
command = cd .ssh
or
command = cd ~/.ssh (alias path for same folder)
Now in that folder (run the command below to verify you are in the right location) let's create an authorized_keys file.
command = pwd
result = /volume1/homes/{admin-user}/.ssh
To create file
command = vi authorized_keys
This will take you into the vi editor; paste the public key into it as a single line (exactly as copied from keyname.pub) and save the file.
Now let's verify the file is created
command = ls
result = authorized_keys
Now let's verify the public key is in the file
command = more authorized_keys
result = ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com
Often this is the point where a lot of confusion occurs when trying to do SSH key authentication with a Synology NAS. Much of the confusion comes from the fact that the {admin-user} home directory by default allows access to everyone, which the sshd SSH daemon considers insecure, so it refuses SSH key authentication.
Default permissions of users home folders - 777 / rwxrwxrwx
What we need to do, as lvx so nicely explains in the Synology forum (see link here), is to change the permissions to the value below.
This can be done by running
sudo chmod 755 /volume1/homes/{admin-user}
There are some comments that changing the user home permissions might not be the best solution, either for security reasons or because a Synology update might change this later.
The security concern should not be a worry in itself, as we are actually restricting permissions by changing from 777 to 755.
The Synology update concern is something to be aware of: you might need to set this permission again in the future if an update resets the permissions to 777.
Now if you want to be 100% sure you have the correct permissions on the user home, the .ssh directory and authorized_keys, you can either run
sudo chmod 755 /volume1/homes/{admin-user}
sudo chmod 755 /volume1/homes/{admin-user}/.ssh
sudo chmod 644 /volume1/homes/{admin-user}/.ssh/authorized_keys
OR, if you want to use the alias paths (remember to be in the {admin-user} context):
sudo chmod 755 ~
sudo chmod 755 ~/.ssh
sudo chmod 644 ~/.ssh/authorized_keys
Folders and files to check | permission to ensure
/volume1/homes/{admin-user} | 755
/volume1/homes/{admin-user}/.ssh | 755
/volume1/homes/{admin-user}/.ssh/authorized_keys | 644
To check, navigate to /volume1/homes/{admin-user}/.ssh and run ls -al; the output should look like this
cd /volume1/homes/{admin-user}/.ssh
ls -al
drwxr-xr-x 2 {admin-user} users 4096 Oct 3 15:58 .
drwxr-xr-x 16 {admin-user} users 4096 Oct 3 16:08 ..
-rw-r--r-- 1 {admin-user} users 747 Oct 3 16:11 authorized_keys
. represents /volume1/homes/{admin-user}/.ssh folder
.. represents /volume1/homes/{admin-user} folder
authorized_keys represents /volume1/homes/{admin-user}/.ssh/authorized_keys file
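The same checks in script form, as an added example that is not part of the original post: it verifies the three modes from the table above, that the admin user owns each path, and that authorized_keys contains one key per line (a key that got wrapped when pasted fails this check). It assumes a stat that accepts -c (GNU or busybox, as on Linux and DSM) and takes the admin user's numeric uid.

```shell
# Added example, not from the original post: checks the three paths the guide
# tells you to verify (home 755, .ssh 755, authorized_keys 644), that they are
# owned by the admin user, and that authorized_keys holds one key per line.
# Assumes GNU or busybox stat with -c, as on Linux and DSM.

# expect_path PATH MODE UID -> 0 if PATH exists with exactly that mode and owner;
# otherwise prints the mismatch together with the fix from the guide and returns 1.
expect_path() {
    path=$1; want_mode=$2; want_uid=$3; fail=0
    if [ ! -e "$path" ]; then
        echo "MISSING   $path (create it as the admin user, not as root)"
        return 1
    fi
    got_mode=$(stat -c '%a' "$path"); got_uid=$(stat -c '%u' "$path")
    if [ "$got_mode" != "$want_mode" ]; then
        echo "BAD MODE  $path is $got_mode, want $want_mode (sudo chmod $want_mode $path)"
        fail=1
    fi
    if [ "$got_uid" != "$want_uid" ]; then
        echo "BAD OWNER $path is owned by uid $got_uid, want uid $want_uid"
        fail=1
    fi
    return $fail
}

# check_authorized_keys FILE -> 0 if every non-empty line looks like
# "<key-type> <base64-key> [comment]". A key that was wrapped when pasted
# shows up as a line that does not start with a key type.
check_authorized_keys() {
    awk 'BEGIN { bad = 0 }
         NF == 0 { next }
         $1 !~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ || NF < 2 {
             print "BAD LINE  " FILENAME ":" NR ": expected <key-type> <base64-key> [comment]"
             bad = 1
         }
         END { exit bad }' "$1"
}

# check_nas_ssh HOME_DIR UID -> 0 only when everything the guide asks for is in place.
# On the NAS: check_nas_ssh /volume1/homes/{admin-user} "$(id -u {admin-user})"
check_nas_ssh() {
    home=$1; uid=$2; rc=0
    expect_path "$home" 755 "$uid" || rc=1
    expect_path "$home/.ssh" 755 "$uid" || rc=1
    expect_path "$home/.ssh/authorized_keys" 644 "$uid" || rc=1
    if [ -f "$home/.ssh/authorized_keys" ]; then
        check_authorized_keys "$home/.ssh/authorized_keys" || rc=1
    fi
    return $rc
}
```

Every line it prints names the path, the value found, and the chmod from the guide that fixes it, so a non-zero exit maps directly onto one of the common errors listed further down.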
Now we should be ready to connect to the Synology NAS with SSH key authentication. On your PC or Mac, go to the folder holding your private key and test the connection with the following command from a terminal
ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort} -o "IdentitiesOnly=yes" -i {privateKey}
Hopefully you are now automatically logged in to the Synology NAS over SSH, as the key exchange and authentication happen in the background.
Now if you want to simplify your login so you can do, for example,
ssh synologyNas
then check out the following link for setting up an SSH config file with an alias (synologyNas) carrying preconfigured parameters for ip/host, port, private key, user, etc.
https://mediatemple.net/community/products/grid/204644730/using-an-ssh-config-file
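As an added illustration that is not part of the post or the linked article, the client-side ~/.ssh/config entry that makes the alias work; the placeholders are the same ones used in the ssh command above, and the IdentityFile location is an assumption.

```text
# ~/.ssh/config on the client (added example; placeholders as used in this guide)
Host synologyNas
    HostName {nas-ip-or-host}
    Port {specifiedCustomPort}
    User {admin-user}
    IdentityFile ~/.ssh/privateKeys/{privateKey}
    # same effect as -o "IdentitiesOnly=yes": offer only this key to the NAS
    IdentitiesOnly yes
```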
If it didn't work, here is a way to debug: run a second sshd in debug mode on a separate port on the NAS, then connect to that port from your client and read the debug output
sudo /bin/sshd -p {debugPort} -d
ssh {admin-user}@{nas-ip-or-host} -p {debugPort} -o "IdentitiesOnly=yes" -i {privateKey}
Common errors
Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}
debug1: restore_uid: 0/0
Resolution - Go back to step 6 and ensure you set the correct permissions on the user's home directory
Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}/.ssh
debug1: restore_uid: 0/0
Resolution - Go back to step 6 and ensure you set the correct permissions on the .ssh directory
Error
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': Permission denied
debug1: restore_uid: 0/0
Resolution - Go back to step 6 and ensure you set the correct permissions on the authorized_keys file in the .ssh directory
Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Resolution - Go back to step 5 and ensure you create the .ssh directory and authorized_keys in the correct context, i.e. as user {admin-user}
This error can typically happen if you ended up making the .ssh folder under root, as below:
command as root - ash# pwd
result - /root/.ssh
what it should be
command as {admin-user} - {admin-user}# pwd
result - /volume1/homes/{admin-user}/.ssh
To reload the SSH daemon on the NAS:
sudo synoservicectl --reload sshd
Permissions 0777 for '/Users/username/.ssh/privateKeys/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
To correct the permissions on the client so the key is accepted, run the following
sudo chmod -R 755 ~/.ssh
sudo chmod -R 600 ~/.ssh/privateKeys/*