Synology SSH key authentication

There is a lot of posts throughout the web on configuring SSH key authentication on Synology NAS many with some confusing and unnecessary steps such as

• modifying the RSAAuthentication and PubkeyAuthentication parameters in /etc/ssh/sshd_config
• restarting the sshd service multiple times with sudo synoservicectl --reload sshd
• changing permissions on various folders with chmod both root folders and user folders
• unclear creation of ~/.ssh folder ending up under root

After reading several and many great blog posts and guides on this I've tried to summarise what is actually required to make SSH key authentication work with Synology NAS assuming you are coming from a clean setup without to much changes. Hopefully this summary will help you so you dont need to search google and go through the same x number of guides.

Now through this whole guide you will be in the context of a specific user who is included in the Administrator group.

You will not be sudo su to root user although sudo will be used to perform some actions.

• The reason why you need to have a user specified in the administrator group is because it is only administrators who are allowed to login through SSH by default ref below

So lets get started with the basic steps

1. Prerequisite - Enable SSH on your Synology NAS

As shown in the picture above to enable SSH for your Synology NAS go to Control Panel -> Terminal & SNMP -> Terminal Tab -> Check Enable SSH Service and enter a port.

• It is highly recommended to use a custom port and not standard 22 as you then will get a lot of brute force attempts from robots and attackers scanning public IPs against port 22, this is if you are exposing your Synology NAS to the internet.

2. Prerequisite - Creation of SSH key pair

To use SSH key authentication we will need to generate a SSH key pair (one privateKey, one publicKey). The publicKey will be shared with and stored in the Synology NAS SSH "authorized keys" while the privateKey will be used to prove our identity as it will correspond to the publicKey.

• Windows

  • If you are on Windows I recommend downloading puttygen to generate the keys, its very quick and user friendly, see the link below for a guide on creation of RSA key.
    • https://www.ssh.com/ssh/putty/windows/puttygen

• Mac

  • Open a terminal, navigate to a folder and run below to generate a public and private key
  • ssh-keygen -t rsa -b 4096 -C "user@domain.com"
    • Go here if you want to read up some more: https://www.ssh.com/ssh/keygen/

3. Prerequisite - Copy the publicKey

Open the created keyname.pub and copy the content to a text editor or similar. The public key should start on ssh-rsa and a lot of look like below, beware there is no new line here, it is all in one line (this is also important for later).

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com

4. SSH into your NAS

Now that we have a key pair, we have enabled SSH on the Synology NAS lets log in to configure the SSH authorized_keys (= our generated public key)

Open a terminal and ssh into the server as below

ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort}

Now run pwd command to verify your are in the {admin-user} user directory

command = pwd
result = /volume1/homes/{admin-user}

5. Creation of .ssh directory and authorized_keys file

Now in the {admin-user} directory create a directory named *.ssh *

command = mkdir .ssh

Now navigate to the .ssh folder

command = cd .ssh 

or

command = cd ~/.ssh (alias path for same folder)

Now in the folder (run below to verify you are in the right location) lets create a authorized_keys file.

command = pwd
result = /volume1/homes/{admin-user}/.ssh

To create file

command = vi authorized_keys

This will take you into the vi program interface for adding content

• Press i - this will allow you to insert text
• Paste the public key from step 3
  • Ensure you paste the public key on one line only, no new line and remember the spaces
• Press esc - to enter vi program interface
• Press semicolon (:)
• write wq! and press enter to save the file

Now lets verify the file is created

command = ls
result = authorized_keys

Now lets verify the publickey in the file

command = more authorized_keys
result = ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com

6. Often confused step - setting correct permissions

Now often at this point this is where a lot of confusion occurs when trying to do SSH authentication with Synology NAS. A lot of this confusion occurs because the {admin-user} home directory by default allows any access which the sshd SSH daemon considers insecure and then prevents SSH key authentication from occurring.

Default permissions of users home folders - 777 / rwxrwxrwx

• Users home folder = /volume1/homes/{username}
• In this case home folder = /volume1/homes/{admin-user}

What we need to do which lvx so nicely explain in the Synology forum (see link here) is to change the permissions to below

This can be done by running

sudo chmod 755 /volume1/homes/{admin-user}

There are some comments that changing the user home permissions might not be the best solution to resolve this due to security or the fact that a Synology update might change this later.

• The first case on security should not be a worry in itself as we are actually reducing security permissions by changing from 777 to 755 permissions

• The second case of Synology updates is something to be aware of and that you might need to set this permission again in future after an update if that update resets the permissions to 777

  • Based on the fact that there is a risk of permissions being reset outside of our control I would discourage the removal of username/pw authentication possibility in sshd_config (/etc/ssh/sshd_config) which some has suggested to do when correctly having SSH key authentication working

Now if you want to be 100% sure you have the correct permissions for the user home and the .ssh directory and authorized_keys you can either

• Run these below chmod commands to set the correct permissions

sudo chmod 755 /volume1/homes/{admin-user}
sudo chmod 755 /volume1/homes/{admin-user}/.ssh
sudo chmod 644 /volume1/homes/{admin-user}/.ssh/authorized_keys

OR (if you want to use the alias, remember to be in the {admin-user} context

sudo chmod 755 .
sudo chmod 755 ~/.ssh
sudo chmod 644 ~/.ssh/authorized_keys

• Or check the permissions of each of the below folders and files one by one
  • Chmod calculator - https://chmod-calculator.com/

Folders and files to check | permission to ensure

/volume1/homes/{admin-user} | 755
/volume1/homes/{admin-user}/.ssh | 755
/volume1/homes/{admin-user}/.ssh/authorized_keys | 644

To check navigate to /volume1/homes/{admin-user}/.ssh and run ls -al

cd /volume1/homes/{admin-user}/.ssh
ls -al

drwxr-xr-x  2 {admin-user} users 4096 Oct  3 15:58 .
drwxr-xr-x 16 {admin-user} users 4096 Oct  3 16:08 ..
-rw-r--r--  1 {admin-user} users  747 Oct  3 16:11 authorized_keys

. represents /volume1/homes/{admin-user}/.ssh folder
.. represents /volume1/homes/{admin-user} folder
authorized_keys represents /volume1/homes/{admin-user}/.ssh/authorized_keys file

7. Ready to test

Now we should be ready to go to connect to the Synology NAS with SSH key authentication. On your PC/Mac whatever go to the folder holding your private key, to test the connection perform the following command from terminal

ssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort} -o "IdentitiesOnly=yes" -i {privateKey}

Now hopefully you are automatically logged in to the Synology NAS over SSH as the key pair exchange and authentication happens in the backend.

Now if you want to simply your login so you can do as below for example

ssh synologyNas

Then checkout the following link for setting up a SSH config file with and alias (synologyNas) with preconfigured parameters for ip/host, port, privatekey, user, etc

https://mediatemple.net/community/products/grid/204644730/using-an-ssh-config-file

If it didn't work here is a way to debug

1. Log back into the Synology NAS using username/pw as {admin-user} through terminal and run command below, this will start a debug ssh server where you can see the interaction between Synology NAS and your PC/Mac

sudo /bin/sshd -p {debugPort} -d

2. Now from your PC/Mac open another terminal and perform the same key authentication command as before against the debug ssh server

ssh {admin-user}@{nas-ip-or-host} -p {debugPort} -o "IdentitiesOnly=yes" -i {privateKey}

3. Now in the session from step 1 you should be able to see the debug console any any issues such as permission issues etc.

Common errors

• Wrong permissions on user home folder

Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}
debug1: restore_uid: 0/0

Resolution - Go back to step 6 and ensure you set the correct permissions on the users home directory

• Wrong permissions on .ssh folder

Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}/.ssh
debug1: restore_uid: 0/0

Resolution - Go back to step 6 and ensure you set the correct permissions on the .ssh directory

• Wrong permissions on authorized_keys file

Error
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': Permission denied
debug1: restore_uid: 0/0

Resolution - Go back to step 6 and ensure you set the correct permissions on the authorized_keys file in the .ssh directory

• Wrongly created .ssh folder (usually under wrong user context like e.g. root and not user)

Error
debug1: temporarily_use_uid: 1026/100 (e=0/0)
debug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys
debug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0

Resolution - Go back to step 5 and ensure you create the .ssh directory and authorized_keys under the correct context/user {admin-user}

This error can typically happen if you needed up making .ssh folder under root as below:

command as root - ash# pwd
result - /root/.ssh

what it should be

command as {admin-user} - {admin-user}# pwd
result - /volume1/homes/{admin-user}/.ssh

A few extra nice to know

1. If you think/feel that the SSH daemon on the Synology NAS is not taking into effect your changes you can try to restart the daemon by running below command (requires admin access)

sudo synoservicectl --reload sshd

2. On Mac to set correct permissions on .ssh folder and privateKeys used for SSH key authentication if you get error as below

Permissions 0777 for '/Users/username/.ssh/privateKeys/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

To correct the permissions to be valid run below

sudo chmod -R 755 ~/.ssh
sudo chmod -R 600 ~/.ssh/privateKeys/*