@ZachTRice
Last active July 31, 2023 11:50
Install SSH Keys on Synology DSM 6
Full Instructions here: https://forum.synology.com/enu/viewtopic.php?t=126166
System: Synology DS1815+ running DSM 6
Log into Synology web UI as an administrator user
Enable “User Home”
Control Panel / User / Advanced, scroll down to “User Home”
Check “Enable user home service”, select an appropriate Location (i.e. volume1)
Click “Apply”
Create user account(s) that should access Synology via SSH (or via rsync over SSH), using the Synology web UI as normal.
Enable SSH for the Synology server
Control Panel / Terminal & SNMP
Check “Enable SSH Service”
Click “Apply”
Log into Synology as admin user via SSH
Launch SSH application (putty, or other)
Specify IP address (or host name) of Synology
Provide admin username and password
Fix the permissions on all home directories
cd /volume1/homes
to change to the directory containing home directories
“volume1” was selected when you enabled “User Home” above
ls -al
to show all home directories
The important thing is that home directories for SSH users MUST be writable ONLY by the user. The web UI creates these wrong. For each home directory, change permissions:
sudo chmod 755 /volume1/homes/someuser
Changes permission to full (read/write/execute) for the user, but to read/execute only for the group and for everyone else
For each user that you want to grant SSH access to, edit their passwd entry to give them sh access
NOTE that the changes here may be reverted upon reboot of the Synology. See https://andidittrich.de/2016/03/howto-r ... users.html
sudo vi /etc/passwd
move down to the user you want to modify, move to the end of the line
press “I” to go into insert mode
backspace over “/sbin/nologin” and replace with “/bin/sh”
when done editing, press “ESC”, then “:wq” (write file, quit)
if you make a mistake and want to quit without saving, press “ESC”, then “:q!” (quit, without saving changes)
For each user that you want to grant SSH access to, generate SSH keys
You could do this while logged in as admin, but you would need to manually mess with changing ownership and permissions of files you create here. It is better / easier to log in as each individual user to perform the following.
Re-launch your SSH application (putty, or other) to open a new session with the Synology
Log in as the user you want to set up
Create folder for SSH keys for the user and set permissions
mkdir ~/.ssh
creates a hidden .ssh directory to hold the keys
chmod 0700 ~/.ssh
sets proper permissions for the folder (full rights to user, no rights to anyone else)
touch ~/.ssh/authorized_keys
Creates a new empty file named authorized_keys. This will hold the public keys of remote users that are allowed to log in here as this Synology user.
chmod 0644 ~/.ssh/authorized_keys
Set permissions of the new authorized keys file. (read/write to current user, read-only to everyone else)
ssh-keygen
Generate public and private keys
Press “enter” to accept default file location (should be user’s .ssh folder)
Press “enter” twice to indicate NOT to create passphrase. (The passphrase would prevent the login from working when used by rsync.)
Will add files id_rsa (private key) and id_rsa.pub (public key)
These should automatically be created with the correct permission (read/write by user only, i.e. chmod 600). You shouldn’t need to make any changes.
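The modes set in the steps above matter because sshd, with its default StrictModes setting, ignores keys when the home directory, ~/.ssh or authorized_keys is writable by group or others. The following audit is an added example, not part of the original gist; the function names are made up here, and the sample path is the page's /volume1/homes/someuser.

```sh
#!/bin/sh
# Added example (not from the original gist): audit the paths that sshd's
# StrictModes check looks at, plus the private keys made by ssh-keygen.
# Function names are hypothetical.

# Succeeds if group or others can write to $1.
# Reads the mode string from `ls -ld`, e.g. drwxr-xr-x.
loose_write() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per problem under home directory $1;
# return 0 only when nothing was reported.
audit_ssh_home() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=1
        elif loose_write "$p"; then
            echo "GROUP-OR-WORLD-WRITABLE $p"; bad=1
        fi
    done
    # Private keys must not be accessible to group or others at all.
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac
        mode=$(ls -ld "$k" | cut -c1-10)
        case "$mode" in
            ????------) ;;
            *) echo "PRIVATE-KEY-EXPOSED $k"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage on the NAS (path is the page's example user):
#   audit_ssh_home /volume1/homes/someuser
```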
Configure the Synology’s SSH service to allow login by key
Go to an SSH session (Either an administrator or an SSH user. You may still have one open.)
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
makes a backup copy of the config file, just in case something goes wrong
sudo vi /etc/ssh/sshd_config
Uncomment the line that says: #PubkeyAuthentication yes
Uncomment the line that says: #AuthorizedKeysFile .ssh/authorized_keys
Make sure the line that says ChallengeResponseAuthentication no is uncommented
Optionally, if you want to disable password-based logins, add a line: PasswordAuthentication no
Save the file and exit the editor
Restart the Synology’s SSH service
sudo synoservicectl --restart sshd
Or use web admin: Control Panel / Terminal & SNMP; uncheck “Enable SSH service”; apply; check “Enable SSH service”; apply
If there is an error in the config file, the service may not restart. If this is the case:
Enable telnet (Control Panel / Terminal & SNMP / Terminal)
Log in to the Synology as an admin user via a Telnet application (telnet, putty, or other)
Copy the config backup file you made above, and restart the sshd service again.
sudo cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
sudo synoservicectl --restart sshd
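A misspelled keyword or a line left commented is the kind of mistake that leads to the recovery path above, so it is worth checking the file before restarting. The following read-only check is an added example, not part of the original gist; the function names are hypothetical and it assumes each keyword is separated from its value by whitespace.

```sh
#!/bin/sh
# Added example (not from the original gist). sshd matches keyword names
# case-insensitively and keeps the first value it reads for each keyword.

# Print the effective value of keyword $2 in config file $1.
# Only the global section is read: parsing stops at the first Match block.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # ignore per-user overrides
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Check the three settings this guide asks for.
# Prints one line per mismatch and returns non-zero if there was any.
check_pubkey_config() {
    cfg=$1
    rc=0
    [ "$(sshd_value "$cfg" PubkeyAuthentication)" = yes ] ||
        { echo "PubkeyAuthentication is not set to yes"; rc=1; }
    [ "$(sshd_value "$cfg" AuthorizedKeysFile)" = .ssh/authorized_keys ] ||
        { echo "AuthorizedKeysFile is not .ssh/authorized_keys"; rc=1; }
    [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" = no ] ||
        { echo "ChallengeResponseAuthentication is not set to no"; rc=1; }
    return $rc
}

# Usage on the NAS, before restarting the service:
#   check_pubkey_config /etc/ssh/sshd_config
#   sudo sshd -t -f /etc/ssh/sshd_config   # sshd's own syntax test; restarts nothing
```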
Create SSH keys for the remote user that will be logging into the Synology (i.e. the FreeNAS user)
On the remote / client system that will be logging into the Synology, log in as the user that will need to log into the Synology.
ssh-keygen
Generate keys as you did on the Synology in #8 above
The other steps (creating an .ssh folder, setting permissions, etc.) are already done by FreeNAS. When done though, the permissions on the remote folders and files should match what you did on the Synology.
The authorized_keys file is not needed at this time (it is only needed on the server-side of the SSH login), but it doesn’t hurt to create the file for future use.
Copy the remote/client’s public key to the Synology. This can be done in a number of different ways, but the main thing you need to do is to get the contents of the remote user’s id_rsa.pub file into the Synology user’s authorized_keys file. The entire contents must be on a single line of the authorized_keys file. One way to do this:
ssh-copy-id -i ~/.ssh/id_rsa.pub synologyIP
Replace “synologyIP” with the actual IP address of your Synology
You will be prompted for the Synology username and password that you want the current local user to log into the Synology as.
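If the key is pasted by hand instead, a wrapped line is the usual reason the login still asks for a password. The following check of the single-line requirement is an added example, not part of the original gist; the function name is hypothetical and it recognises only the RSA, DSA, ECDSA and Ed25519 key types.

```sh
#!/bin/sh
# Added example (not from the original gist): flag authorized_keys lines
# that are not a complete one-line public key. When a key was wrapped on
# paste, the continuation line is the one that gets reported.

# Print "line N: ..." for every bad line of file $1;
# return 0 only if every key line is well formed.
check_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            ok = 0
            # Options such as command="..." may come first, so look for
            # the key type in any field and the base64 blob right after it.
            # Every public key blob starts with "AAAA" in base64.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^AAAA[A-Za-z0-9+\/]+=*$/) { ok = 1; break }
            if (!ok) {
                printf "line %d: no key type followed by a base64 blob\n", NR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Usage on the Synology, as the user whose file is being checked:
#   check_authorized_keys ~/.ssh/authorized_keys
```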
From the remote/client SSH session, try logging into the Synology using the new key:
ssh synologyUser@synologyIP
Replace synologyUser with the actual Synology user you want to log in as, and replace synologyIP with the actual Synology IP address.
You should NOT be prompted for a password.
If the Synology username is the same as the remote/client username, synologyUser@ is optional.