DSM 7.1 SSH access passwordless with rsa keys

Hi there!

Basically I followed those official instructions How do I sign in to DSM with RSA key pairs via SSH? to set up my DS920+ to work with passwordless SSH access.

The keys are generated with the Windows 10 command ssh-keygen and copied to the .ssh directory of my admin user.
However, when trying to log in using the Windows command line ssh [email protected] -p 2222, I'm still asked for the admin's password.

I previously did that kind of login, created the keys with PuTTY and all runs well, with a DS916+.
I've migrated to a DS920+ and deactivated the default admin account and wanted to start over with a new custom admin, again using passwordless SSH access.

Previously I had to modify the file /etc/ssh/sshd_config; however, the above linked instructions do not advise the same. So is editing the SSH daemon's config still necessary?

Before doing so, I would like to ask for your opinion...
 
Ok, solved myself ;-)

I'm using KeePass for storing the private ssh key with the add-on KeeAgent. This add-on is responsible for passing the stored private key to any ssh request that is trying to authenticate via ssh keys. (Keyword here is Pageant)

I simply had to restart KeePass after adding my private key - that's it :)
 
KeeAgent is actually the only reason why I still use KeePass (next to Bitwarden/Vaultwarden). After creating the entry, you can simply load/unload it from the entry's context menu.

As Pageant is used, and agent forwarding is enabled by default for the Syno-SSH connection, it applies to ssh connections you establish from the NAS to any other ssh host as well. I use it frequently to push content to my GitHub repos.

Note: key-based auth will only try up to 5 keys and fail if no presented key matches any fingerprint in the user's authorized_keys file.

Previously I had to modify the file /etc/ssh/sshd_config; however, the above linked instructions do not advise the same. So is editing the SSH daemon's config still necessary?
It was never necessary for key-based auth. All lines that start with # show the commented-out default value. Removing the # does not change the configuration, unless you actually change its value. It makes it unnecessarily harder to track custom configurations you might have done yourself.
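An added example (not code from the thread) for the note above about how many keys are tried: it computes the SHA256 fingerprints of the entries in an authorized_keys file and reports the position of the first matching key in an agent listing given in `ssh-add -l` format. The limit of 5 is the figure from the post; the function names, the constructed sample keys and the assumption that the client offers agent keys in listing order are illustrative.

```python
import base64
import hashlib

def fingerprint(blob):
    """SHA256 fingerprint of a raw public key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(text):
    """Fingerprints of all well-formed keys in authorized_keys content."""
    found = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so scan for "<type> <base64 blob>"
        # and accept the pair only if the blob itself names the same type.
        for name, b64 in zip(fields, fields[1:]):
            try:
                blob = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            n = int.from_bytes(blob[:4], "big")
            if blob[4:4 + n] == name.encode():
                found.add(fingerprint(blob))
                break
    return found

def first_match(listing, authorized_text, max_tries=5):
    """(1-based position of first accepted agent key, reached within max_tries)."""
    allowed = authorized_fingerprints(authorized_text)
    rows = map(str.split, listing.splitlines())
    offered = [f[1] for f in rows if len(f) > 1 and f[1].startswith("SHA256:")]
    for pos, fp in enumerate(offered, 1):
        if fp in allowed:
            return pos, pos <= max_tries
    return None, False

def sample_key(seed):
    """Constructed ed25519-shaped blob (not a real key): (base64, fingerprint)."""
    t = b"ssh-ed25519"
    blob = len(t).to_bytes(4, "big") + t + (32).to_bytes(4, "big") + bytes([seed]) * 32
    return base64.b64encode(blob).decode(), fingerprint(blob)

if __name__ == "__main__":
    keys = [sample_key(i) for i in range(1, 7)]  # six constructed agent keys
    listing = "\n".join(f"256 {fp} key{i} (ED25519)" for i, (_, fp) in enumerate(keys, 1))
    auth = "# constructed sample\nno-pty ssh-ed25519 " + keys[5][0] + " nas\n"
    print(first_match(listing, auth))  # only the sixth agent key is authorized
```

A result whose second value is False means the matching key exists but sits behind more keys than the limit allows, so unloading unused keys from the agent is the fix rather than editing the server.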
 
The only part I couldn't finish according to the above Synology link is enabling ssh-key access for user root, too.
OK, for security reasons not very reasonable; however, I do not expose my NAS to the internet, so I would give it a go. To no avail so far.
 
I never tried to enable key-based auth for root. Root login indeed might require modification of /etc/ssh/sshd_config and even adding the administrators group as a secondary group to the root user. Both things I would not really do.

If it's about becoming root in WinSCP or VScode: it can be done by configuring the connection parameters.
 
I create a connection using the SCP protocol for the user with key-based auth.

The relevant settings in the advanced configuration are:
  • Environment -> SCP/Shell -> Shell: sudo su - (last entry in the combobox)
  • SSH -> Authentication -> "Attempt authentication using Pageant"


On DSM6 I could additionally do the same with the SFTP protocol using sudo su -c /usr/local/bin/sftp-server. I couldn't find a way to make it work with SFTP on DSM7. Though the SCP approach works for both versions.

Can you expand on what you mean by the new Windows Terminal?
If it's about a terminal ssh connection, just connect with your user and then become root using sudo -i.
 
