DSM 7.1 SSH access passwordless with rsa keys

[Micky]

Hi there!

Basically I followed those official instructions How do I sign in to DSM with RSA key pairs via SSH? to set up my DS920+ to work with passwordless SSH access.

The keys are generated with the Windows 10 command ssh-keygen and copied to the .ssh directory of my admin user.
However when trying to login, using the Windows command line ssh [email protected] -p 2222, I'm still asked for the admin's password.

I previously did that kind of login, created the keys with putty and al runs well, with a DS916+
I've migrated to a DS920+ and deactivated the default admin account and wanted to start over with a new custom admin using again passwordless SSH access.

Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advice the same. So is editing the SSH daemon's config still necessary?

Before doing so, I would like to ask for you opinion...

 

[Micky]

Ok, solved myself ;-)

I'm using Keepass for storing the private ssh key with add-on KeeAgent. This add-on is responsible for passing the stored private key to any ssh request, that is trying to authenticate via ssh keys. (Keyword here is Pageant)

I simply had to restart Keepass after adding my private key - that's it

 

[one-eyed-king]

KeeAgent is actually the only reason, why I still use KeePass (next to bitwarden/vaultarden). After creating the entry, you can simply load/unload it from the entrie's context menu.

As pagent is used, and agent forwarding is enabled by default for the Syno-SSH connection, it applies to ssh connections you establish from the nas to any other ssh host as well. I use it frequently to push content to my github repos.

Note: key-based auth will only try up to 5 keys and fail if no presented key matches any fingerprint in the users authorized_keys file.

-- post merged: 10. Dec 2022 --

Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advice the same. So is editing the SSH daemon's config still necessary?

It was never necessary for key-based auth. All lines that start with # show the commented out default value. Removing the # does not change the configuration, unless you actually change its value. It makes it unnecessary harder to track custom configurations you might have done yourself.

 

[Micky]

The only part I couldn't finish according the above Synology link, is, enable ssh-key access for user root, too.
OK, for security reasons not very reasonable, however, I do not expose my NAS to internet so I would give it a go. To no avail so far.

 

[one-eyed-king]

I never tried to enable key-based auth for root. Root login indeed might require modification of /etc/ssh/sshd_config and even adding the adminstrators group as secondary group to the root user. Both things, I would not really do.

If it's about becoming root in WinSCP or VScode: it can be done by configuring the connection parameters.

 

[Micky]

OK, mind sharing how to do this using WinSCP.
Perhaps I could do it with new Windows Terminal, too.

 

[one-eyed-king]

I create a connection using the SCP protocol for the user with key-based auth.

The relevant settings in the advanced configuration are:

• Environment-> SCP/Shell -> Shell: sudo su - (last entry in the combobox)
• SSH -> Authentication -> "Attempt authentification using Pagent"

On DSM6 I could do the same additionaly with the SFTP protocol using sudo su -c /usr/local/bin/sftp-server. I couldn't find a way to make it work with SFTP on DSM7. Though the SCP approach works for both versions.

Can you extend on what you mean with new WIndows Terminal?
If it's about a terminal ssh connection, just connect with your user and then become root using sudo -i.

 

[Micky]

If it's about a terminal ssh connection, just connect with your user and then become root using sudo -i.

That's the way I currently use. However without using a ssh key but typing in a password.