DSM 7.1 SSH access passwordless with rsa keys

Currently reading
DSM 7.1 SSH access passwordless with rsa keys

DS920+, DS918+, DS214+, DS211j
Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
  2. iOS
Hi there!

Basically I followed those official instructions How do I sign in to DSM with RSA key pairs via SSH? to set up my DS920+ to work with passwordless SSH access.

The keys are generated with the Windows 10 command ssh-keygen and copied to the .ssh directory of my admin user.
However when trying to login, using the Windows command line ssh [email protected] -p 2222, I'm still asked for the admin's password.

I previously did that kind of login, created the keys with putty and al runs well, with a DS916+
I've migrated to a DS920+ and deactivated the default admin account and wanted to start over with a new custom admin using again passwordless SSH access.

Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advice the same. So is editing the SSH daemon's config still necessary?

Before doing so, I would like to ask for you opinion...
Last edited:
Ok, solved myself ;-)

I'm using Keepass for storing the private ssh key with add-on KeeAgent. This add-on is responsible for passing the stored private key to any ssh request, that is trying to authenticate via ssh keys. (Keyword here is Pageant)

I simply had to restart Keepass after adding my private key - that's it :)
Last edited:
KeeAgent is actually the only reason, why I still use KeePass (next to bitwarden/vaultarden). After creating the entry, you can simply load/unload it from the entrie's context menu.

As pagent is used, and agent forwarding is enabled by default for the Syno-SSH connection, it applies to ssh connections you establish from the nas to any other ssh host as well. I use it frequently to push content to my github repos.

Note: key-based auth will only try up to 5 keys and fail if no presented key matches any fingerprint in the users authorized_keys file.
-- post merged: --

Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advice the same. So is editing the SSH daemon's config still necessary?
It was never necessary for key-based auth. All lines that start with # show the commented out default value. Removing the # does not change the configuration, unless you actually change its value. It makes it unnecessary harder to track custom configurations you might have done yourself.
The only part I couldn't finish according the above Synology link, is, enable ssh-key access for user root, too.
OK, for security reasons not very reasonable, however, I do not expose my NAS to internet so I would give it a go. To no avail so far.
I never tried to enable key-based auth for root. Root login indeed might require modification of /etc/ssh/sshd_config and even adding the adminstrators group as secondary group to the root user. Both things, I would not really do.

If it's about becoming root in WinSCP or VScode: it can be done by configuring the connection parameters.
Last edited:
I create a connection using the SCP protocol for the user with key-based auth.

The relevant settings in the advanced configuration are:
  • Environment-> SCP/Shell -> Shell: sudo su - (last entry in the combobox)
  • SSH -> Authentication -> "Attempt authentification using Pagent"

On DSM6 I could do the same additionaly with the SFTP protocol using sudo su -c /usr/local/bin/sftp-server. I couldn't find a way to make it work with SFTP on DSM7. Though the SCP approach works for both versions.

Can you extend on what you mean with new WIndows Terminal?
If it's about a terminal ssh connection, just connect with your user and then become root using sudo -i.

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Old thread notice: There have been no replies in this thread for quite some time. The last reply was on .
The content in this thread may no longer be relevant. It might be better to open a new thread instead.

Similar threads

  • Question
Tailscale may be a better option than Synology VPN.
Right understood. The PHP file will be executed by the web host itself so by the http user I guess.
  • Question
As it seems this is an ongoing question, I'll add what worked for me. fwiw, I agree with @one-eyed-king...
A few days ago overnight I lost wireless access from my two laptops to my Synology. My Synology DS411 is...
  • Question
Aah, that's it. Thank you so much. I had been looking at the three dots at the top right nit the correct...
Hi, you need to use a SRV record in the dns zone for your domain name, with this you can add ports to A...

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!