DSM 7.1 SSH access passwordless with rsa keys

Hi there!

Basically I followed those official instructions, "How do I sign in to DSM with RSA key pairs via SSH?", to set up my DS920+ to work with passwordless SSH access.

The keys are generated with the Windows 10 command ssh-keygen and copied to the .ssh directory of my admin user.
However, when trying to log in using the Windows command line ssh [email protected] -p 2222, I'm still asked for the admin's password.

I previously did that kind of login, created the keys with PuTTY and all runs well, with a DS916+.
I've migrated to a DS920+ and deactivated the default admin account and wanted to start over with a new custom admin using again passwordless SSH access.

Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advise the same. So is editing the SSH daemon's config still necessary?

Before doing so, I would like to ask for your opinion...
 
Ok, solved myself ;-)

I'm using KeePass for storing the private ssh key with the add-on KeeAgent. This add-on is responsible for passing the stored private key to any ssh request that is trying to authenticate via ssh keys. (Keyword here is Pageant)

I simply had to restart KeePass after adding my private key - that's it :)
 
KeeAgent is actually the only reason why I still use KeePass (next to Bitwarden/Vaultwarden). After creating the entry, you can simply load/unload it from the entry's context menu.

As Pageant is used, and agent forwarding is enabled by default for the Syno-SSH connection, it applies to ssh connections you establish from the NAS to any other ssh host as well. I use it frequently to push content to my GitHub repos.

Note: key-based auth will only try up to 5 keys and fail if no presented key matches any fingerprint in the user's authorized_keys file.
Previously I had to modify the file /etc/ssh/sshd_config, however, above linked instructions do not advise the same. So is editing the SSH daemon's config still necessary?
It was never necessary for key-based auth. All lines that start with # show the commented-out default value. Removing the # does not change the configuration, unless you actually change its value. It makes it unnecessarily harder to track custom configurations you might have done yourself.
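
An added diagnostic for the key-limit note in the post above (not part of the thread and not Synology's tooling): it reports where the first authorized key sits in the agent's offer order and whether that falls within the limit. Function names, file names and fingerprints are constructed for illustration; the default limit of 5 is the figure given in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are saved outputs of
#   ssh-add -l                            -> keys the agent offers, in order
#   ssh-keygen -lf ~/.ssh/authorized_keys -> fingerprints the server accepts
# Both print one key per line as: <bits> <fingerprint> <comment> (<type>)

# Print the 1-based position of the first offered key that is authorized, 0 if none.
key_offer_position() {  # args: AGENT_LIST AUTHORIZED_LIST
    awk '
        $2 !~ /^(SHA256|MD5):/ { next }     # skip "The agent has no identities." etc.
        src == "auth"          { ok[$2] = 1; next }
        { n++; if ($2 in ok) { print n; found = 1; exit } }
        END { if (!found) print 0 }
    ' src=auth "$2" src=agent "$1"
}

# Classify the outcome against a per-connection key limit.
check_key_auth() {  # args: AGENT_LIST AUTHORIZED_LIST [LIMIT]
    limit=${3:-5}   # assumption: 5 is the figure quoted in the post; pass your own if it differs
    pos=$(key_offer_position "$1" "$2")
    if [ "$pos" -eq 0 ]; then echo "no-match"; return 1; fi
    if [ "$pos" -gt "$limit" ]; then echo "too-late:$pos"; return 2; fi
    echo "ok:$pos"
}

# Constructed sample data: seven agent keys, the authorized one is offered sixth.
make_sample() {  # arg: DIR
    i=1
    : > "$1/agent.txt"
    while [ "$i" -le 7 ]; do
        echo "256 SHA256:constructed-fp-$i key$i (ED25519)" >> "$1/agent.txt"
        i=$((i + 1))
    done
    echo "256 SHA256:constructed-fp-6 admin@pc (ED25519)" > "$1/auth.txt"
    echo "256 SHA256:constructed-fp-6 key6 (ED25519)" > "$1/agent_small.txt"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_key_auth "$demo_dir/agent.txt" "$demo_dir/auth.txt" || true   # too-late:6
check_key_auth "$demo_dir/agent_small.txt" "$demo_dir/auth.txt"     # ok:1
rm -rf "$demo_dir"
```

A "too-late" result means the matching key exists but is offered after the limit is reached; unloading unused keys from the agent moves it forward.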
 
The only part I couldn't finish according to the above Synology link is enabling ssh-key access for user root, too.
OK, for security reasons not very reasonable, however, I do not expose my NAS to the internet so I would give it a go. To no avail so far.
 
I never tried to enable key-based auth for root. Root login indeed might require modification of /etc/ssh/sshd_config and even adding the administrators group as secondary group to the root user. Both things I would not really do.

If it's about becoming root in WinSCP or VS Code: it can be done by configuring the connection parameters.
 
OK, mind sharing how to do this using WinSCP?
Perhaps I could do it with the new Windows Terminal, too.
 
I create a connection using the SCP protocol for the user with key-based auth.

The relevant settings in the advanced configuration are:
  • Environment -> SCP/Shell -> Shell: sudo su - (last entry in the combobox)
  • SSH -> Authentication -> "Attempt authentication using Pageant"


On DSM6 I could do the same additionally with the SFTP protocol using sudo su -c /usr/local/bin/sftp-server. I couldn't find a way to make it work with SFTP on DSM7. Though the SCP approach works for both versions.

Can you expand on what you mean with new Windows Terminal?
If it's about a terminal ssh connection, just connect with your user and then become root using sudo -i.
 
