===== SSH Access =====

==== Root user ====

Login as root. Default setting in /etc/sshd_config is PasswordAuthentication yes.

Attach a USB stick to the box which contains an authorized_keys file with the public keys of the machines you want to use for SSH access to the box.

  mkdir /root/.ssh
  chmod 700 /root/.ssh
  cp /volumeUSB1/authorized_keys /root/.ssh
  chmod 400 /root/.ssh/authorized_keys

==== Non-root user ====

Log into the web interface: Control Panel > Users > User Home > Enable user home services

This enables the path /var/services/homes and, below it, all users who are registered on the system.

Adding a user through the web interface does not set all necessary settings for SSH / shell access:

  - create directory /var/services/homes and /var/services/homes/ with proper privileges as root
  - copy .profile from /root to /var/services/homes/ and edit its contents
  - you might wish to change the default prompt to PS1="\u@\h:\w\$ " in .profile
  - if you installed sudo, also add SUDO_PS1 with the same prompt to .profile

Do the following as root:

  # set the setuid bit on busybox
  chmod 4755 /bin/busybox
  cd /var/services/homes/username
  mkdir .ssh
  chown username:users .ssh
  cp /root/.ssh/authorized_keys .ssh
  chown username:users .ssh/authorized_keys
  chmod 400 .ssh/authorized_keys
  cp /root/.profile /var/services/homes/username
  vi .profile      # change the line that reads "HOME=/root" to "HOME=/var/services/homes/username"
  chmod 600 .profile
  vi /etc/passwd   # make sure your home is /var/services/homes/username and change shell from /sbin/nologin to /bin/sh or /bin/ash

=== Hardening ===

  # vi /etc/ssh/sshd_config
  Port 50111
  LoginGraceTime 15
  PermitRootLogin without-password
  PasswordAuthentication no

=== Tunneling ===

If you want to establish tunnels to services on the NAS, you need to enable TCP forwarding:

  # vi /etc/ssh/sshd_config
  AllowTcpForwarding yes
  PermitTunnel yes

=== Check configuration ===

Check the configuration of sshd_config before reloading or restarting:

  # sshd -t
  # /etc/init.d/ssh reload

==== Update for DSM5 ====

Set the SSH Port in Control Panel / Terminal.

==== Troubleshooting ====

Make sure the NAS is configured correctly to access the internet, e.g. default gateway and DNS settings must be correct.

Enable telnet in web interface > Control Panel > Terminal

  telnet box         # as username
  ssh -v -v -v box   # as root

==== Articles ====

  * [[http://forum.synology.com/enu/viewtopic.php?f=90&t=49585|Pubkey SSH for non-root users]]
  * [[http://forum.synology.com/wiki/index.php/Enabling_the_Command_Line_Interface|Enabling the Command Line Interface]]
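
A check for the Hardening settings above, added here as an example and not part of the original page: sshd uses the first value it reads for each keyword, so a hardening line appended below a stock default has no effect even though ''sshd -t'' accepts the file. The function names and the sample config are constructed for illustration; the script assumes plain "Keyword value" lines and does not follow Include files.

```shell
#!/bin/sh
# Added example: audit sshd_config against this page's Hardening values.

# Print the effective global value of keyword $2 in file $1:
# first occurrence before any Match block, lower-cased; empty if unset.
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, "") }                              # strip comments
        tolower($1) == "match" { exit }                 # global section ends
        tolower($1) == key { print tolower($2); exit }  # first value wins
    ' "$1"
}

# Compare effective values with the ones from the Hardening section.
# Prints one line per keyword; returns non-zero if any value differs.
audit_sshd_config() {
    file=$1 rc=0
    for want in "Port=50111" "LoginGraceTime=15" \
                "PermitRootLogin=without-password" "PasswordAuthentication=no"; do
        key=${want%%=*} exp=${want#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" = "$exp" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: effective '${got:-<default>}', expected '$exp'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: "no" was appended below the stock "yes", so
# password logins are still enabled.
sample_config() {
    cat <<'EOF'
Port 50111
#PermitRootLogin yes
PasswordAuthentication yes
LoginGraceTime 15
PermitRootLogin without-password
passwordauthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

Run it against the edited file before ''/etc/init.d/ssh reload''; a FAIL line for PasswordAuthentication means an earlier line in the file still wins.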