===== SSH Access =====
==== Key based authentication ====
Since DSM 6.0, a user who logs in via SSH must be a member of the administrator group. Root login is no longer permitted, but after logging in you can elevate with sudo -i.
Because the homes directory is now controlled by ACL, you need to disable StrictModes; otherwise sshd will refuse to read the authorized_keys file. With StrictModes off, sshd no longer checks the ownership and permissions of the key files itself. Copy the public key of the client machine that should get access to the DS to ~/.ssh. Make sure the .ssh directory and its contents have the correct permissions set.
Then modify /etc/ssh/sshd_config as follows and reboot the DS:
LoginGraceTime 15
PermitRootLogin without-password
# set StrictModes to yes unless the homes directory is controlled by ACL
StrictModes no
PasswordAuthentication no
AllowTcpForwarding yes
PermitTunnel yes
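Because StrictModes is switched off above, the ownership and write-bit check that sshd would normally perform can be repeated by hand. The script below is an added example, not part of the original page; the function names are hypothetical, it assumes only classic mode bits matter (ACL entries are not evaluated), and it deliberately skips the ACL-controlled home directory itself.

```shell
#!/bin/sh
# Added example, not from the original page. With "StrictModes no" sshd no
# longer refuses key files with unsafe ownership or write bits, so this repeats
# that check by hand for ~/.ssh and ~/.ssh/authorized_keys.
# Assumption: only classic mode bits are inspected; ACL entries are not evaluated.

# check_path PATH UID: print a finding and return 1 if PATH is unsafe.
check_path() {
    cp_path=$1; cp_want=$2; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING   $cp_path"
        return 1
    fi
    # "ls -ldn" prints: mode, link count, numeric owner, numeric group, ...
    read -r cp_mode cp_links cp_owner cp_rest <<EOF
$(ls -ldn "$cp_path")
EOF
    # Same rule sshd applies in strict mode: owner must be the user or root.
    if [ "$cp_owner" != "$cp_want" ] && [ "$cp_owner" != 0 ]; then
        echo "OWNER     $cp_path is owned by uid $cp_owner"
        cp_rc=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    cp_gw=$(printf '%s' "$cp_mode" | cut -c6)
    cp_ow=$(printf '%s' "$cp_mode" | cut -c9)
    if [ "$cp_gw" = w ] || [ "$cp_ow" = w ]; then
        echo "WRITABLE  $cp_path has mode $cp_mode"
        cp_rc=1
    fi
    return $cp_rc
}

# audit_ssh_keys HOME USER_OR_UID: return 0 if clean, 1 if flagged, 2 if unknown user.
audit_ssh_keys() {
    case $2 in
        ''|*[!0-9]*) as_uid=$(id -u "$2" 2>/dev/null) || return 2 ;;
        *) as_uid=$2 ;;
    esac
    as_bad=0
    for as_f in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$as_f" "$as_uid" || as_bad=1
    done
    return $as_bad
}

# Usage: sh audit.sh /var/services/homes/username username
if [ "$#" -ge 2 ]; then audit_ssh_keys "$@"; fi
```

Run it as root after copying the key; any OWNER, WRITABLE or MISSING line is something sshd would have rejected with StrictModes enabled.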
==== TODO ====
Log into the web interface
Control Panel > Users > User Home > Enable user home services
This enables the path /var/services/homes and, below it, a directory for every user registered on the system.
Adding a user through the web interface does not set all necessary settings for SSH / shell access:
- create directory /var/services/homes and /var/services/homes/ with proper privileges as root
- copy .profile from /root to /var/services/homes/ and edit its contents
- you might wish to change the default prompt to PS1="\u@\h:\w\$ " in .profile
- if you installed sudo, also add SUDO_PS1 with the same prompt to .profile
Do the following as root:
chmod 4755 /bin/busybox
cd /var/services/homes/username
mkdir .ssh
chown username:users .ssh
cp /root/.ssh/authorized_keys .ssh
chown username:users .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
cp /root/.profile /var/services/homes/username
vi .profile
# change the line that reads HOME=/root to HOME=/var/services/homes/username
chmod 600 .profile
vi /etc/passwd
# make sure your home is /var/services/homes/username and change the shell from /sbin/nologin to /bin/sh or /bin/ash
=== Tunneling ===
If you want to establish tunnels to services on the NAS, you need to enable TCP forwarding:
# vi /etc/ssh/sshd_config
AllowTcpForwarding yes
PermitTunnel yes
=== Check configuration ===
Check sshd_config for errors before reloading or restarting sshd:
# sshd -t
# /etc/init.d/ssh reload
==== Shell prompt ====
Change the shell prompt for root:
$ vim ~/.profile
SUDO_PS1='\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
export SUDO_PS1
With this, the elevated prompt reads root@DiskStation: instead of user@DiskStation:
==== Update for DSM5 ====
Set the SSH Port in Control Panel / Terminal.
==== Troubleshooting ====
Make sure the NAS is configured correctly to access the internet, e.g. default gateway and DNS settings must be correct.
Enable telnet in the web interface under Control Panel > Terminal. Telnet is unencrypted, so disable it again once SSH works.
telnet box # as username
ssh -v -v -v box # as root
==== Articles ====
[[http://forum.synology.com/enu/viewtopic.php?f=90&t=49585|Pubkey SSH for non-root users]]
[[http://forum.synology.com/wiki/index.php/Enabling_the_Command_Line_Interface|Enabling the Command Line Interface]]