SSH Access

Key based authentication

Since DSM 6.0, a user who logs in via SSH must be a member of the administrator group. Root login is no longer permitted, but after logging in you can elevate with

sudo -i

As the homes directory is now controlled by ACL, you need to disable StrictModes; otherwise sshd will refuse to read the authorized_keys file. To grant a client machine access to the DS, copy its public key to ~/.ssh. Make sure the .ssh directory and its contents have the correct permissions set, because with StrictModes disabled sshd no longer checks them.

Then modify /etc/ssh/sshd_config as follows and reboot the DS:

LoginGraceTime 15
PermitRootLogin without-password
# set StrictModes to yes unless the homes directory is controlled by ACL
StrictModes no
PasswordAuthentication no
AllowTcpForwarding yes
PermitTunnel yes
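
With StrictModes set to no, the ownership and mode check on the key files can be run by hand. The following is an added example, not part of the original page: a POSIX sh script that applies the StrictModes rule (owned by the user or root, not writable by group or others) to .ssh and authorized_keys. The function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the ownership/mode test that
# sshd skips once "StrictModes no" is set. Function names are assumptions.

# check_path PATH UID
# Succeeds if PATH is owned by UID or by root and is not writable by group
# or others (mode & 022 == 0), which is the rule StrictModes applies.
check_path() {
    path=$1 want_uid=$2 rc=0
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    # ls -ldn prints "mode links uid gid ..." with numeric ids.
    mode=$(ls -ldn "$path" | awk '{print $1}')
    uid=$(ls -ldn "$path" | awk '{print $3}')
    case $uid in
        0|"$want_uid") ;;
        *) echo "OWNER    $path is owned by uid $uid"; rc=1 ;;
    esac
    # Characters 6 and 9 of the mode string are group-write and other-write.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "WRITABLE $path has mode $mode"; rc=1
    fi
    return "$rc"
}

# check_ssh_dir HOME UID
# Checks HOME/.ssh and HOME/.ssh/authorized_keys; the home directory itself
# is left out because on the DS it is governed by ACLs, not by mode bits.
check_ssh_dir() {
    home=$1 failed=0
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$2" || failed=1
    done
    return "$failed"
}

# Stand-alone use: sh check_ssh.sh /var/services/homes/username "$(id -u username)"
if [ "$#" -eq 2 ]; then
    check_ssh_dir "$1" "$2"
fi
```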

TODO

Log into the web interface

Control Panel > Users > User Home > Enable user home services

This creates the path /var/services/homes with a home directory below it for every user registered on the system.

Adding a user through the web interface does not apply all the settings needed for SSH / shell access:

  1. create the directories /var/services/homes and /var/services/homes/<username> with proper privileges as root
  2. copy .profile from /root to /var/services/homes/<username> and edit its contents
  3. you might wish to change the default prompt to PS1="\u@\h:\w\$ " in .profile
  4. if you installed sudo, also add SUDO_PS1 with the same prompt to .profile

Do the following as root:

# set the setuid bit on the busybox binary, which is shared by all of its applets
chmod 4755 /bin/busybox
cd /var/services/homes/username
mkdir .ssh
chown username:users .ssh
cp /root/.ssh/authorized_keys .ssh
chown username:users .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
cp /root/.profile /var/services/homes/username
vi .profile
# in .profile: change the line that reads "HOME=/root" to "HOME=/var/services/homes/username"
# the copy is owned by root; hand it to the user so that chmod 600 does not lock them out
chown username:users .profile
chmod 600 .profile
vi /etc/passwd
# in /etc/passwd: make sure your home is /var/services/homes/username and change the shell from /sbin/nologin to /bin/sh or /bin/ash

Tunneling

If you want to establish tunnels to services on the NAS, you need to enable TCP forwarding:

# vi /etc/ssh/sshd_config
AllowTcpForwarding yes
PermitTunnel yes

Check configuration

Check sshd_config for errors before reloading or restarting sshd:

# sshd -t
# /etc/init.d/ssh reload

Shell prompt

Change the shell prompt for root:

$ vim ~/.profile
SUDO_PS1='\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
export SUDO_PS1

This gives a prompt of root@DiskStation: for root, as opposed to user@DiskStation: for a normal user.

Update for DSM5

Set the SSH Port in Control Panel / Terminal.

Troubleshooting

Make sure the NAS is configured correctly to access the internet, e.g. default gateway and DNS settings must be correct.

Enable telnet in web interface > Control Panel > Terminal

telnet box # as username
ssh -v -v -v box # as root

Articles

Pubkey SSH for non-root users

Enabling the Command Line Interface