Recently, I received about ten emails from my NAS within a few days, warning me that multiple IPs were being blocked due to multiple failed SSH login attempts per IP. Concerned about security, I decided to look into how to harden my setup. And so I went to see if I could use SSH public key authentication instead of password authentication when using SSH.
A quick search led me to: How do I sign in to DSM with RSA key pairs via SSH? – Synology Knowledge Center
It was a great starting point to get this working! While the guide explains how to set up the SSH keys, it has some gaps and is somewhat hard to read, as it covers both the old DSM version and the Windows native SSH client and PuTTY (or KiTTY). More importantly, it doesn’t explain how to disable password authentication entirely. It simply shows you how to enable SSH keys for logging in alongside password authentication, which doesn’t improve security at all.
Here is my guide to using SSH keys instead of password authentication on DSM 7.0+ using PuTTY (or KiTTY) on Windows.
Set up DSM to use SSH
- Sign in to your NAS using an admin account
- Go to Control Panel > Terminal & SNMP > tick Enable SSH service
- I also suggest changing the default port to something else
- In Advanced settings change the encryption algorithm setting to High (or customize the encryption mode if you know what you are doing)
- Don’t forget to set up auto block, but I won’t go into details here
- Go to Control Panel > User & Groups > Advanced > tick Enable user home service
Generate an RSA key pair
You can do this with PuTTY Key Generator, but I opted to use the default Windows tool and convert it to a .ppk file for use in PuTTY.
- Open PowerShell (you can use Terminal)
- Run the command
ssh-keygen -t rsa
- Enter the path where you want to save the RSA key, or just press enter to use the default path
- Enter a passphrase for the private key when prompted. I don’t recommend skipping this step.
Upload your RSA key to your NAS
- Go to File Station > home
- Create a sub-folder named .ssh
- Upload your id_rsa.pub file to the .ssh folder (this file can be found where you saved it before)
- Rename the file to authorized_keys
- You can add more keys: instead of renaming, you have to append to the file. In the Knowledge Center they use
cat id_rsa.pub >> authorized_keys
which will append to the existing file if it exists
At this point your NAS is ready to allow login via RSA public keys
Convert private RSA Key to use with PuTTY
As mentioned before, for PuTTY you have to convert the private key file to a .ppk file
- Launch PuTTYGen
- Conversion > Import Key > Enter Passphrase
- Save private key
Login with PuTTY
- Launch PuTTY
- Session: accountname@ip
- Port: 22 (or the one you changed it to)
- Connection > SSH > Auth > Browse and select your .ppk file
- Open (you should now be prompted for your passphrase and be logged in)
Disable password authentication
- Edit the SSH daemon configuration
sudo vi /etc/ssh/sshd_config
(this should ask for your password; for sudo this still works)
- Change
PasswordAuthentication yes
to
PasswordAuthentication no
  - You can move to this line and press i to start insert / edit mode and use esc to stop editing
  - You can also search for this line by typing /PasswordAuth (and enter)
- Save and quit by pressing
:wq
- Now you have to restart the SSH daemon (the easiest way is to disable and re-enable the SSH service in the web portal; don’t forget to click Apply)
- If you now try to log in using a password again you should get a message like “Permission denied (publickey)”
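The /PasswordAuth search in vi can land on a commented-out or duplicate line, so it is worth confirming what the file really says after the edit. The script below is an added example, not part of the original guide or Synology's documentation; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check what an sshd_config-style
# file really says about PasswordAuthentication.
# OpenSSH behaviour relied on: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and PasswordAuthentication defaults to "yes".
# Assumptions: whitespace-separated "Keyword value" lines; Include files are
# not followed.

# global_password_auth FILE -> prints the effective global value (yes/no)
global_password_auth() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        tolower($1) == "match" { exit }           # global section ends at the first Match
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }           # unset means the default, yes
    ' "$1"
}

# match_reenables FILE -> prints each Match line whose block sets it back to yes
match_reenables() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { ctx = $0; next }
        ctx != "" && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print ctx }
    ' "$1"
}

# password_login_disabled FILE -> exit status 0 only if no part of the file allows passwords
password_login_disabled() {
    [ "$(global_password_auth "$1")" = "no" ] && [ -z "$(match_reenables "$1")" ]
}

# Constructed sample: the edit landed on a second, later line, so the first
# active "yes" still wins and password logins stay enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
if password_login_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still possible (global: $(global_password_auth "$sample"))"
fi
rm -f "$sample"
```

On the NAS, call password_login_disabled on /etc/ssh/sshd_config (with sudo if the file is not readable) after saving the edit and before restarting the SSH service.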
In the end it was pretty easy to set this up; however, I wish Synology integrated this in their GUI, allowing users to upload private keys, and let admins enable/disable Password Authentication for SSH: 2 small features that would make this a more secure feature.
I hope you found this useful and if I missed something or made an error, please let me know 🙂