SSH Into a Synology Disk Station Using Secure Keys
May 30th, 2008

After toying with the idea of getting a static IP address so I can connect to my Disk Station from the internet I took the plunge and ordered one.
My next thought was securing my Disk Station since I currently log in via SSH using a password and I’d rather only allow logins using a secure key to prevent brute force attacks.
The guide here is distilled from two pages (see below) and works from my Fedora 9 box to my Disk Station.
References:
Enable SSH
I won’t cover enabling SSH since Synology supplies patches for this purpose and the process is very simple.
I should mention that it’s a good idea to use the telnet patch to enable telnet so you don’t get locked out if something goes wrong.
Make SSH only accept login using keys
You need to login to your box via SSH and edit the file /etc/ssh/sshd_config as shown here to accept keys to log in.
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Also change the following line to prevent passwords being used to log in. It is worth confirming that a key login works before making this change, since once passwords are off a missing or unreadable key leaves only the telnet fallback.
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
While we’re here we’ll also change the default SSH port from 22 to something else to stop most of the automated attacks aimed at port 22. Uncomment the Port line at the top of the file and change the port number.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 99
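As a check on the sshd_config edits above, here is an added example (not from the original post) that resolves the settings the way sshd does and flags anything that still allows password logins. It assumes OpenSSH's keyword semantics (case-insensitive keywords, '#' comments, the first value given for a keyword wins, a Match block ends the global section) and the default values listed in DEFAULTS.

```python
import re

# Assumed OpenSSH defaults for the keywords this guide edits.
DEFAULTS = {"port": "22", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "permitemptypasswords": "no"}

def effective_settings(config_text):
    """Resolve the global section as sshd does: keywords are case-insensitive,
    '#' lines are comments, the FIRST value wins, and Match ends the section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Return findings; an empty list means the config enforces key-only login."""
    cfg = effective_settings(config_text)
    get = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    findings = []
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not yes: key logins will fail")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is still yes: brute force still possible")
    if get("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is yes")
    if get("port") == "22":
        findings.append("Port is still 22")
    return findings

# Constructed sample: the guide's edits applied correctly.
GUIDE_CONFIG = """Port 99
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
#PermitEmptyPasswords no
"""

# Constructed sample: 'no' was appended below an earlier 'yes', so the
# earlier line still wins and password logins remain enabled.
TRAP_CONFIG = """PasswordAuthentication yes
PasswordAuthentication no
"""
```

Run it on the host against a copy of the Disk Station's file, e.g. `audit(open("sshd_config").read())`; the second sample shows why appending a hardened line to the bottom of the file is not enough.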
Create the Key Pairs
On your host computer (not the Disk Station) open a terminal and run the following command. Do NOT do this as root.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bobpeers/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX bobpeers@freja
The id_rsa file is your private key and should stay on the computer you connect from. The id_rsa.pub file is the public key that goes on the server (or servers) you wish to connect to. If you choose a passphrase you will be prompted for it on every login, so if you want to use automated scripts you should not set one.
The public key needs to be copied to the Disk Station. Back in the SSH terminal:
# cd /root
mkdir .ssh
touch .ssh/authorized_keys
vi .ssh/authorized_keys
Since scp is not enabled you cannot simply copy the key across, so open the id_rsa.pub file on the host, copy its contents and paste them into the file on the Disk Station (in a terminal, paste is ctrl + shift + v).
Edit the file permissions
On the Disk Station we need to secure the authorized_keys file. In the SSH terminal type the following; sshd (with the default StrictModes yes) refuses the key if the home directory, .ssh or authorized_keys is writable by anyone other than the owner, so these permissions matter.
chmod 700 .ssh
chmod 644 .ssh/authorized_keys
Reboot and login
Reboot the Disk Station (type reboot in the SSH terminal; this will of course kill your session). Next, on the host computer log in again, but if your old login was:
$ ssh root@123.4.5.6
You should now use:
$ ssh root@123.4.5.6 -p 99
Where -p 99 is the port you set for SSH in the sshd_config file. You should now be prompted for your passphrase, if you chose one; with an empty passphrase you will be logged in immediately.