Synology SSH Key-Based Login
When logging in to your Synology using SSH, you have probably grown accustomed to typing in your password. However, there are other ways to authenticate an SSH session. In this post, I’m going to walk you through key-based login.
What is key-based authentication?
Key-based authentication is a more secure alternative to password authentication. It works by exchanging keys. For this post, I will keep the explanation as simple as possible. There are two keys, a public key, and a private key. You have the public key you can exchange freely; it does not matter if somebody has it. This key is meant to be shared. Hence the name public key.
Data gets encrypted with the public key. This is one-way encryption. Just like a one-way street, it can go only one way. Once encrypted, only the private key can decrypt it, nothing else. The private key you keep to yourself. For additional security, you can even password-protect your private key so that you must first type your password to unlock it when it’s needed to decrypt data.
Prerequisites
Windows
Everything in this guide works on Windows. On Windows you need the OpenSSH client, which is now available as a feature in Windows 10/11. If you have not installed it yet, please follow the instructions from Microsoft: open Windows Features and install OpenSSH Client.
MacOS
Mac OS X includes a command-line SSH client as part of the operating system.
Linux
Please install the OpenSSH Client for your Linux distribution.
Setup key-based authentication
Let’s get started with setting up key-based authentication. I’d like to give you a summary of what we are going to do. We are going to create the keys we talked about earlier. Then we will copy the public key to our Synology so it can be used for authentication.
Generate Key-Pair
- Replace DS_HOSTNAME with the name of your DiskStation. If your NAS name contains spaces, enclose the name in double quotes (") for the -C parameter.
- Replace DS_NAME with the hostname of your DiskStation in all lower-case characters.
This keeps everything nicely organized. You want the filename(s) where the keys are written to always consist of lower-case characters.
ssh-keygen -b 4096 -t ed25519 -C DS_HOSTNAME -f ./.ssh/DS_NAME.key
Windows
When running on Windows, just execute this command from your user directory C:\Users\<USERNAME>\ in a command prompt or PowerShell.
This will create two files in the .ssh directory within your home directory on your computer. If the .ssh directory does not exist, it will be created.
- DS_NAME.key (Private Key)
- DS_NAME.key.pub (Public Key)
Example where the DiskStation is called ‘MyNAS’
ssh-keygen -b 4096 -t ed25519 -C MyNAS -f ./.ssh/mynas.key
What we are creating here is actually a key pair with its own custom file name (this is what the -f parameter is for). We are doing this so we can use unique keys per purpose. Note that Ed25519 keys have a fixed length, so ssh-keygen ignores the -b 4096 value for this key type.
I also have separate keys for my router, other servers, and development like git. We do not want multiple devices, servers or accounts to be affected if a single key gets compromised.
I also recommend using unique keys per device, server, or account.
Copy key to your server
Now that we have our keys, we are going to put our public key on the SSH server, which in our case is our Synology. We are going to copy the key using a utility specially made for this, ssh-copy-id. This command is not available for Windows, therefore for Windows I’m providing a different command which will do the same.
IMPORTANT:
Please be aware that this step does require user home directories to be enabled because the key gets copied to the .ssh directory of the user you log in with to your DiskStation. Read my post on how to enable user home directories.
MacOS / Linux
Because we created a unique key for our server, we must tell ssh-copy-id which key needs to be sent to the server. This is done with the -i parameter. It will automatically find the matching public key and send it over.
Also, in my earlier post on how to set up terminal access, I advised not to run SSH on its default port 22 but on port 32. I will provide multiple similar commands; use the one that applies to your situation.
- Replace DS_NAME.key with the name you used earlier to generate your key pair.
- Replace USER with your Synology username.
- Replace DISKSTATION with the IP or hostname of your Synology you want to copy the key to.
SSH on default port 22
ssh-copy-id -i ./.ssh/DS_NAME.key USER@DISKSTATION
ssh-copy-id -i ./.ssh/mynas.key admin@mynas
SSH on port 32
ssh-copy-id -i ./.ssh/DS_NAME.key -p 32 USER@DISKSTATION
ssh-copy-id -i ./.ssh/mynas.key -p 32 admin@mynas
Windows
Windows does not have the ssh-copy-id utility available with its OpenSSH client. However, we can do the same with a PowerShell command.
Open a PowerShell terminal.
type $env:USERPROFILE\.ssh\DS_NAME.key.pub | ssh USER@DISKSTATION "cat >> .ssh/authorized_keys"
- Replace DS_NAME.key.pub with the name you used earlier to generate your key pair. Please note that in this case we must explicitly use the filename of the public key. ssh-copy-id is capable of finding it; on Windows, however, we must manually point to the right one.
- Replace USER with your Synology username.
- Replace DISKSTATION with the IP or hostname of your Synology you want to copy the key to.
You are now ready to connect to your NAS. Jump to the Connect section to learn how or continue with the easy access section I have written. I recommend setting up easy access.
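If key login still falls back to a password prompt after copying the key, check the file modes on the NAS: with StrictModes (the sshd default), the key is ignored when the home directory, .ssh, or authorized_keys is writable by group or others, and the Windows one-liner above neither creates .ssh nor sets modes. The script below is an added example, not part of the original post; its function names are made up for this example, and it checks mode bits only, not ownership.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the DiskStation.
# Checks mode bits only; sshd also checks ownership, which this skips.

# is_loose PATH: true when PATH is writable by group or others
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR: print one line per path, return the problem count
check_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            problems=$((problems + 1))
        elif is_loose "$p"; then
            echo "LOOSE   $p (group/other writable)"
            problems=$((problems + 1))
        else
            echo "OK      $p"
        fi
    done
    return "$problems"
}

# fix_ssh_perms HOME_DIR: create what is missing and tighten the modes
fix_ssh_perms() {
    home=$1
    chmod go-w "$home" &&
        mkdir -p "$home/.ssh" &&
        chmod 700 "$home/.ssh" &&
        touch "$home/.ssh/authorized_keys" &&
        chmod 600 "$home/.ssh/authorized_keys"
}

# Constructed demo on a throwaway directory standing in for a home directory.
# On the NAS itself: check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 777 "$demo/.ssh"
check_ssh_perms "$demo" || fix_ssh_perms "$demo"
check_ssh_perms "$demo"
rm -rf "$demo"
```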
Easy access (Optional, Recommended)
Now that we have copied over the key, we can do a nice little trick to make our own lives easier. We are going to set up an SSH host entry. This will save us a lot of typing when we want to connect to our DiskStation. The reason we need this is that we are using a named key. If you generate a default key, it will have a default name and this is used for every connection if you are not providing the name of the key.
We are going to make an entry in the SSH config file for our Synology NAS. If this file does not exist you can go ahead and make it. The location is ~/.ssh/config if you are using Mac, Linux, or WSL under Windows.
If you are using Windows with a command prompt, the location is .ssh/config in your Windows home directory: C:\Users\<USERNAME>\.ssh\config
Indent in .ssh/config
The indent in the SSH config file is a <TAB> character. Please do not copy and paste the entire block; unfortunately, I was unable to put <TAB> characters in the code below.
Please make the following entry, where the name after Host is the name you will type on the command line. So in the example below, the command to connect to our DiskStation will simply become: ssh mynas
After creating the .ssh/config file, set the permission of the file correctly for Linux, Mac, and WSL.
chmod 600 ~/.ssh/config
.ssh/config
Host mynas
HostName mynas.diskstation.me
Port 32
User blogadmin
PreferredAuthentications publickey
IdentityFile ~/.ssh/mynas.key
After saving this .ssh/config you will be able to connect to your NAS with a simple ssh mynas command. Please be aware that when it asks for a password it will ask for the password of the identity file if you did protect the key with a password.
Make sure you put the correct username in and the correct filename.
TIP: Keep-Alive
If you want the SSH session to remain open, you can add the following parameter to your host section in .ssh/config.
ServerAliveInterval 60
I hope you enjoyed this post, feel free to leave a comment or send me an email with suggestions.
Connect
When you have set up everything, you are capable of logging in to your DiskStation. If you have set up easy access, see Connect with Easy Access below.
Connect to your server with key-based authentication with the following command. Replace USER and DISKSTATION and optionally PORT with the values of your situation. For Windows, I recommend using PowerShell because this will recognize the ~ character as being the user’s home directory.
Connect on default port 22
ssh -i ~/.ssh/mynas.key USER@DISKSTATION
Connect on a different port
ssh -i ~/.ssh/mynas.key -p PORT USER@DISKSTATION
Pro-Tip
In MacOS, Linux, or WSL, you can set up an alias in your terminal for your command, which allows you to replace the entire command with a single word.
alias mynas='ssh -i ~/.ssh/mynas.key -p PORT USER@DISKSTATION'
When you give the command mynas in the terminal, it will automatically log in.
Connect with Easy Access
With easy access you connect by simply providing the Host identifier you wrote in your .ssh/config file. So if you named it mynas as in the example, you can now connect to your NAS with the following command.
ssh mynas
You will now log in to your NAS with the username and identity key provided in your config.
I hope you liked this post and that this will help you. Feel free to leave a comment or send me an email with suggestions. I hope to hear from you soon.