Synology SSH Key-Based Login

Synology SSH Key-Based Login

When logging in to your Synology using SSH, you have probably grown accustomed to typing in your password. However, there are other ways to authenticate an SSH session. In this post, I’m going to walk you through key-based login.

What is key-based authentication?

Key-based authentication is a more secure alternative to password authentication. It works by exchanging keys. For this post, I will keep the explanation as simple as possible. There are two keys, a public key, and a private key. You have the public key you can exchange freely; it does not matter if somebody has it. This key is meant to be shared. Hence the name public key.

Data gets encrypted with the public key. This is one-way encryption. Just like a one-way street, it can go only one way. Once encrypted, only the private key can decrypt it, nothing else. The private key you keep to yourself. For additional security, you can even password-protect your private key so that you must first type your password to unlock it when it’s needed to decrypt data.

Prerequisites

Windows

Everything in this guide is compliant with Windows. When using Windows you require the OpenSSH client. This is now available as a feature in Windows. If you have not installed it yet, please follow the instructions from Microsoft. It’s available from Windows Features. Install OpenSSH Client. This is available for Windows 10/11.

MacOS

Mac OS X includes a command-line SSH client as part of the operating system

Linux

Please install the OpenSSH Client for your Linux distribution.

Setup key-based authentication

Let’s get started with setting up key-based authentication. I’d like to give you a summary of what we are going to do. We are going to create the keys we talked about earlier. Then we will copy the public key to our Synology so it can be used for authentication.

Generate Key-Pair

  • Replace DS_HOSTNAME with the name of your DiskStation, when you use spaces in your NAS name please enclose the name in double quotes (") for the -C parameter.
  • Replace DS_NAME with the Hostname of your DiskStation is all lower-case characters.

This will organize and get everything nice and in order. You want the filename(s) where the keys are written to always consist of lower-case characters.

ssh-keygen -b 4096 -t ed25519 -C DS_HOSTNAME -f ./.ssh/DS_NAME.key
Windows

When running on Windows, just execute this command from your user directory C:\Users\<USERNAME>\ in a command prompt or PowerShell.

This will create two files in the .ssh directory within your home directory on your computer, if the .ssh directory does not exist it will be created.

  • DS_NAME.key (Private Key)
  • DS_NAME.key.pub (Public Key)
Example where the DiskStation is called ‘MyNAS’
ssh-keygen -b 4096 -t ed25519 -C MyNAS -f ./.ssh/mynas.key

What we are creating here is actually a key pair with its own custom file name. (This is what the parameter -f is for.) We are doing this so we can unique keys per purpose.

I also have separate keys for my router, other servers, and development like git. We do not want multiple devices, servers or accounts to be affected if a key single key gets compromised.

I also recommend using unique keys per device, server, or account.

Copy key to your server

Now that we have our keys we are going to put our public key on the SSH Server in our case that will be our Synology. We are going to copy the key using a utility specially made for this, ssh-copy-id, this command is not available for Windows, therefor for Windows, I’m providing a different command which will do the same.

IMPORTANT: Please be aware that this step does require user home directories to be enabled because the key gets copied to the .ssh directory of the user you log in with to your DiskStation. Read my post on how to enable user home directories.

MacOS / Linux

Because we created a unique key for our server, we must tell ssh-copy-id which key needs to be sent to the server. This is done with the -i parameter. It will automatically find the matching public key and send it over.

Also in my earlier post on how to set up terminal access, I advised not to run SSH on its default port 22 but on port 32. I will provide multiple similar commands, and use the one that applies to your situation.

  • Replace DS_NAME.key with the name, you used earlier to generate your key pair.
  • Replace USER with your Synology username.
  • Replace DISKSTATION with the IP or hostname of your Synology you want to copy the key to.
SSH on default port 22
ssh-copy-id -i ./.ssh/DS_NAME.key USER@DISKSTATION
ssh-copy-id -i ./.ssh/mynas.key admin@mynas
SSH on default port 32
ssh-copy-id -i ./.ssh/DS_NAME.key -p 32 user@diskstation
ssh-copy-id -i ./.ssh/mynas.key -p 32 admin@mynas

Windows

Windows does not have the ssh-copy-id utility available with its OpenSSH client. However, we can do the same with a PowerShell command.

Open a PowerShell terminal.

type $env:USERPROFILE\.ssh\DS_NAME.key.pub | ssh USER@DISKSTATION "cat >> .ssh/authorized_keys"
  • Replace DS_NAME.key.pub with the name you used earlier to generate your key-pair, please note that in this case, we must explicitly use the filename of the public key, ssh-copy-id is capable of finding it, however, for Windows, we must manually point it to the right now.
  • Replace USER with your Synology username.
  • Replace DISKSTATION with the IP or hostname of your Synology you want to copy the key to.

You are now ready to connect to your NAS. Jump to the Connect section to learn how or continue with the easy access section I have written. I recommend setting up easy access.

Now that we have copied over the key, we can do a nice little trick to make our own lives easier. We are going to set up an SSH host entry. This will save us a lot of typing when we want to connect to our DiskStation. The reason we need this is that we are using a named key. If you generate a default key, it will have a default name and this is used for every connection if you are not providing the name of the key.

We are going to make an entry in the SSH config file for our Synology NAS. If this file does not exist you can go ahead and make it. The location is ~/.ssh/config for if you are using Mac, Linux, or WSL under Windows.

If you are using Windows with a command prompt. The location is .ssh/config in your Windows home directory. C:\Users\<USERNAME>\.ssh\config

Indent in .ssh/config

The indent in the SSH config file is a <TAB> character, please do not copy past the entire block, unfortunately, I was unable to put <TAB> characters in the code below.

Please make the following entry, where the name after Host is the name you will type on the command line. So in the example below, the command to connect to our DiskStation will simply become: ssh mynas

After creating the .ssh/config file set the permission of the file correctly for Linux, Mac, and WSL.

chmod 600 ~/.ssh/config

.ssh/config

Host mynas
    HostName mynas.diskstation.me
    Port 32
    User blogadmin
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/mynas.key

After saving this .ssh/config you will be able to connect to your NAS with a simple ssh mynas command. Please be aware that when it asks for a password it will ask for the password of the identity file if you did protect the key with a password.

Make sure you put the correct username in and the correct filename.

TIP: Keep-Alive

If you want the SSH session to remain open, you can add the following parameter to your host section in .ssh/config.

    ServerAliveInterval 60

I hope you enjoyed this post, feel free to leave a comment or send me an email with suggestions.

Connect

When you have set up everything you are now capable of logging in to your DiskStation. If you have set up the easy access check below.

Connect to your server with key-based authentication with the following command. Replace USER and DISKSTATION and optionally PORT with the values of your situation. For Windows, I recommend using PowerShell because this will recognize the ~ character as being the user’s home directory.

Connect on default port 22
ssh -i ~/.ssh/mynas.key USER@DISKSTATION
Connect on a different port
ssh -i ~/.ssh/mynas.key -p PORT USER@DISKSTATION
Pro-Tip

In MacOS, Linux, or WSL, you can set up an alias in your terminal for your command, which allows you to replace the entire command with a single word.

alias mynas='ssh -i ~/.ssh/mynas.key -p PORT USER@DISKSTATION`

When you give the command mynas in the terminal, it will automatically log in.

Connect with Easy Access

By simply providing the Host identifier you wrote in your .ssh/config file. So if you named it mynas as in the example. You can now connect to your NAS with the following command.

ssh mynas

You will now login into your NAS with the username and identity key provided in your config.

I hope you liked this post and that this will help you. Feel free to leave a comment or send me an email with suggestions. I hope to hear from you soon.

Read More