{"id":17674528,"url":"https://github.com/007revad/synology_ssh_key_setup","last_synced_at":"2025-03-30T16:43:21.379Z","repository":{"id":244516693,"uuid":"815282440","full_name":"007revad/Synology_SSH_key_setup","owner":"007revad","description":"How to setup SSH key authentication for your Synology","archived":false,"fork":false,"pushed_at":"2024-12-26T19:05:45.000Z","size":201,"stargazers_count":24,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-28T13:46:09.701Z","etag":null,"topics":["ssh-key","synology"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/007revad.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-14T18:56:16.000Z","updated_at":"2025-03-10T18:39:05.000Z","dependencies_parsed_at":"2024-06-15T09:49:55.810Z","dependency_job_id":"bc3b3984-f711-4270-a106-fa4d21539209","html_url":"https://github.com/007revad/Synology_SSH_key_setup","commit_stats":null,"previous_names":["007revad/synology_ssh_key_setup"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/007revad%2FSynology_SSH_key_setup","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/007revad%2FSynology_SSH_key_setup/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/007revad%2FSynology_SSH_key_setup/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/007revad%2FSynology_SSH_key_setu
p/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/007revad","download_url":"https://codeload.github.com/007revad/Synology_SSH_key_setup/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246350821,"owners_count":20763226,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ssh-key","synology"],"created_at":"2024-10-24T07:07:25.171Z","updated_at":"2025-03-30T16:43:21.348Z","avatar_url":"https://github.com/007revad.png","language":null,"funding_links":["https://www.paypal.com/paypalme/007revad","https://github.com/sponsors/007revad"],"categories":[],"sub_categories":[],"readme":"# Synology SSH key setup\n\n\u003c!-- \u003ca href=\"https://github.com/007revad/Synology_SSH_key_setup/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/release/007revad/Synology_SSH_key_setup.svg\"\u003e\u003c/a\u003e --\u003e\n\u003ca href=\"https://hits.seeyoufarm.com\"\u003e\u003cimg src=\"https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2F007revad%2FSynology_SSH_key_setup\u0026count_bg=%2379C83D\u0026title_bg=%23555555\u0026icon=\u0026icon_color=%23E7E7E7\u0026title=views\u0026edge_flat=false\"/\u003e\u003c/a\u003e\n\u003c!-- [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/paypalme/007revad) --\u003e\n\u003c!-- [![](https://img.shields.io/static/v1?label=Sponsor\u0026message=%E2%9D%A4\u0026logo=GitHub\u0026color=%23fe8e86)](https://github.com/sponsors/007revad) --\u003e\n\u003c!-- [![committers.top 
badge](https://user-badge.committers.top/australia/007revad.svg)](https://user-badge.committers.top/australia/007revad) --\u003e\n\u003c!-- [![committers.top badge](https://user-badge.committers.top/australia_public/007revad.svg)](https://user-badge.committers.top/australia_public/007revad) --\u003e\n\u003c!-- [![committers.top badge](https://user-badge.committers.top/australia_private/007revad.svg)](https://user-badge.committers.top/australia_private/007revad) --\u003e\n\u003c!-- [![Github Releases](https://img.shields.io/github/downloads/007revad/synology_hdd_db/total.svg)](https://github.com/007revad/Synology_HDD_db/releases) --\u003e\n\n### Description\n\nHow to set up SSH key authentication for your Synology\n\nTommes has an excellent guide [in English here](https://github.com/toafez/Tutorials/blob/main/SynologyNAS/ssh_from_os_to_nas_en.md), and [in German here](https://github.com/toafez/Tutorials/blob/main/SynologyNAS/ssh_from_os_to_nas.md) that goes with their [YouTube video in German here](https://youtu.be/VjoWjX_8E3Q).\n\n\u003cbr\u003e\n\nContent below from Gudbrand Olimb's now deleted https://blog.golimb.com/2020/10/03/synology-ssh-key-authentication/\n\n\u003cp align=\"left\"\u003e\u003cimg src=\"/images/icon.jpg\" width=\"467\" height=\"200\"\u003e\u003c/p\u003e\n\nThere are a lot of posts throughout the web on configuring SSH key authentication on Synology NAS, many with some confusing and unnecessary steps such as:\n- Modifying the RSAAuthentication and PubkeyAuthentication parameters in /etc/ssh/sshd_config\n- Restarting the sshd service multiple times with sudo synoservicectl --reload sshd\n- Changing permissions on various folders with chmod, both root folders and user folders\n- Unclear creation of ~/.ssh folder ending up under root\n\nAfter reading many great blog posts and guides on this, I've tried to summarise what is actually required to make SSH key authentication work with Synology NAS assuming you are coming from a clean setup 
without too many changes. Hopefully this summary will help you so you don't need to search Google and go through the same x number of guides.\n\nNow through this whole guide you will be in the **context of a specific user** who is included in the **Administrator group**.\n- _You will_ ***not*** _be sudo or su to root user although sudo will be used to perform some actions_.\n- The reason why you need to have a user specified in the administrator group is that only administrators are allowed to log in through SSH by default (see below).\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"/images/image-1.png\"\u003e\u003c/p\u003e\n\nSo let's get started with the basic steps\n\n## 1. Prerequisite - Enable SSH on your Synology NAS\nAs shown in the picture above, to enable SSH for your Synology NAS go to Control Panel -\u003e Terminal \u0026 SNMP -\u003e Terminal Tab -\u003e Check Enable SSH Service and enter a port.\n\n- It is highly recommended to use a custom port and not the standard port 22, because on port 22 you will get a lot of brute force attempts from robots and attackers scanning public IPs. This applies if you are exposing your Synology NAS to the internet.\n\n## 2. Prerequisite - Creation of SSH key pair\nTo use SSH key authentication we will need to generate an SSH key pair (one privateKey, one publicKey). 
The publicKey will be shared with and stored in the Synology NAS SSH \"authorized keys\" while the privateKey will be used to prove our identity as it will correspond to the publicKey.\n\n- **Windows**\n   - If you are on Windows I recommend downloading puttygen to generate the keys, it's very quick and user friendly, see the link below for a guide on creation of RSA key.\nhttps://www.ssh.com/ssh/putty/windows/puttygen\n\n- **Mac**\n   - Open a terminal, navigate to a folder and run below to generate a public and private key\n      - `ssh-keygen -t rsa -b 4096 -C \"user@domain.com\"`\n   - Go here if you want to read up some more: https://www.ssh.com/ssh/keygen/\n\n## 3. Prerequisite - Copy the publicKey\nOpen the created keyname.pub and copy the content to a text editor or similar. The public key should start with ssh-rsa and look a lot like below. Beware there is no new line here, it is all in one line (this is also important for later).\n```\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com\n```\n\n## 4. SSH into your NAS\nNow that we have a key pair and have enabled SSH on the Synology NAS, let's log in to configure the SSH authorized_keys (= our generated public key)\n\nOpen a terminal and ssh into the server with your admin-user, ip and custom port: \n\n```\nssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort}\n```\n\nNow run the `pwd` command to verify you are in the {admin-user} user directory. \n- The result should be: ***/volume1/homes/{admin-user}***\n\n## 5. 
Creation of .ssh directory and authorized_keys file\nNow in the {admin-user} directory create a directory named **.ssh**\n\n```\nmkdir .ssh\n```\n\nNow navigate to the .ssh folder\n\n```\ncd .ssh\n```\n\nNow run the `pwd` command to verify you are in the right location.\n  - The result should be ***/volume1/homes/{admin-user}/.ssh***\n\nNext create an authorized_keys file.\n\n```\nvi authorized_keys\n```\n\nThis will take you into the vi program interface for adding content.\n\n- Press **i** to enable inserting text.\n- Paste your public key from step 3.\n   - Ensure you paste your public key on one line only, no new line and remember the spaces.\n- Press **esc** to leave insert mode and return to vi's command mode.\n- Press the colon **:** key.\n- Type **wq!** and press enter to save the file.\n\nNow let's verify the file is created with the `ls` command.\n  - The result should be ***authorized_keys***\n\nNow let's verify the public key in the file with the command `more authorized_keys`\n\nThe result should look like:\n\n```\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSkT3A1j89RT/540ghIMHXIVwNlAEM3WtmqVG7YN/wYwtsJ8iCszg4/lXQsfLFxYmEVe8L9atgtMGCi5QdYPl4X/c+5YxFfm88Yjfx+2xEgUdOr864eaI22yaNMQ0AlyilmK+PcSyxKP4dzkf6B5Nsw8lhfB5n9F5md6GHLLjOGuBbHYlesKJKnt2cMzzS90BdRk73qW6wJ+MCUWo+cyBFZVGOzrjJGEcHewOCbVs+IJWBFSi6w1enbKGc+RY9KrnzeDKWWqzYnNofiHGVFAuMxrmZOasqlTIKiC2UK3RmLxZicWiQmPnpnjJRo7pL0oYM9r/sIWzD6i2S9szDy6aZ user@domain.com\n```\n\n## 6. Setting correct permissions\nThis is the point where a lot of confusion often occurs when trying to do SSH authentication with Synology NAS. 
A lot of this confusion occurs because the {admin-user} home directory by default allows any access, which the sshd SSH daemon considers insecure, so it prevents SSH key authentication from occurring.\n\n**Default permissions of users' home folders are 777 / rwxrwxrwx**\n- User's home folder = /volume1/homes/{username}\n- In this case home folder = /volume1/homes/{admin-user}\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"/images/image-2.png\" width=\"500\" height=\"266\"\u003e\u003c/p\u003e\n\nWhat we need to do is to change the permissions to below:\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"/images/image-3.png\" width=\"500\" height=\"266\"\u003e\u003c/p\u003e\n\nThis can be done by running:\n```\nsudo chmod 755 /volume1/homes/{admin-user}\n```\nThere are some comments that changing the user home permissions might not be the best solution to resolve this due to security or the fact that a Synology update might change this later.\n- The first case on security should not be a worry in itself as we are actually restricting permissions by changing from 777 to 755\n- The second case of Synology updates is something to be aware of: you might need to set this permission again in future after an update if that update resets the permissions to 777\n  - Based on the fact that there is a risk of permissions being reset outside of our control I would discourage removing the username/pw authentication option in sshd_config (/etc/ssh/sshd_config), which some have suggested doing once SSH key authentication is working correctly.\n \nNow if you want to be 100% sure you have the correct permissions for the user home and the .ssh directory and authorized_keys you can either\n- Run the following chmod commands to set the correct permissions:\n```\nsudo chmod 755 /volume1/homes/{admin-user}\nsudo chmod 755 /volume1/homes/{admin-user}/.ssh\nsudo chmod 644 /volume1/homes/{admin-user}/.ssh/authorized_keys\n```\n- Or check the permissions of 
each of the below folders and files one by one\n    - Chmod calculator - https://chmod-calculator.com/\n\nCheck the permissions of the following folders and files:\n```\n/volume1/homes/{admin-user} | 755\n/volume1/homes/{admin-user}/.ssh | 755\n/volume1/homes/{admin-user}/.ssh/authorized_keys | 644\n```\n\nTo check, navigate to /volume1/homes/{admin-user}/.ssh and run ls -al\n```\ncd /volume1/homes/{admin-user}/.ssh\nls -al\n\ndrwxr-xr-x  2 {admin-user} users 4096 Oct  3 15:58 .\ndrwxr-xr-x 16 {admin-user} users 4096 Oct  3 16:08 ..\n-rw-r--r--  1 {admin-user} users  747 Oct  3 16:11 authorized_keys\n```\n\n. represents /volume1/homes/{admin-user}/.ssh folder \u003cbr\u003e.. represents /volume1/homes/{admin-user} folder \u003cbr\u003eauthorized_keys represents /volume1/homes/{admin-user}/.ssh/authorized_keys file\n\n## 7. Ready to test\n\nNow we should be ready to connect to the Synology NAS with SSH key authentication. On your PC/Mac, go to the folder holding your private key. To test the connection, run the following command from a terminal.\n```\nssh {admin-user}@{nas-ip-or-host} -p {specifiedCustomPort} -o \"IdentitiesOnly=yes\" -i {privateKey}\n```\n\nNow hopefully you are automatically logged in to the Synology NAS over SSH as the key pair exchange and authentication happens in the backend.\n\nNow if you want to simplify your login so you can do as below for example:\n```\nssh synologyNas\n```\n\nThen check out the following link for setting up an SSH config file with an alias (synologyNas) with preconfigured parameters for ip/host, port, privatekey, user, etc\n- https://mediatemple.net/community/products/grid/204644730/using-an-ssh-config-file\n\n## 8. 
Troubleshooting\n\nLog back into the Synology NAS using username/pw as {admin-user} through a terminal and run the command below. This will start a debug ssh server where you can see the interaction between the Synology NAS and your PC/Mac\n```\nsudo /bin/sshd -p {debugPort} -d\n```\n\nNow from your PC/Mac open another terminal and perform the same key authentication command as before against the debug ssh server\n```\nssh {admin-user}@{nas-ip-or-host} -p {debugPort} -o \"IdentitiesOnly=yes\" -i {privateKey}\n```\n\nNow in the session from step 1 you should be able to see the debug console and any issues such as permission issues etc.\n\n### Common errors\n\n**Wrong permissions on user home folder**\n\nError message:\n```\ndebug1: temporarily_use_uid: 1026/100 (e=0/0)\ndebug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys\ndebug1: fd 4 clearing O_NONBLOCK\nAuthentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}\ndebug1: restore_uid: 0/0\n```\n\nResolution: Go back to step 6 and ensure you set the correct permissions on the user's home directory\n\n\u003cbr\u003e\n\n**Wrong permissions on .ssh folder**\n\nError message:\n```\ndebug1: temporarily_use_uid: 1026/100 (e=0/0)\ndebug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys\ndebug1: fd 4 clearing O_NONBLOCK\nAuthentication refused: bad ownership or modes for directory /volume1/homes/{admin-user}/.ssh\ndebug1: restore_uid: 0/0\n```\n\nResolution: Go back to step 6 and ensure you set the correct permissions on the .ssh directory\n\n\u003cbr\u003e\n\n**Wrong permissions on authorized_keys file**\n\nError message:\n```\ndebug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys\ndebug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': Permission denied\ndebug1: restore_uid: 0/0\n```\nResolution: Go back to step 6 and ensure you set the correct permissions on the 
authorized_keys file in the .ssh directory\n\n\u003cbr\u003e\n\n**Wrongly created .ssh folder (usually under wrong user context like e.g. root and not user)**\n\nError message:\n```\ndebug1: temporarily_use_uid: 1026/100 (e=0/0)\ndebug1: trying public key file /var/services/homes/{admin-user}/.ssh/authorized_keys\ndebug1: Could not open authorized keys '/var/services/homes/{admin-user}/.ssh/authorized_keys': No such file or directory\ndebug1: restore_uid: 0/0\n```\n\nResolution: Go back to step 5 and ensure you create the .ssh directory and authorized_keys under the correct context/user {admin-user}\n\nThis error can typically happen if you ended up creating the .ssh folder under root as below:\n```\ncommand as root - ash# pwd\nresult - /root/.ssh\n```\n\nWhat it should be:\n```\ncommand as {admin-user} - {admin-user}# pwd\nresult - /volume1/homes/{admin-user}/.ssh\n```\n\n### A few extra handy tips\n\nIf you think/feel that the SSH daemon on the Synology NAS is not picking up your changes you can try to restart the daemon by running the command below (requires admin access)\n```\nsudo synoservicectl --reload sshd\n```\n\nOn Mac, if you get an error like the one below, you need to set correct permissions on the .ssh folder and the privateKeys used for SSH key authentication\n```\nPermissions 0777 for '/Users/username/.ssh/privateKeys/id_rsa' are too open.\nIt is recommended that your private key files are NOT accessible by others.\nThis private key will be ignored.\n```\n\nTo correct the permissions, run the commands below\n```\nsudo chmod -R 755 ~/.ssh\nsudo chmod -R 600 ~/.ssh/privateKeys/*\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F007revad%2Fsynology_ssh_key_setup","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F007revad%2Fsynology_ssh_key_setup","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F007revad%2Fsynology_ssh_key_setup/lists"}