Complete Guide: Setting Up SSH Keys on Synology for Enhanced Security

Hello, tech enthusiasts! Edy here. Today, I’m excited to delve into the world of Synology SSH, offering a comprehensive guide on setting up SSH keys using PuTTYgen for secure access to your Synology NAS. This guide is designed for anyone looking to enhance their Synology NAS security, from beginners to seasoned tech professionals. Let’s get started on our journey to secure Synology SSH access!

Part 1: Generating an SSH Key with PuTTYgen for Synology SSH

Securing your Synology NAS with SSH begins with creating a robust SSH key. I’ve always found PuTTYgen to be an excellent tool for this. Here’s my approach:

Step 1: Download and Open PuTTYgen:

• My first step in securing Synology SSH access is downloading PuTTY from https://www.putty.org/. After installation, I launch PuTTYgen, ready to start the critical generation process. Type “puttygen” in the Windows search box.

Step 2: Generate the Key:

• In PuTTYgen, I click “Generate” and move my mouse around to create randomness. This randomness is crucial for a secure Synology SSH key.

Optional Passphrase:

• I often add a passphrase for an extra layer of security. This step is vital for ensuring your Synology SSH access remains secure.

Step 3: Save the Keys:

• After generating the key, I save the private key securely. Please don’t use the “Save public key” button” to save the public key. Unfortunately it will save the public key in a format Synology cannot read. Use instead the “public key” and copy/paste it to Notepad.

Ensure that the public key in the authorized_keys file is on a single line with no breaks. Sometimes, copying and pasting can insert line breaks that invalidate the key.

Below is an example the line should start with “ssh-rsa….”

Part 2: Applying the SSH Key for Synology SSH

With our SSH key ready, let’s apply it to the Synology NAS.

Step 4: Enable SSH on Synology NAS:

• I enable SSH in the DSM under Control Panel > Terminal & SNMP to secure my Synology SSH access.

Step 5: Adding the Public Key to Synology NAS:

• Access File Station on Your Synology NAS:
  • Log into your Synology DiskStation Manager (DSM).
  • Open the File Station application.
    
• Navigate to Your Home Directory:
  • In File Station, go to the ‘home’ folder. This is typically your user directory.
    
• Create the .ssh Folder:
  
  • Inside your home directory, create a new folder and name it .ssh (if it doesn’t already exist).
    
• Create the authorized_keys File:
  
  • Now, you need to create the authorized_keys file within the .ssh folder.
    Since File Station doesn’t directly allow file creation, you’ll need to use a workaround:
    • Create a text file on your local computer and name it authorized_keys. Please be sure that you don’t use a file extension like txt. The file name must be exactly “authorized_keys”
    • Open the file with a text editor (like Notepad) and paste your public SSH key into it. Save the changes.
    • Return to File Station in DSM and upload the authorized_keys file into the .ssh folder.
      

Step 6: Setting Proper Permissions for User Home Directories on Synology NAS:

To establish secure SSH access with authorized_keys on a Synology NAS, it’s crucial to adjust the permissions of user home directories. By default, Synology sets these directories to 777 permissions, which are overly permissive and can lead to SSH errors such as ‘server refused the key.’

For Individual User Home Directory:

1. Connect to Your Synology NAS via SSH:
   • Use an SSH client like PuTTY to log into your Synology NAS as an administrator.
     
2. Navigate to the Homes Directory:
   • User home directories are typically located in /volume1/homes/. Use cd /volume1/homes/ to navigate to this directory.
     
3. Change Permissions for a Specific User’s Home Directory:
   • Use the chmod command for the specific user’s directory. If the user’s home directory is username, the command is chmod 755 username. This sets the directory permissions to 755 (read, write, and execute for the owner, read and execute for others).

For All User Home Directories:

1. Understand the Implications:
   • Be cautious when changing permissions for all user home directories. Ensure this aligns with your security policies.
     
2. Bulk Change Command:
   • In the /volume1/homes/ directory, use chmod -R 755 * to change permissions for all directories. The -R flag applies the change recursively to all files and subdirectories within each user’s home directory. However, be aware that this will change the permissions of all files and folders within each user’s home, which might not be desirable for files that require different permissions.

Additional Steps for .ssh and authorized_keys:

• Ensure the .ssh directory in each user’s home has 700 permissions (chmod 700 .ssh), and the authorized_keys file has 600 permissions (chmod 600 .ssh/authorized_keys).

In the screenshot below, you see the permission for the folder .ssh and for the file authorized_keys

I recommend my article “Linux file permissions explained: What you need to understand” for more information about Linux file and folder permissions. A good reference is the chmod calculator.

Last Step 7: Connecting via SSH:

• To test our Synology SSH access, I open PuTTY, enter my NAS’s IP address, and load my private key under Connection > SSH > Auth. After saving these settings, I click Open to connect.

FAQs on Synology SSH and Security:

Conclusion:

That’s it for our guide on Synology SSH setup using PuTTYgen! This method not only secures your NAS but also provides peace of mind. If you have any questions or need further insights on Synology SSH, please reach out in the comments. Here’s to a secure and efficient computing experience!

I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at info@edywerder.ch. Your thoughts and insights are always appreciated. Additionally, you can connect with me on Reddit at Navigatetech.