SSH into your Synology DSM 6.1 with a Yubikey

in #security, 7 years ago

Hello my fellow Steemians!

During the last few days I have been experimenting a lot with a nice little Synology DS216+II NAS that currently runs on DSM 6.1. I found that for the more basic administration tasks the web-interface is perfect. But as soon as you want to dig a little deeper, SSH-ing into the server is almost inevitable. But: How to achieve this? And most importantly: How to achieve this without opening up a lot of potential vulnerabilities?

Desired end-configuration:

  • Connect to the NAS via SSH
  • Allow only public-key authentication; block passwords
  • Use the GPG authentication-subkey stored on a Yubikey for this

Because I want to connect to the NAS from a Windows machine, I will also include instructions on how to configure Kleopatra (part of Gpg4Win) and Putty.

Let's go through this step by step:

Step 1: Ensure the user has a home directory

The very first thing you need to do (provided you have a NAS, created all the users etc.) is to make sure the home directory service is enabled. This is needed because we will store the user's SSH-key in his/her home folder.

[Screenshot: Enable user homes.PNG]

Step 2: Enable SSH-service

The SSH-server is deactivated by default. Also change the default port to some value of your choosing. Do not activate Telnet!

[Screenshot: enable ssh.PNG]

Step 3: Establish an SSH connection with Putty

By default, password login is allowed for SSH. Therefore we can now establish a connection. Use the IP of your server and whatever port you chose in the previous step. Change nothing else, simply hit 'Open'. A command prompt should open with the question 'login as:'. Enter your username and password here.

[Screenshot: putty.PNG]

Step 4: Store your SSH public key

If all goes according to plan, you should now have a command prompt in front of you. The default location for the SSH login is the user's home folder. What we need to do is add a folder called '.ssh' to the user's home directory and within that folder create a file called 'authorized_keys'. Then we need to set the file permissions very restrictively. If the permissions are not set correctly, sshd will not accept the keys listed in the 'authorized_keys' file.

Run:

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh                  # only the owner may enter the directory
chmod 600 ~/.ssh/authorized_keys  # only the owner may read or write the key list
chmod g-w ~/                      # sshd rejects the keys if the home directory is group-writable

Finally, add your SSH public key as one-line text to 'authorized_keys' using vi. If you are not familiar with vi, do it the following way:

  1. Outside of the ssh shell, copy the key into your clipboard
  2. Open the file in the shell with vi ~/.ssh/authorized_keys
  3. Right click once inside the shell. This should paste the content of the clipboard to the file. Make sure all characters of the key were successfully copied and also check if the key is really on one line.
  4. Save and close vi by entering :x and hitting Enter.

Step 5: Harden your SSH server by editing the config-file

The last step now is to change some configuration settings of the SSH server. Because we will disable password login in this step, you need to make sure all of the above steps were completed. If something is wrong, authentication via the public-key method may fail and you can no longer establish an SSH connection at all. If that happens, enable Telnet to fix whatever is wrong. Just make sure you are in a secure network, and don't forget to disable Telnet once you're done.

Open the ssh-server's config file with
sudo vi /etc/ssh/sshd_config

Once open, look for the following entries and make sure they are not commented out (i.e., there is no '#' at the beginning of the line). Then set the values as follows:

  • PubkeyAuthentication yes
  • AuthorizedKeysFile .ssh/authorized_keys
  • PasswordAuthentication no
  • ChallengeResponseAuthentication no

Apart from disabling password authentication, there are some other settings that can be adjusted for a more secure ssh-server. I strongly recommend you check out this article for more details.

If you need help with vi, have a look at this cheatsheet.

When you're done, save and close with :x + Enter
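Before restarting sshd in the next step, it is worth verifying that the permissions from step 4 and the four directives from step 5 are actually in effect, while password login still works as a fallback. The following script is an added example, not part of the original post; it assumes a GNU or busybox `stat` (as found on DSM) and reads the config file path and home directory as arguments.

```shell
#!/bin/sh
# Added example: sanity-check the Step 4 permissions and the Step 5
# sshd_config directives before sshd is restarted with passwords disabled.

# Print the effective value of a directive. sshd uses the FIRST uncommented
# occurrence of a keyword, so a later "PasswordAuthentication no" does not
# override an earlier "PasswordAuthentication yes".
# Usage: sshd_directive <config-file> <Directive>
sshd_directive() {
    awk -v key="$2" '
        $1 == key && !seen { val = $2; seen = 1 }   # commented lines start with "#", so $1 never matches
        END { print val }' "$1"
}

# Return 0 if every directive listed in Step 5 has the expected value.
# Only the first value of AuthorizedKeysFile is compared.
# Usage: check_sshd_config <config-file>
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in PubkeyAuthentication=yes \
                AuthorizedKeysFile=.ssh/authorized_keys \
                PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_directive "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if <home>/.ssh is mode 700 and authorized_keys is mode 600,
# the modes set in Step 4 and required by sshd's StrictModes check.
# Usage: check_ssh_perms <home-dir>
check_ssh_perms() {
    dir="$1/.ssh"; rc=0
    [ "$(stat -c %a "$dir" 2>/dev/null)" = "700" ] \
        || { echo "FAIL: $dir is not mode 700" >&2; rc=1; }
    [ "$(stat -c %a "$dir/authorized_keys" 2>/dev/null)" = "600" ] \
        || { echo "FAIL: $dir/authorized_keys is not mode 600" >&2; rc=1; }
    return $rc
}

# Typical use on the NAS (hypothetical paths):
#   check_sshd_config /etc/ssh/sshd_config && check_ssh_perms "$HOME" && echo "OK to restart sshd"
```

Run it over /etc/ssh/sshd_config and your home directory; if either check prints FAIL, fix the cause before proceeding to step 6.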

Step 6: Restart sshd

In order for the new settings to take effect, you need to restart the ssh server. Keep in mind that this will terminate your active ssh connections.

sudo synoservicectl --restart sshd

Step 7: Enable Putty support in Kleopatra

The last piece of the puzzle is to enable Putty support in Kleopatra, such that you can use your Yubikey for SSH authentication.

[Screenshot: enable putty support.PNG]

Step 8: Enjoy!

Congratulations! You should now be ready to use Putty the same way as in step 3 to establish a connection to your NAS. After you have entered your username there will no longer be a prompt for a password, but instead a window will open to ask for your Yubikey PIN.
