Synology Forum

SSH can either be enabled using the latest firmware and a patch, or using the recent beta firmware which allows you enable and disable SSH from the web-based management interface.

However, I was a little concerned about the default settings of SSHD, especially if one were to SSH over the internet and not just a local network. First, SSH protocol 1 is enabled which can be a security risk. Second, root login is permitted (which is understandable since regular users can’t seem to SSH in by default. Unfortunately, there are some caveats to disabling root login via SSH, which I discuss at the end of this post). Here are the steps I took to resolve the above issues (I assume you already have SSH working and can login as root or admin. Also, you should know how to use vi, or at least read this introduction):

1. Create a regular user from the web-based management interface if you have not done so already. Let’s say the username is frank.

2. Login as root via SSH.

3. Execute the following from the command line as root:

mkdir /volume1/users
mkdir /volume1/users/frank
cp /root/.profile /volume1/users/frank
chown -R frank:users /volume1/users/frank
vi /volume1/users/frank/.profile

Change the line that reads “HOME=/root” to “HOME=/volume1/users/frank”, then quit saving changes.

4. Execute the following from the command line as root:

cp -p /etc/passwd /etc/passwd.orig
vi /etc/passwd

Change frank’s home directory (entry before the last “:”)from “/nonexist” to “/volume1/users/frank”
and his shell (entry after the last “:”) from “/sbin/nologin” to “/bin/sh”, then quit saving changes.*

5. Make sure you can login as frank by executing the following from the command line as root:

su – frank
echo $HOME

6. Execute the following from the command line as root:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config

Change the line “#Protocol 2,1” to “Protocol 2” and the line “#PermitRootLogin yes” to “PermitRootLogin no”, then quit saving changes (notice we removed the “#” from both lines).

You may also want to adjust the “LoginGraceTime” and “MaxAuthTries” settings, just be sure to remove the leading “#” from those lines.

7. Restart SSHD. If you are using the beta firmware you can disable then enable the service using the web-based management interface. If not, you may be able to use the disable SSH patch, then the enable SSH patch which may restart your NAS device (I have not tested this), or you can simply execute the following from the command line as root:

/usr/syno/etc.defaults/rc.d/ restart

I have not personally tested the above command either, and it may end your SSH session if that is where you execute it from. Alternatively, you could temporarily enable Telnet, login as root to execute the command above, then log out and disable Telnet.

8. Test the changes. If you use “ssh -1 user@host” when connecting to your NAS device, you should get an error that reads something like “Protocol major versions differ: 1 vs. 2”. If you try to SSH in as root, it should prompt you for the password, but give you an error like “Permission denied, please try again.” even if you supply the correct password. Finally, you should be able to login via SSH as your regular user (i.e. frank).

*Please note, that if you change your regular user’s info (like password, etc.) using the web-based management interface, the information in /etc/passwd will revert back to the defaults, which will no longer let you login via SSH using that user. If this happens, don’t panic, you can always SSH in as admin (which should have the same password as root, but not the same privileges). Unfortunately, only root can execute the “su” command, so to allow your regular user to use SSH again you will have to temporarily enable Telnet, login as root, repeat step #4 above, logout and disable Telnet.

Telnet is also the only way to regain root command line access, which is required to edit “/etc/ssh/sshd_config”, should you want to restore root SSH logins at some point. Alternatively, one could install sudo to execute commands as root, but that is beyond the scope of this post.

Hope this helps anyone wanting to secure SSH access. I used information from the following posts to accomplish this:
how to rsync over ssh as an unprivileged user
how restart SSH server

Leave a Reply

Your email address will not be published. Required fields are marked *