A blog

Give ssh access to non-admin Synology users

Synology’s DSM 6 does support ssh logins – but only for administrator users. There is no setting or config file for this: Synology ship a custom version of OpenSSH that prevents anybody but root from logging in. Wow. I don’t know how anybody at Synology thought that would be a good idea, because this just makes people assign superuser privileges to their regular user accounts.
In my use case I want to ssh to my diskstation from a server cronjob, so I would have to leave superuser credentials on an public-internet facing server 🤦‍♂️. Let’s not do that. In this post I will go over how to install a vanilla OpenSSH sshd which enables regular users to log in via ssh.

While it’s possible to cross-compile and install OpenSSH from source, we will go the easy route and install it via the Optware opkg package manager. First, let’s install opkg itself via the Easy Bootstrap Installer (EBI). Make the Diskstation’s Package Center find EBI by adding https://cphub.net/ as an additional package source. Don’t forget to hit the reload button to fetch the new source.

The DSM Package Center settings window with "cphub.net" added as package source
Add the Community Package Hub to the Package Cetner sources.

Search for EBI and install it. You will have to decide between the Entware and Optware distribution. Choose the one with the more recent OpenSSH. To find out what version is offered, find out your Diskstation’s arch and check the respective package index. You can find them at Entware (mipsel), and Optware-ng (mipsel-ng), respectively. I went with Entware on my DS218.

Next, make sure the ssh and telnet services (we need both!) are enabled in the Control Panel Terminal tab.

The DSM Control Panel with ssh and telnet services enabled
The Control Panel allows to enable ssh – but only for admins.

Open up a new ssh connection to the Diskstation (mine has diskstation as hostname). Log in as admin to opkg update and opkg install openssh-server-pam (we’ll continue to use Synology’s pam modules like autoblock, so the new sshd needs pam support).

ssh admin@diskstation

sudo /opt/bin/opkg update
sudo /opt/bin/opkg install openssh-server-pam

My Diskstation’s built-in /bin/sshd has version OpenSSH_7.4p1, OpenSSL 1.0.2u-fips 20 Dec 2019, while opkg installed /opt/sbin/sshd with version OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020.

So far so good. Now we’re getting into more dangerous territories. We need to modify the system’s /etc/passwd, /etc/group, and /etc/ssh/sshd_config files.

# 1. Add the privilege-separated sshd user
sudo cp /etc/passwd /etc/passwd.orig
echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
' | sudo tee -a /etc/passwd

# 2. Replace /sbin/nologin with /bin/sh
# in /etc/passwd for your non-admin user

# 3. Add the sshd user group
sudo cp /etc/group /etc/group.orig
echo 'sshd:x:74:' | sudo tee -a /etc/group

# 4. Let sshd use the existing host keys
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
sudo sed -i 's/#HostKey /HostKey /g' /etc/ssh/sshd_config

# 5. Make a link to the real sshd_config at the place where the new sshd will look.
sudo mv /opt/etc/ssh/sshd_config /opt/etc/ssh/sshd_config.orig
sudo ln -s /etc/ssh/sshd_config /opt/etc/ssh/sshd_config

Time to try it out! Start the new sshd on a free port and see if you can connect to it from your machine.

# check if the new sshd will work
sudo /opt/sbin/sshd -p 22000

ssh mynonadminuser@diskstation -p 22000

Now comes the dicey part that scared me the most: The sshd heart transplantation. We will telnet to the diskstation, stop and kill all sshd processes, and finally replace and start our new sshd binary. Here we go.

# Enter via telnet, not ssh!
telnet diskstation

# Stop the sshd service and kill remaining processes
sudo /sbin/initctl stop sshd
sudo killall sshd

# Swap out the binary
sudo cp /bin/sshd /bin/sshd.orig
sudo cp /opt/sbin/sshd /bin/sshd

# Start the service again
sudo /sbin/initctl start sshd

# Check the log to see if all that worked out
sudo tail /var/log/upstart/sshd.log

Operation successful, patient dead? Let’s check the pulse.

ssh mynonadminuser@diskstation

It lives! Wipe the sweat off your forehead, pop the 🍾 and add some finishing touches.

ssh admin@diskstation

# Add the .ssh dir with correct permissions
cd ../mynonadminuser
mkdir .ssh
sudo chmod 0700 .ssh
sudo chown -R mynonadminuser:users .ssh
# Copy keys from your machine for sshkey authentication
ssh-copy-id mynonadminuser@diskstation

Congratulations on unchaining your Diskstation! Let me know in the comments how you plan on sshing the station for fun and profit ⬇️.

  • Edit 2020-04-22: Corrected sshd_config symlink command, thanks @Babybox!
«
%d bloggers like this: