Synology’s DSM 6 does support ssh logins – but only for administrator users. There is no setting or config file for this: Synology ships a custom version of OpenSSH that prevents anybody but root from logging in. Wow. I don’t know how anybody at Synology thought that would be a good idea, because this just makes people assign superuser privileges to their regular user accounts.
In my use case I want to ssh to my diskstation from a server cronjob, so I would have to leave superuser credentials on a public-internet-facing server 🤦♂️. Let’s not do that. In this post I will go over how to install a vanilla OpenSSH sshd which lets regular users log in via ssh.
While it’s possible to cross-compile and install OpenSSH from source, we will go the easy route and install it via the Optware opkg package manager. First, let’s install opkg itself via the Easy Bootstrap Installer (EBI). Make the Diskstation’s Package Center find EBI by adding https://cphub.net/ as an additional package source. Don’t forget to hit the reload button to fetch the new source.
Then search for EBI and install it. You will have to decide between the Entware and Optware distribution. Choose the one with the more recent OpenSSH. To find out what version is offered, find out your Diskstation’s arch and check the respective package index; you can find them at Entware (mipsel) and Optware-ng (mipsel-ng), respectively. I went with Entware on my DS218.
Next, make sure the ssh and telnet services (we need both!) are enabled in the Control Panel Terminal tab.
Open up a new ssh connection to the Diskstation (mine has diskstation as hostname). Log in as an administrator and run opkg update and opkg install openssh-server-pam (we’ll continue to use Synology’s pam modules like autoblock, so the new sshd needs pam support).
sudo /opt/bin/opkg update
sudo /opt/bin/opkg install openssh-server-pam
My Diskstation’s built-in /bin/sshd has version OpenSSH_7.4p1, OpenSSL 1.0.2u-fips 20 Dec 2019, while opkg installed /opt/sbin/sshd with version OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020.
So far so good. Now we’re getting into more dangerous territory. We need to modify the system’s /etc/passwd, /etc/group and /etc/ssh/sshd_config.
# 1. Add the privilege-separated sshd user
sudo cp /etc/passwd /etc/passwd.orig
echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin' | sudo tee -a /etc/passwd
# 2. Replace /sbin/nologin with /bin/sh
# in /etc/passwd for your non-admin user
# 3. Add the sshd user group
sudo cp /etc/group /etc/group.orig
echo 'sshd:x:74:' | sudo tee -a /etc/group
# 4. Let sshd use the existing host keys
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
sudo sed -i 's/#HostKey /HostKey /g' /etc/ssh/sshd_config
# 5. Make a link to the real sshd_config at the place where the new sshd will look.
sudo mv /opt/etc/ssh/sshd_config /opt/etc/ssh/sshd_config.orig
sudo ln -s /etc/ssh/sshd_config /opt/etc/ssh/sshd_config
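The five steps above as one script that can be rehearsed on copies of the files before it touches /etc. This is an added example, not the post’s own commands: every function takes explicit file paths, refuses to reuse UID 74 if it is already taken, and does nothing on a second run. The function names, the file name prep.sh and the user name mynonadminuser are placeholders chosen here; restrict_user_to_keys goes beyond the post by pinning the non-admin account to public-key logins, which is the natural follow-up for the cronjob use case but must only be applied once that key is installed.

```shell
#!/bin/sh
# Added example, not the post's own commands: the account and sshd_config
# preparation as functions that take explicit file paths, so they can be
# rehearsed on copies of /etc/passwd, /etc/group and /etc/ssh/sshd_config
# before being run for real. Function names and "mynonadminuser" are
# placeholders chosen here; UID/GID 74 follow the post.

SSHD_UID=74
SSHD_GID=74

# Keep a .orig copy next to a file before the first change, as the post does.
backup_once() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig"
}

# Append the privilege-separated sshd account and group. Refuses to continue
# if UID 74 already belongs to someone else, and does nothing on a re-run.
add_sshd_account() {
    passwd_file=$1
    group_file=$2
    if grep -q '^sshd:' "$passwd_file"; then
        echo "sshd user already present in $passwd_file" >&2
    elif cut -d: -f3 "$passwd_file" | grep -qx "$SSHD_UID"; then
        echo "UID $SSHD_UID is already taken in $passwd_file, pick another" >&2
        return 1
    else
        printf 'sshd:x:%s:%s:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\n' \
            "$SSHD_UID" "$SSHD_GID" >> "$passwd_file"
    fi
    grep -q '^sshd:' "$group_file" || printf 'sshd:x:%s:\n' "$SSHD_GID" >> "$group_file"
}

# Give exactly one named user a login shell; every other account keeps /sbin/nologin.
set_login_shell() {
    passwd_file=$1
    user=$2
    grep -q "^$user:" "$passwd_file" || { echo "no such user: $user" >&2; return 1; }
    sed -i "/^$user:/ s#:/sbin/nologin\$#:/bin/sh#" "$passwd_file"
}

# Uncomment the HostKey lines so the new sshd presents the existing host keys
# (clients keep their known_hosts entry instead of seeing a changed key).
enable_host_keys() {
    sed -i 's/^#HostKey /HostKey /' "$1"
}

# Goes beyond the post: pin the non-admin account to public-key logins and
# no forwarding. Run only after its key is installed, or it locks itself out.
restrict_user_to_keys() {
    config=$1
    user=$2
    grep -q "^Match User $user\$" "$config" && return 0
    printf '\nMatch User %s\n    PasswordAuthentication no\n    AllowTcpForwarding no\n    X11Forwarding no\n' \
        "$user" >> "$config"
}

# Real run: sudo sh prep.sh apply
if [ "${1:-}" = "apply" ]; then
    for f in /etc/passwd /etc/group /etc/ssh/sshd_config; do backup_once "$f"; done
    add_sshd_account /etc/passwd /etc/group
    set_login_shell /etc/passwd mynonadminuser
    enable_host_keys /etc/ssh/sshd_config
    # point the opkg sshd at the real config, as in the post
    [ -L /opt/etc/ssh/sshd_config ] || {
        mv /opt/etc/ssh/sshd_config /opt/etc/ssh/sshd_config.orig
        ln -s /etc/ssh/sshd_config /opt/etc/ssh/sshd_config
    }
    # the new binary must accept the config before it is trusted with port 22
    /opt/sbin/sshd -t && echo "sshd_config parses OK"
fi
```

The final sshd -t is the check worth keeping even if you type the steps by hand: a config the new binary rejects would otherwise only show up after the swap, when the old sshd is already gone.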
Time to try it out! Start the new sshd on a free port and see if you can connect to it from your machine.
# check if the new sshd will work
sudo /opt/sbin/sshd -p 22000
ssh mynonadminuser@diskstation -p 22000
Now comes the dicey part that scared me the most: the sshd heart transplantation. We will telnet to the diskstation, stop and kill all sshd processes, and finally replace and start our new sshd binary. Here we go.
# Enter via telnet, not ssh!
# Stop the sshd service and kill remaining processes
sudo /sbin/initctl stop sshd
sudo killall sshd
# Swap out the binary
sudo cp /bin/sshd /bin/sshd.orig
sudo cp /opt/sbin/sshd /bin/sshd
# Start the service again
sudo /sbin/initctl start sshd
# Check the log to see if all that worked out
sudo tail /var/log/upstart/sshd.log
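The same transplant with a safety net, as an added example rather than the post’s own commands: if the restarted service does not come back, the original binary is put back before you are locked out. swap_and_verify works on explicit paths and takes a health-check command, so the rollback logic can be rehearsed on scratch files first; the upstart job name and log path come from the post, while the `initctl status` output format, the file name swap.sh and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not the post's own commands: the binary swap with an automatic
# rollback. swap_and_verify takes explicit paths plus a health-check command,
# so the rollback logic can be rehearsed on scratch files. The DSM-specific
# helpers (initctl/upstart as used in the post, the "running" status grep) are
# assumptions about this setup. Run the real thing from telnet as root, never
# from the ssh session you are about to kill.

# Replace a file by copying next to it and renaming over it. Renaming works
# even if the old binary is still executing, where a plain cp fails with
# "Text file busy".
install_over() {
    cp -p "$1" "$2.tmp" && mv -f "$2.tmp" "$2"
}

# swap_and_verify TARGET NEW_BINARY CHECK_CMD [ARGS...]
# Installs NEW_BINARY over TARGET (keeping TARGET.orig), runs CHECK_CMD and
# restores the original if the check fails. Returns 0 only when the check passed.
swap_and_verify() {
    target=$1
    new_bin=$2
    shift 2
    [ -e "$target.orig" ] || cp -p "$target" "$target.orig"
    install_over "$new_bin" "$target"
    if "$@"; then
        echo "new $target passed the health check" >&2
        return 0
    fi
    echo "health check failed, restoring $target from $target.orig" >&2
    install_over "$target.orig" "$target"
    return 1
}

# Stop the upstart job and anything it left behind.
stop_sshd() {
    /sbin/initctl stop sshd >/dev/null 2>&1 || true
    killall sshd 2>/dev/null || true
}

# Health check for the real swap: the job must report running after a start
# (upstart prints e.g. "sshd start/running, process 1234"; assumed format).
sshd_starts() {
    /sbin/initctl start sshd && sleep 2 && /sbin/initctl status sshd | grep -q 'running'
}

# Real run: sudo sh swap.sh apply (from the telnet session)
if [ "${1:-}" = "apply" ]; then
    stop_sshd
    if swap_and_verify /bin/sshd /opt/sbin/sshd sshd_starts; then
        echo "transplant done, sshd log follows"
    else
        echo "rolled back to the original /bin/sshd, restarting it" >&2
        stop_sshd
        /sbin/initctl start sshd
    fi
    tail /var/log/upstart/sshd.log
fi
```

Keep the telnet session open until you have confirmed an ssh login on port 22 from another machine; the rollback only covers a service that fails to start, not one that starts and then rejects every login.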
Operation successful, patient dead? Let’s check the pulse.
It lives! Wipe the sweat off your forehead, pop the 🍾 and add some finishing touches.
# Add the .ssh dir with correct permissions (run inside the user's home directory)
sudo mkdir -p .ssh
sudo chmod 0700 .ssh
sudo chown -R mynonadminuser:users .ssh
# Copy keys from your machine for sshkey authentication
Congratulations on unchaining your Diskstation! Let me know in the comments how you plan on sshing the station for fun and profit ⬇️.
- Edit 2020-04-22: Corrected sshd_config symlink command, thanks @Babybox!