Auteur Topic: Howto secure SFTP using RSA keys  (gelezen 8481 keer)

Offline steven89

  • Bedankjes
  • -Gegeven: 0
  • -Ontvangen: 0
  • Berichten: 2
Howto secure SFTP using RSA keys
« Gepost op: 15 april 2015, 02:11:05 »
Securing SFTP using RSA keys, granting access to only one user account.

Have been busy all day tot setup a secure SFTP connection using RSA keys on my Synology diskstation, to save you the trouble I will show the step I have taken. I found a lot of information in the synology forum, but each time a bit different from what I want.
Steps performed on DSM 5.1-5022, to enable secure use of SFTP with RSA keys using just one user account with internet access. 
Connected at the local network, using a windows machine.
1. Login the diskstation DSM using admin account, create an account, e.g. “control”, make it a member of the administrator group, this becomes the account to perform administrator tasks.
2. Logoff, login using control, disable admin account, create new user account, e.g. sftp-user, this will become the only account that can access diskstation using SFTP.
3. Disable FTP service for all accounts except account “sftp-user”.
4. Terminal, temporarily enable SSH (port 22).
5. Enable SFTP-service, using port 99 (not 22)
6. Using application Putty (maybe download Putty first), login to diskstation using ssh with the local ip address, using account “sftp-user”,  now you are in the home directory of “sftp-user”.
7. Enter command: “ssh-keygen –t rsa”.
A key pair is generated, use default location (.ssh/id_rsa), add strong password.
Enter following commands:
   chmod 700 .ssh
   cd .ssh
   cat id_rsa.pub >> authorized_keys
   rm id_rsa.pub
   chmod 644 authorized_keys
Close putty using command exit
8. If not still logged on to DSM with account control then login again, go to .ssh directory of sftp-user (/homes/sftp-user/.ssh), download file id_rsa (the private key) to your windows machine ( e.g. to directory documents)
9. Using application WinSCP (maybe download and install first), make connection using protocol SCP, enter local ip-address of diskstation, port 22, user root, password for root (same as admin password), login
10. Go to /etc/ssh directory, we will edit file “sshd_config” but first make a copy for safety (e.g. sshd_config_save), then open file sshd_config  by double clicking it
11. In file sshd_config most lines are commented out using a “#”, we search for three lines where we will remove the “#”and make sure they are exactly as follows (maybe change a yes into a no):
PubkeyAuthentication yes
AuthorizedKeysFile  .ssh/authorized_keys
PasswordAuthentication no

Save file, and close the WINSCP connection
12. In WinSCP we select the button “tools”, run PuTTYgen, conversions, import key, now selected the (step 8) saved key id_rsa , enter the password, hit button“Save private key”, save using any name, e.g. “sftp_key.ppk”
13. If not still logged on to DSM with account “control” then login again, go to terminal, uncheck ssh-service, apply, check ssh-service, apply, and again uncheck ssh service, apply, now we are sure that the changes in file sshd_config are executed.
14. Go back to WinSCP to test SFTP using the local network, protocol SFTP, local ip-address of the diskstation, port 99, user sftp-user, advanced (maybe advanced again), Authentication, Private key file, select the saved key  (step 12) with name sftp_key.ppk, OK, login, enter password and you are connected using SFTP and RSA keys; but not yet using the internet.
15 Now login to your router, set port forwarding, I use external port 199 and internal 99 (in DSM we have set port 99 for SFTP, step 5), TCP, enter local ip-address of diskstation, enable, save. Only this one port has to be open for SFTP.
16. Now back to WinSCP, protocol SFTP, internet ip-address of the router, port 199 (port 199 is the external port), user sftp-user, advanced (maybe advanced again), Authentication, Private key file, select the saved key  (step 12) with name sftp_key.ppk, OK, login, enter password and you are connected using SFTP and RSA keys, using the internet!
Using the above steps you can enter the SFTP service of the diskstation from any location, as long as you have you private key (in this example sftp_key.ppk) present . I think it’s a positive thing that only one user account can be used to access the SFTP service of the diskstation, secured with RSA keys and a password.
However, it is no longer possible to login as root (or any other account) to diskstation using ssh. For root access to diskstation you will need to enable telnet, and login using the local network. Another possiblily might be to make a configuration backup of DSM before taking the above steps, I haven’t tested that.

Any suggestions to secure things even more are welcome.
  • Mijn Synology: DS214

Offline m4v3r1ck

  • MVP
  • *
  • Bedankjes
  • -Gegeven: 3031
  • -Ontvangen: 325
  • Berichten: 2.641
  • $ sudo -i
Re: Howto secure SFTP using RSA keys
« Reactie #1 Gepost op: 26 april 2015, 21:17:04 »
Any suggestions to secure things even more are welcome.

104 reads and not 1 reply? I can only suggest to you the English forum:

Synology Inc. Online Community Forum

Cheers
Commander: DS1821+ | DSM 7.2.1-69057 Update 6
SightWinder: DS1821+ | DSM 7.2.1-69057 Update 6 VMM
Wingman:     DS1812+ | DSM 6.2.4-25556 U8
UPS:             APC Back UPS BE850G2-GR (2x)
________________________________________________________________________________
Cheers! - ! I am an advocate of the "if it ain't broke, you didn't fix it enough" modus operandi !

Offline steven89

  • Bedankjes
  • -Gegeven: 0
  • -Ontvangen: 0
  • Berichten: 2
Re: Howto secure SFTP using RSA keys
« Reactie #2 Gepost op: 29 april 2015, 15:28:53 »
Gedaan.
  • Mijn Synology: DS214


 

Howto: Timemachine icm. Synology NAS

Gestart door BjörnBoard Mac OS X

Reacties: 15
Gelezen: 23877
Laatste bericht 05 april 2024, 11:28:22
door Briolet
backup script? howto?

Gestart door mrgoolieBoard Algemeen

Reacties: 2
Gelezen: 2766
Laatste bericht 27 juni 2012, 13:13:23
door mrgoolie
HOWTO's inrichten?

Gestart door ufosynoBoard Vragen en opmerkingen OVER het forum

Reacties: 23
Gelezen: 7771
Laatste bericht 09 augustus 2019, 00:06:41
door Briolet
HOWTO NZBget icm CP, SB, PS ?

Gestart door schumi2004Board NZBGet

Reacties: 6
Gelezen: 7173
Laatste bericht 06 juli 2011, 21:27:02
door bloomberg
DS412+ geheugenuitbreiding howto

Gestart door nomadBoard NAS hardware vragen

Reacties: 11
Gelezen: 8661
Laatste bericht 14 juli 2020, 13:33:15
door Briolet