Securing SFTP using RSA keys, granting access to only one user account.
I have been busy all day setting up a secure SFTP connection using RSA keys on my Synology diskstation; to save you the trouble I will show the steps I have taken. I found a lot of information in the Synology forum, but each time it was a bit different from what I want.
Steps performed on DSM 5.1-5022 to enable secure use of SFTP with RSA keys, using just one user account with internet access.
Connected to the local network, using a Windows machine.
1. Log in to the diskstation DSM using the admin account, create an account, e.g. “control”, and make it a member of the administrators group; this becomes the account for performing administrator tasks.
2. Log off, log in using control, disable the admin account, create a new user account, e.g. sftp-user; this will become the only account that can access the diskstation using SFTP.
3. Disable the FTP service for all accounts except account “sftp-user”.
4. In Terminal, temporarily enable SSH (port 22).
5. Enable the SFTP service, using port 99 (not 22).
6. Using the application PuTTY (maybe download PuTTY first), log in to the diskstation over SSH with the local IP address, using account “sftp-user”; you are now in the home directory of “sftp-user”.
7. Enter the command: “ssh-keygen -t rsa”.
A key pair is generated; use the default location (.ssh/id_rsa) and add a strong password.
Enter following commands:
chmod 700 .ssh
cd .ssh
cat id_rsa.pub >> authorized_keys
rm id_rsa.pub
chmod 644 authorized_keys
Close PuTTY using the command exit.
8. If not still logged on to DSM with account control, then log in again, go to the .ssh directory of sftp-user (/homes/sftp-user/.ssh), and download the file id_rsa (the private key) to your Windows machine (e.g. to the directory Documents).
9. Using the application WinSCP (maybe download and install it first), make a connection using protocol SCP, enter the local IP address of the diskstation, port 22, user root, password for root (same as the admin password), login.
10. Go to the /etc/ssh directory; we will edit the file “sshd_config”, but first make a copy for safety (e.g. sshd_config_save), then open the file sshd_config by double clicking it.
11. In the file sshd_config most lines are commented out using a “#”; we search for three lines where we will remove the “#” and make sure they are exactly as follows (maybe changing a yes into a no):
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Save the file and close the WinSCP connection.
12. In WinSCP select the button “Tools”, run PuTTYgen, Conversions, Import key, now select the key id_rsa saved in step 8, enter the password, hit the button “Save private key”, and save it using any name, e.g. “sftp_key.ppk”.
13. If not still logged on to DSM with account “control”, then log in again, go to Terminal, uncheck the SSH service, apply, check the SSH service, apply, and again uncheck the SSH service, apply; now we are sure that the changes in the file sshd_config have taken effect.
14. Go back to WinSCP to test SFTP using the local network: protocol SFTP, local IP address of the diskstation, port 99, user sftp-user, Advanced (maybe Advanced again), Authentication, Private key file, select the saved key (step 12) with name sftp_key.ppk, OK, login, enter the password and you are connected using SFTP and RSA keys; but not yet over the internet.
15. Now log in to your router and set port forwarding; I use external port 199 and internal port 99 (in DSM we have set port 99 for SFTP, step 5), TCP, enter the local IP address of the diskstation, enable, save. Only this one port has to be open for SFTP.
16. Now back to WinSCP: protocol SFTP, internet IP address of the router, port 199 (port 199 is the external port), user sftp-user, Advanced (maybe Advanced again), Authentication, Private key file, select the saved key (step 12) with name sftp_key.ppk, OK, login, enter the password and you are connected using SFTP and RSA keys, over the internet!
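As an added example (my own script, not part of the original post), here is a small POSIX shell script that checks whether steps 7 and 11 were actually applied: it reads the sshd_config and the sftp-user home directory passed as arguments and reports any deviation from the values above. It assumes POSIX find/awk/grep and the paths from the post (/etc/ssh/sshd_config, /homes/sftp-user); the script name check_sftp_setup.sh is my own.

```shell
#!/bin/sh
# Added verification script, not from the original post. It checks the outcome of
# step 7 (.ssh layout and modes) and step 11 (the three sshd_config directives);
# it only reads the files passed as arguments and changes nothing on the system.

# Effective value of an sshd directive: the first uncommented occurrence wins and
# names are case-insensitive, which is how sshd itself resolves them.
sshd_value() {  # $1 = sshd_config path, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Step 11: report every directive that differs from the required value; returns 1 on any mismatch.
check_sshd_config() {  # $1 = sshd_config path
    rc=0
    for pair in PubkeyAuthentication=yes \
                AuthorizedKeysFile=.ssh/authorized_keys \
                PasswordAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-unset/commented}'"
            rc=1
        fi
    done
    return $rc
}

# Step 7: .ssh must be mode 700, authorized_keys mode 644 with at least one RSA key,
# and the temporary id_rsa.pub must be gone. find -perm with an exact mode is POSIX.
check_ssh_dir() {  # $1 = home directory of the SFTP-only user
    rc=0
    d="$1/.ssh"
    [ -d "$d" ] || { echo "MISSING $d"; return 1; }
    find "$d" -prune -perm 700 | grep -q . || { echo "BAD mode on $d (want 700)"; rc=1; }
    [ -f "$d/authorized_keys" ] || { echo "MISSING $d/authorized_keys"; return 1; }
    find "$d/authorized_keys" -prune -perm 644 | grep -q . \
        || { echo "BAD mode on authorized_keys (want 644)"; rc=1; }
    grep -q '^ssh-rsa ' "$d/authorized_keys" || { echo "NO RSA key in authorized_keys"; rc=1; }
    [ ! -e "$d/id_rsa.pub" ] || { echo "LEFTOVER $d/id_rsa.pub (step 7 removes it)"; rc=1; }
    return $rc
}

# Usage on the diskstation (paths as in the post): sh check_sftp_setup.sh /etc/ssh/sshd_config /homes/sftp-user
if [ $# -eq 2 ]; then
    check_sshd_config "$1"; a=$?
    check_ssh_dir "$2"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "OK: setup matches steps 7 and 11"
fi
```

Run it over SSH while the service is still enabled (step 13 disables SSH again afterwards); every line it prints is one thing that still differs from the post.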
Using the above steps you can reach the SFTP service of the diskstation from any location, as long as you have your private key (in this example sftp_key.ppk) present. I think it’s a positive thing that only one user account can be used to access the SFTP service of the diskstation, secured with RSA keys and a password.
However, it is no longer possible to log in as root (or any other account) to the diskstation using SSH. For root access to the diskstation you will need to enable telnet and log in using the local network. Another possibility might be to make a configuration backup of DSM before taking the above steps; I haven’t tested that.
Any suggestions to secure things even more are welcome.