Using SSH key authentification on a Synology NAS for remote rsync backups

Synology DiskStations are awesome. The DSM web interface is both powerful and easy to use and is constantly improving. One thing I have struggled with, though, has been setting up public key authentification in order to allow automated scripts to push backups to the NAS via rsync. Here is how it can be done.

First, two things to keep in mind :

  • By default, root is not allowed to connect, you need to connect with another user and use sudo su (type the password of the user you are connected with, not the root password).
  • Only members of the administrators group are allowed to connect by SSH. However, even non-administrators can use the rsync service.

Public key authentification is disabled by default, you will need to enable it :

  • make sure the SSH service is enabled in Control panel > Terminal & SNMP > Enable SSH service
  • set up a user account if you don’t already have one (mine will be called foaly) and temporarily add it to the administrators group using Control panel > User > foaly > Edit > User groups)
  • log into the NAS via SSH : ssh foaly@[nas-ip] in a Linux terminal or use Putty on Windows
  • log into a root session : sudo su
  • edit the SSH service config : vim /etc/ssh/sshd_config
  • uncomment the lines PubkeyAuthentication yes and AuthorizedKeysFile .ssh/authorized_keys (make sure not to change anything else, otherwise you could lock yourself out of SSH)
  • restart the SSH service, either using synoservicectl --restart sshd or by disabling and re-enabling the SSH service in Control panel > Terminal &SNMP
  • if you added your user to the administrators group at the beginning of this procedure, you can now remove it form the group (except if this is the same user you want to add keys to, keep reading)

Now that public key authentification is enabled, you need to exchange keys for each host and user that need to be able to automatically authenticate. Let’s assume you want to allow a remote server to authenticate with the user backup :

  • add the backup user to the administrators group
  • connect to the server and generate a key pair if don’t have one already : ssh-keygen -t rsa
  • copy the public key to the NAS : ssh-copy-id backup@[nas-ip] (you will need to enter the password of the backup user)
  • this is important : connect to the NAS by SSH and check the files permissions :
    • chmod 0711 ~
    • chmod 0711 ~/.ssh
    • chmod 0600 ~/.ssh/authorized_keys
  • now, the authentification should work : from the server, try to log in to the NAS (ssh backup@nas-ip) and check that it logs in without requiring a password
  • if you only want to use rsync with this user (not SSH) you can now remove the backup user from the administrators group

In order to push data via rsync on the NAS, here are the steps to follow :

  • make sure the rsync service is enabled in Control panel > File Services > rsync > Enable rsync service (do not check Enable rsync account)
  • choose (create if necessary) the shared folder you want to push to, for example Backups
  • fire rsync with something like this : rsync -az /var/www backup@[nas-ip]:/volume1/Backups/

Here is an example of a more complex rsync command :
rsync -az -e "ssh -p 23342" --backup --backup-dir="rsync_bak_`date '+%F_%H-%M'`" --exclude 'tmp*' --exclude 'cache*' --exclude 'logs' /var/www backup@[nas-ip]:/volume1/Backups/

This will :

  • connect to the randomly-chosen port 23342 : this is useful if your NAS is an a local network behind a router/firewall/NAT, you can configure the NAT to redirect the external port 23342 to the port 22 on the NAS (this can make your configuration safer against bots looking for open SSH ports to exploit)
  • keep a copy of the previous version of each modified file in a dedicated folder with the current date, every time the backup is performed
  • exclude some useless directories from the backup

Leave a Reply

Your email address will not be published. Required fields are marked *