2

I've recently purchased the Synology NAS 215j and having problems with SSH.

Root user works as expected I've added my public key to /root/.ssh/authorized_keys...

Problems with non-root user: sshd always asking the password and seems to ignore the key... When I want to use public key authentication only I get Permission denied (publickey).

I've checked the permissions of user's home dir:

$ ll /volume1/homes/
drwx------    7 user001  users       4.0K Dec 16 22:55 user001/
drwx--x--x    5 admin      users       4.0K Dec 16 00:00 admin/

permissions of .ssh/*:

$ ll /volume1/homes/myuser001/.ssh
-rw-------    1 user001 users        725 Dec 16 11:23 authorized_keys

$ ll /volume1/homes/user1
drwx------    2 user001 users       4.0K Dec 16 15:52 .ssh/

/etc/ssh/sshd_config:

Ciphers blowfish-cbc,aes256-cbc,aes256-ctr,aes128-ctr,[email protected],aes192-ctr,[email protected],[email protected],
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected]

Protocol 2
SyslogFacility AUTHPRIV
LogLevel ERROR
LoginGraceTime 60

MaxStartups 2
MaxAuthTries 3
MaxSessions 3

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile    %h/.ssh/authorized_keys
RhostsRSAAuthentication no
IgnoreRhosts yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
TCPKeepAlive yes
ClientAliveInterval 600
ClientAliveCountMax 0
Banner /etc/ssh/issue.net
AllowTcpForwarding no
X11Forwarding no
UsePrivilegeSeparation sandbox
AcceptEnv LANG LC_*
UseDNS no

ChrootDirectory none
Subsystem       sftp    internal-sftp -f DAEMON -u 000

Match User root
    AllowTcpForwarding yes

Verbose output for non-root user logging attempt:

$ ssh user001@nas -p 22222 -vvv

OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to nas [192.168.1.51] port 22222.
debug1: Connection established.
debug1: identity file /Users/user001/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p2-hpn14v4
debug1: match: OpenSSH_6.6p2-hpn14v4 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to nas:22222 as 'skotik'
debug2: compat_kex_proposal: original KEX proposal: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: Compat: skipping algorithm "[email protected]"
debug2: compat_kex_proposal: compat KEX proposal: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug3: put_host_port: [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [nas]:22222
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,ssh-rsa
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: blowfish-cbc,aes256-cbc,aes256-ctr,aes128-ctr,[email protected],aes192-ctr,[email protected],[email protected],
debug2: kex_parse_kexinit: blowfish-cbc,aes256-cbc,aes256-ctr,aes128-ctr,[email protected],aes192-ctr,[email protected],[email protected],
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client [email protected] <implicit> none
debug1: kex: client->server [email protected] <implicit> none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1022/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:SkJiuE7k6Z2ooVXv2cb4PGTeXgh+xNjxMtDG+8Pfqw0
debug3: put_host_port: [192.168.1.51]:22222
debug3: put_host_port: [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [192.168.1.51]:22222
debug1: Host '[nas]:22222' is known and matches the ECDSA host key.
debug1: Found key in /Users/user001/.ssh/known_hosts:9
debug2: bits set: 1027/2048
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /Users/user001/.ssh/id_rsa (0x7ff0b1c15460),
debug2: key: /Users/user001/.ssh/id_dsa (0x0),
debug2: key: /Users/user001/.ssh/id_ecdsa (0x0),
debug2: key: /Users/user001/.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner

DISCONNECT IMMIDIATELY IF YOU ARE NOT AUTHORIZED PERSON!

debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user001/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/user001/.ssh/id_dsa
debug3: no such identity: /Users/user001/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/user001/.ssh/id_ecdsa
debug3: no such identity: /Users/user001/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/user001/.ssh/id_ed25519
debug3: no such identity: /Users/user001/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

Verbose output for successful root login (for comparison):

ssh -p 22222 root@nas -vvv                                                                          
OpenSSH_7.1p1, OpenSSL 1.0.2e 3 Dec 2015
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to nas [192.168.1.51] port 22222.
debug1: Connection established.
debug1: identity file /Users/user001/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user001/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p2-hpn14v4
debug1: match: OpenSSH_6.6p2-hpn14v4 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to nas:22222 as 'root'
debug2: compat_kex_proposal: original KEX proposal: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: Compat: skipping algorithm "[email protected]"
debug2: compat_kex_proposal: compat KEX proposal: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug3: put_host_port: [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [nas]:22222
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,ssh-rsa
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: blowfish-cbc,aes256-cbc,aes256-ctr,aes128-ctr,[email protected],aes192-ctr,[email protected],[email protected],
debug2: kex_parse_kexinit: blowfish-cbc,aes256-cbc,aes256-ctr,aes128-ctr,[email protected],aes192-ctr,[email protected],[email protected],
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client [email protected] <implicit> none
debug1: kex: client->server [email protected] <implicit> none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 990/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:SkJiuE7k6Z2ooVXv2cb4PGTeXgh+xNjxMtDG+8Pfqw0
debug3: put_host_port: [192.168.1.51]:22222
debug3: put_host_port: [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [nas]:22222
debug3: hostkeys_foreach: reading file "/Users/user001/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user001/.ssh/known_hosts:9
debug3: load_hostkeys: loaded 1 keys from [192.168.1.51]:22222
debug1: Host '[nas]:22222' is known and matches the ECDSA host key.
debug1: Found key in /Users/user001/.ssh/known_hosts:9
debug2: bits set: 1035/2048
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: pubkey_prepare: ssh_get_authentication_socket: Connection refused
debug2: key: /Users/user001/.ssh/id_rsa (0x7fc653600860),
debug2: key: /Users/user001/.ssh/id_dsa (0x0),
debug2: key: /Users/user001/.ssh/id_ecdsa (0x0),
debug2: key: /Users/user001/.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner

DISCONNECT IMMIDIATELY IF YOU ARE NOT AUTHORIZED PERSON!

By accessing this system you agree that all your actions
will be monitored and logged.
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user001/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug2: input_userauth_pk_ok: fp SHA256:NWHiMGnH1Sz8K/cLRV9x493V6B6P8+oat6xtwFViZl4
debug3: sign_and_send_pubkey: RSA SHA256:NWHiMGnH1Sz8K/cLRV9x493V6B6P8+oat6xtwFViZl4
Enter passphrase for key '/Users/user001/.ssh/id_rsa':
debug1: Authentication succeeded (publickey).
Authenticated to nas ([192.168.1.51]:22222).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth  list /private/tmp/com.apple.launchd.6o3kYLK89Z/org.macosforge.xquartz:0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 5 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 100 id 0
X11 forwarding request failed on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 87380
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0

Please help! I've spent 3 days googling and didn't find any solution why the same settings work for root user and don't work for regular user... I'm in dispare...

Improve this question

1 Answer 1

Reset to default
1

So I've contacted the Synology Support and they told me that this is going to be changed in DSMv6. And finally it was!

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .