3

On my Synology (DSM 6.2.2-24922), I have 3 users:

  • admin (disabled ssh and login)
  • user1 (my new admin user, recommended by Synology)
  • user2 (not admin)

I can connect through ssh with user1 but not with user2.

I edited /etc/passwd to replace /sbin/nologin:

user1:x:1026:100:Administrator:/var/services/homes/user1:/bin/sh
user2:x:1035:100::/var/services/homes/user2:/bin/sh

I can su user2 from user1 and ls its home directory:

sudo su - user2

But ssh command always returns Permission denied:

user2@my.domain.com's password:
debug1: Authentication succeeded (password).
Authenticated to my.domain.com ([123.123.123.123]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
Permission denied, please try again.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to my.domain.com closed.
Transferred: sent 2204, received 2744 bytes, in 0.1 seconds
Bytes per second: sent 23710.3, received 29519.5
debug1: Exit status 1

Any leads?

jootl

1 Answer

2

To log in via ssh, the user must be in the "administrators" group. If you look at /etc/ssh/sshd_config on the Synology you will see an AllowGroups line that sets up this restriction. If you put user2 into the administrators group, they will be able to log in with ssh. Putting a user into the administrators group will automatically change their shell (the last field on their line in /etc/passwd) from /sbin/nologin to /bin/bash.

My Synology sshd configuration allows a second group, "ssh_users", but I have not tested that at all.

If you play around with this, be aware that manual changes to user properties in files like /etc/passwd and /etc/group are often undone if you modify the user in DSM, and sometimes if you make apparently unrelated changes in DSM. Sometimes an upgrade will undo manual changes too.

kauer
  • Thanks! I updated my user to put him in the `administrator` group and it worked. For information, before the last update (< 6.2.2-24922) I could connect with `user2` over ssh (and the update reset all my settings once more). But I didn't remember (and I'm not sure) that I had to put him in the admin group ¯\_(ツ)_/¯ – jootl May 24 '19 at 07:59
  • 2
    I suppose it should be said that putting someone in the administrators group does make them an administrator... so they are not really an ordinary user any more. They will have privileges on your NAS that you may not want them to have. If you have time to do so, maybe investigate the ssh_users idea... – kauer May 24 '19 at 13:20
  • Yes, I will use a group, especially since I created user2 not to be an admin :) For now I have neither an ssh group nor AllowGroups, so I have to create a new group and add it to the ssh config. – jootl May 27 '19 at 13:01
  • I tried a lot, but it still doesn't work to enable a non-admin-group user to connect over ssh. I edited the user in passwd to /bin/sh, restarted the ssh-shell via synoservice --restart, and sshd_config doesn't contain an AllowGroups. – Kuronashi Dec 25 '19 at 09:59
  • @Kuronashi Sorry, I cannot help you; I left my user in administrator – jootl Jan 09 '20 at 09:03
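
The AllowGroups restriction described in the answer can be checked against copies of the three files before changing anyone's group membership. This is an added example, not part of the original posts: the function names, verdict strings, user3, the gids and the memberships are constructed, and it assumes AllowGroups entries are plain names or wildcards (no negated patterns, no Match blocks).

```shell
#!/bin/sh
# Added example: would sshd's AllowGroups, plus the login shell, admit this user?
# Args: user sshd_config group_file passwd_file. Prints one verdict word.
ssh_login_check() {
    user=$1 cfg=$2 grp=$3 pw=$4
    entry=$(awk -F: -v u="$user" '$1 == u' "$pw")
    [ -n "$entry" ] || { echo "unknown-user"; return 0; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $shell in
        */nologin|*/false) echo "no-login-shell"; return 0 ;;
    esac
    # Primary group (matched by gid) plus supplementary groups (member list).
    ugroups=$(awk -F: -v u="$user" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$grp")
    # Keywords are case-insensitive; commented-out lines never match.
    allowed=$(awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$cfg")
    [ -n "$allowed" ] || { echo "allowed-no-group-restriction"; return 0; }
    (   set -f   # stop patterns such as ssh_* expanding against file names
        for g in $ugroups; do
            for pat in $allowed; do
                case $g in $pat) echo "allowed-via-$g"; exit 0 ;; esac
            done
        done
        echo "denied-group" )
}

# Constructed sample files (user3, the gids and the memberships are made up).
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'user1:x:1026:100:Administrator:/var/services/homes/user1:/bin/sh' \
        'user2:x:1035:100::/var/services/homes/user2:/bin/sh' \
        'user3:x:1036:100::/var/services/homes/user3:/sbin/nologin' > "$d/passwd"
    printf '%s\n' 'users:x:100:' 'administrators:x:101:admin,user1' \
        'ssh_users:x:65536:' > "$d/group"
    printf '%s\n' '#AllowGroups old' 'AllowGroups administrators ssh_users' > "$d/sshd_config"
    echo "$d"
}

d=$(make_sample)
for u in user1 user2 user3; do
    printf '%s: %s\n' "$u" "$(ssh_login_check "$u" "$d/sshd_config" "$d/group" "$d/passwd")"
done
rm -rf "$d"
```

A verdict of `allowed-no-group-restriction` means the file has no active AllowGroups line, so a refusal must come from some other control.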