惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

Whexy Blog

We lost the AIxCC. So, what now? Arm VMM with Apple's Hypervisor Framework Driving WaveShare E‐Paper Display with a Raspberry Pi Pico in MicroPython Use cgroup v2 inside docker containers Annual Hit Piece: Fuzzing Top Conference Paper Debunking Report Can SSD Cache Improve Synology NAS Write Speeds? Virtualization is all you need Running Windows Games on Mac Without Virtual Machines Tears of the Kingdom: End of an Era Anonymous CDN Traffic Relay Self-host Relay Service with CDN Home Networking Solution Building Your Own Blog System Connecting Smart Devices to SUSTech Campus Network Function Color Theory Stop Forkin' Around: Faster Creating of Large Processes on Linux PMU Interrupts: How to handle them Asynchronous Mutex Using QEMU to run Linux images on M1 Macbook Alligator In Vest - My first research work Experience Using Several Plugins in Complex LaTeX Projects Variance in Rust Understanding Rust Generic Traits SUSTeam: Ultimate Gaming Platform Inline Assembly Language in C React Learning Notes Building a School Bus Schedule App for Apple Watch 12307 Train Ticket Purchase Platform Sakai and Local Folder Synchronization Building a Super Simple OpenJudge in Two Nights Setting Up Remote Backup for macOS Shell Script for Automatically Logging into SUSTech Campus Network Building a Movie Streaming System in the Dorm
Solving SSH Key Login Issues on Synology NAS
Permission Requirements for authorized_keys · 2023-08-04 · via Whexy Blog

Recently, I encountered a very strange issue. Typically, we can use the ssh-copy-id command to copy public keys to a server and achieve passwordless login. However, on my Synology NAS, despite following the standard procedures, I was unable to achieve key-based login and was constantly prompted to enter a password.

On the internet, some people recommended solutions including:

  1. Ensure the authorized_keys file permissions are set to 600.
  2. Confirm that key login options are enabled in the sshd_config file.
  3. Restart the SSH service to apply the latest sshd_config settings.

Although I was very familiar with all these solutions, when troubleshooting the issue, I carefully checked the configuration multiple times but still could not log in using keys. This left me quite confused.

Faced with the inability to log in using keys, I decided to directly examine the sshd logs for debugging. Here's how to debug sshd:

  1. Start an sshd process on another port with debug logging enabled using the command: /bin/sshd -d -p 2222.
  2. Try connecting to the debug sshd with: ssh <name>@<addr> -p 2222.

Through these steps, I discovered that sshd indeed accepted the key, but encountered ACL (Access Control List) permission errors when reading the .ssh/authorized_keys file, thus rejecting the authentication.

🔐

In most online posts, people mention setting authorized_keys to 600 permissions, but few mention ACL permission requirements. In fact, on my own proxmox virtual machine, I've never had issues even when setting authorized_keys to 777 permissions.

I consulted the authorized_keys documentation to understand the specific permission requirements for this file.

The documentation indicates the following:

  1. The authorized_keys file must belong to the user themselves.
  2. If authorized_keys is located in the user's home directory ~/.ssh, then the home directory ~ itself must be not writable by other non-privileged users, unless the StrictModes option is set to "no".
  3. The authorized_keys file does not necessarily need 600 permissions; this is just recommended in the documentation.

This shows that the permissions of authorized_keys itself are not important, but there are requirements for home directory permissions... who would have thought? 😅

After learning that ACL permissions were causing the problem, I found a blog post describing a similar situation. The author also encountered ACL permission issues because Synology didn't automatically update the ACL permission table after deleting an administrator account.

My situation was more specific: I had set up Alist on Synology to remotely manage files through WebDAV. To achieve this goal, I had to grant the alist user read and write permissions to the homes directory. In the Synology system, the homes directory is the parent directory of all user home directories, located at /var/services/homes.

Traditional file system permissions cannot meet such fine-grained permission requirements: the homes folder itself belongs to the admin user group, and alist is not a member of the admin group. Without using ACL, the only option would be to open public access permissions for everyone.

Of course, this approach violates the authorized_keys requirement that the home directory should not be writable by other unprivileged users.

For the issues caused by ACL permissions, I have three solutions:

  1. Update ACL permission table: If other users don't need to read the home directory, you can right-click on the homes directory in Synology's File Station web interface, select "Properties", and reset permissions. According to the method mentioned in the blog post, you can randomly select a user, add permissions for them, then delete them to update the ACL permission table.
  2. Adjust the authorized_keys location in sshd_config: In the sshd_config configuration file, you can adjust the location of the authorized_keys file. If a relative path is specified, the file is searched relative to the login user's home directory. To solve the problem, we can use an absolute path to place authorized_keys outside the home directory. However, note that since the authorized_keys file must strictly belong to a specific login user, this setting will prevent other users who need SSH login from using key-based login.
  3. Disable the StrictModes option: In sshd_config, disable the StrictModes option. This option determines whether sshd checks the file modes and ownership of the user's files and home directory before accepting login. After disabling this option, sshd no longer performs these checks, which can resolve ACL permission issues.

Ultimately, I adopted the third solution, disabling StrictModes. However, please note that if you disable StrictModes, never expose the SSH port to the public internet, as this would be very dangerous.

© LICENSED UNDER CC BY-NC-SA 4.0