Private-Public-Key-Authentication with OpenSSH in ffp

If you have to log in to your NAS frequently, you might want to automate the process a little. One of the features of OpenSSH is authentication via private/public key, which this tutorial describes for the user "root". You can of course adapt the tutorial to other users.

Changing the home of the user
By default, the home directory of the user "root" is set to /home, which is located in the internal flash memory. This memory is deleted every time the device is rebooted, so the home directory of the root user should be moved to the ffp directory.

mkdir -p /ffp/home/root/
usermod -d /ffp/home/root/ root
store-passwd.sh

You need to repeat the last two steps every time your firmware gets upgraded.

Generating the keypair

mkdir /ffp/home/root/.ssh
cd /ffp/home/root/.ssh

There are now two choices for the key: with a password (which can be entered automatically by ssh-agent or PuTTY Pageant) or without a password. Both ways are described below; each generates two files named keypair and keypair.pub, which contain the private and public key needed for the authentication:

  • Without Password (-N '' sets an empty password)
    ssh-keygen -f keypair -C 'Generated by nas-tweaks.net' -N '' -t rsa -q
  • With Password (ssh-keygen prompts for the password)
    ssh-keygen -f keypair -C 'Generated by nas-tweaks.net' -t rsa -q

Activating authorized_keys in SSH
Open /ffp/etc/ssh/sshd_config and search for the following line:

#PubkeyAuthentication yes

And remove the comment:

PubkeyAuthentication yes

Moving the generated keys to authorized_keys

touch authorized_keys
chmod 600 authorized_keys
cat keypair.pub >> authorized_keys
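
To confirm that the server side ended up as described so far, the following check can be run; it is an added example, not part of the original tutorial, and the function name audit_pubkey_setup and the sample data are assumptions. On the NAS it would be called as audit_pubkey_setup /ffp/etc/ssh/sshd_config /ffp/home/root/.ssh.

```shell
#!/bin/sh
# Added example: audits the files this tutorial creates. Not from the original page.
# Assumption: no Match blocks in sshd_config; the first uncommented keyword wins.

# Permission bits of a path as ls prints them, e.g. "rw-------".
perms() { ls -ld "$1" | cut -c2-10; }

# audit_pubkey_setup SSHD_CONFIG SSH_DIR -> prints findings, returns the FAIL count.
audit_pubkey_setup() {
    cfg=$1 dir=$2 fails=0
    val=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$cfg")
    case $val in
        yes) echo "OK   PubkeyAuthentication yes" ;;
        "")  echo "WARN PubkeyAuthentication is commented out or missing" ;;
        *)   echo "FAIL PubkeyAuthentication $val"; fails=$((fails + 1)) ;;
    esac
    # With StrictModes (the OpenSSH default), sshd refuses keys when .ssh
    # is writable by group or others.
    case $(perms "$dir") in
        ????-??-?) echo "OK   $dir is not group/world writable" ;;
        *) echo "FAIL $dir is group/world writable: chmod 700"; fails=$((fails + 1)) ;;
    esac
    # authorized_keys and the private key should be accessible to the owner only.
    for f in authorized_keys keypair; do
        [ -e "$dir/$f" ] || continue
        case $(perms "$dir/$f") in
            ???------) echo "OK   $f is private to its owner" ;;
            *) echo "FAIL $f is accessible to group/others: chmod 600"; fails=$((fails + 1)) ;;
        esac
    done
    # The public key must be listed, as a whole line, in authorized_keys.
    if [ -f "$dir/keypair.pub" ] && ! grep -qxFf "$dir/keypair.pub" "$dir/authorized_keys" 2>/dev/null; then
        echo "FAIL keypair.pub is not in authorized_keys"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: config line still commented, authorized_keys left at 644.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 700 "$demo/.ssh"
echo '#PubkeyAuthentication yes' > "$demo/sshd_config"
echo 'ssh-rsa AAAAconstructed Generated by nas-tweaks.net' > "$demo/.ssh/keypair.pub"
cp "$demo/.ssh/keypair.pub" "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/authorized_keys"
audit_pubkey_setup "$demo/sshd_config" "$demo/.ssh" || echo "problems found: $?"
rm -rf "$demo"
```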

Adding the private Key to the client
To copy the private keyfile to the client, you can choose between different ways depending on the available OS and programs.

  • Windows
    Download and install WinSCP and connect to your NAS device. Copy the file ~/.ssh/keypair to a secure location on the client.
  • Linux
    On the NAS device, enter the following command with your credentials to copy the key to the client "remote-system", where it is stored as ~/.ssh/keypair with owner-only permissions:
    cat ~/.ssh/keypair | ssh user@remote-system 'umask 077; mkdir -p ~/.ssh; cat >~/.ssh/keypair'