On my Synology (DSM 6.2.2-24922), I have 3 users:
admin (disabled ssh and login)
user1 (my new admin user, recommended by Synology)
user2 (not admin)
I can connect through ssh with user1 but not with user2.
I edited /etc/passwd to replace /sbin/nologin:
user1:x:1026:100:Administrator:/var/services/homes/user1:/bin/sh
user2:x:1035:100::/var/services/homes/user2:/bin/sh
I can su user2 from user1 and ls its home directory:
sudo su - user2
But ssh command always returns Permission denied:
user2@my.domain.com's password:
debug1: Authentication succeeded (password).
Authenticated to my.domain.com ([123.123.123.123]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
Permission denied, please try again.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to my.domain.com closed.
Transferred: sent 2204, received 2744 bytes, in 0.1 seconds
Bytes per second: sent 23710.3, received 29519.5
debug1: Exit status 1
Any leads?
Best Answer
To log in via ssh, the user must be in the "administrators" group. If you look at /etc/ssh/sshd_config on the Synology you will see an AllowGroups line that sets up this restriction. If you put user2 into the administrators group, they will be able to log in with ssh. Putting a user into the administrators group will automatically change their shell (the last field on their line in /etc/passwd) from /sbin/nologin to /bin/bash.
My Synology sshd configuration allows a second group, "ssh_users", but I have not tested that at all.
If you play around with this, be aware that manual changes to user properties in files like /etc/passwd and /etc/group are often undone if you modify the user in DSM, and sometimes if you make apparently unrelated changes in DSM. Sometimes an upgrade will undo manual changes too.
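The group check described in the answer above, as an added example that is not part of the original answer or of DSM: it reads AllowGroups from an sshd_config and compares it with a user's primary and supplementary groups. The function names and the sample files (including the administrators GID) are constructed for illustration; Match blocks, wildcard patterns and negations in AllowGroups are not handled.

```shell
#!/bin/sh
# Added example: would sshd's AllowGroups admit this user? Paths are arguments.

# Print the groups listed on every AllowGroups line (keyword is case-insensitive).
allowed_groups() {  # allowed_groups SSHD_CONFIG
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print the user's primary group (passwd field 4) and supplementary groups.
user_groups() {  # user_groups PASSWD GROUP USER
    awk -F: -v u="$3" '
        NR == FNR { if ($1 == u) { gid = $4; found = 1 }; next }
        {
            hit = (found && $3 == gid)
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) hit = 1
            if (hit) print $1
        }' "$1" "$2"
}

# Exit 0 and name the matching group if the user passes AllowGroups, else exit 1.
ssh_group_check() {  # ssh_group_check SSHD_CONFIG PASSWD GROUP USER
    allow=$(allowed_groups "$1")
    if [ -z "$allow" ]; then
        echo "no AllowGroups restriction"
        return 0
    fi
    # -F -x: literal whole-line match; each line of $allow is one pattern.
    match=$(user_groups "$2" "$3" "$4" | grep -Fx -e "$allow" | head -n 1)
    if [ -n "$match" ]; then
        echo "allowed via $match"
        return 0
    fi
    echo "denied by AllowGroups"
    return 1
}

# Constructed sample files; the passwd lines are the ones from the question.
d=$(mktemp -d)
printf 'Port 22\nAllowGroups administrators\n' > "$d/sshd_config"
printf '%s\n' 'user1:x:1026:100:Administrator:/var/services/homes/user1:/bin/sh' \
    'user2:x:1035:100::/var/services/homes/user2:/bin/sh' > "$d/passwd"
printf '%s\n' 'users:x:100:' 'administrators:x:101:admin,user1' > "$d/group"
for u in user1 user2; do
    printf '%s: ' "$u"
    ssh_group_check "$d/sshd_config" "$d/passwd" "$d/group" "$u" || true
done
rm -rf "$d"
```

On a live system, point the three path arguments at /etc/ssh/sshd_config, /etc/passwd and /etc/group.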