Over the past couple of weeks I have been getting familiar with our new Synology Diskstation. The story is that our rather disappointing Iomega Home Media Network Hard Drive failed. It was so buggy and hard to log into that neither FT nor I noticed this had happened. I had given up trying regular Time Machine backups to it, but was starting to get freaked out that I hadn’t backed up my MacBook for 62 days.
The Iomega HMNHD has a 3-year warranty with the vendor, but getting a decent response out of them took weeks. I wasn’t really looking forward to the protracted process of exchanging the Iomega, only to receive back a very limited device. In the intervening time, I discovered that Synology NAS can do things that most NAS drives can only dream about. Or rather, I discovered what a high-functioning NAS can do, and that Synology is a great company with good support and a great forum full of information.
I decided to kill two birds with one stone (two flies with one slap, in German) and give myself both an offsite backup for work and a home backup for my MacBook. Did I mention that Squeezebox Server can run on a Synology NAS, that Synology speaks AFP, and that they have had a patch supporting Time Machine under 10.7 Lion for about two months? These people are really in a league of their own.
Now I thought it would be really cool if my lab could log in to the Synology and back up files there as a backup of last resort.
This proved to be really hard because, like any sensible organization, my lab locks down most outbound ports. Strangely, port 5001 seems to be open, so HTTPS administration of the Diskstation is possible. It took me a while to work that out, and a few times I called FT and talked her through logging in to change a setting. I still have to do this to configure our easy.box, but not so much now that I have discovered the simple way to deal with the Diskstation remotely: ssh.
By default only the administrator is allowed to log in by ssh, after enabling it in DSM. Enable telnet as well – you’ll need it to get back in when you lock yourself out of ssh with a single error of case or spelling in the sshd_config file. Two caveats: telnet sends the admin password in the clear, so disable it again once ssh is working; and running sshd -t before you restart sshd makes it parse the config and report syntax errors, which avoids most of those lockouts in the first place.
But once you get over the fear of editing /etc/ssh/sshd_config and /etc/passwd, you can allow any user to log in: change that user’s shell in /etc/passwd to /bin/ash and add the user name to the AllowUsers line in sshd_config, taking note of case. What’s not clear until you put -v (the verbose flag) on the ssh command is that RSA (public key) authentication is enabled by default. But if key-based authentication fails, the DS silently falls back to password authentication, so getting a password prompt does not by itself tell you that the key was rejected.
For most people, the Terminal is not something they want to learn. I next decided to make a password-free login with Automator, the OS X scripting wrapper. For this, authentication with a public/private key pair seems ideal. When I started, I had no idea what a key was, which key had to go where, or whether it could even work. Some great pages helped me out:
Tunneling afp over ssh
How To: SSH Public Key Authentication — Jon’s View
ssh – authorized_keys HOWTO
Especially invaluable was the syntax for forcing protocol 2, which I had to do only once on my office iMac.
Below I note the steps to generate the key pair and make a password-free login. SCP doesn’t work on the Synology, so I fall back on the Finder to place the file. Some people suggest concatenating the key text onto authorized_keys instead; this works well if you already have one public key on the account and want to add a second.
It turns out to be much easier to add the key to a partly privileged user than to a fully privileged admin.
Here we go:
localhost:~ Andrew$ ssh-keygen -t rsa
localhost:~ Andrew$ mv .ssh/id_rsa.pub autho
[connect to remote host using afp, either simple or complex method]
simple == afp://REMOTEHOST because you are on a network where port 548 isn’t blocked
complex == use ssh to tunnel in, as in the link above i.e.
ssh -L 15548:localhost:548 user@REMOTEHOST
open afp://localhost:15548
[drag and drop ‘autho’ using Finder from localhost:~ to remotehost:~]
localhost:~ Andrew$ ssh Andrew@REMOTEHOST
Armando-II> mkdir .ssh
Armando-II> mv autho .ssh/authorized_keys
Armando-II> cd .ssh
Armando-II> more authorized_keys
ssh-rsa iiiiiiiiiiiiiii……iiiiiixxxxxxx== Andrew@localhost
Armando-II> chmod 600 authorized_keys
Armando-II> cd ..
Armando-II> chmod 700 .ssh
Armando-II> exit
Connection to REMOTEHOST closed.
### password-free login follows!
localhost:~ Andrew$ ssh Andrew@REMOTEHOST
BusyBox v1.16.1 (2011-09-04 02:18:34 CST) built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
That was very straightforward in the end.
Now one can use an Automator script to log on!
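As an added example (it is not code from the original post, nor anything Synology ships), here is the whole authorized_keys step done over an ssh session alone, which sidesteps the Finder/AFP copy and implements the “concatenate onto authorized_keys” approach mentioned above in an idempotent way. It also adds the check the silent password fallback noted earlier calls for: a BatchMode login that refuses every prompt, so if the key is not what logged you in the script fails loudly instead of an Automator workflow quietly asking for a password. The REMOTE and PUBKEY variables, the function names and the sample key used in the dry run are all assumptions for this example; the remote side only needs a shell (here BusyBox ash) plus mkdir, touch, grep, printf and chmod.

```shell
#!/bin/sh
# Added example, not part of the original post. Installs a public key into a
# remote account's ~/.ssh/authorized_keys using nothing but an ssh session,
# then verifies that key authentication (not the password fallback) works.
# Assumptions: REMOTE is user@host for the NAS, PUBKEY is your public key.

# Script text that runs ON THE REMOTE SIDE. It is quoted ('EOF') so $HOME is
# expanded there, not here. Keys arrive on stdin, one per line; each line is
# appended only if that exact line is not already present, so re-running is
# safe. Permissions matter: sshd's StrictModes ignores an authorized_keys that
# is group- or world-writable, which produces exactly the silent password
# fallback described in the post.
remote_install_script() {
  cat <<'EOF'
umask 077
mkdir -p "$HOME/.ssh"
touch "$HOME/.ssh/authorized_keys"
while IFS= read -r key || [ -n "$key" ]; do
  case $key in ""|"#"*) continue ;; esac
  grep -qxF "$key" "$HOME/.ssh/authorized_keys" \
    || printf '%s\n' "$key" >> "$HOME/.ssh/authorized_keys"
done
chmod 700 "$HOME/.ssh"
chmod 600 "$HOME/.ssh/authorized_keys"
EOF
}

# Dry run: apply the same script to a local directory standing in for the
# remote home, so you can see what it does before touching the NAS.
install_key_into_home() {
  home_dir=$1; pubkey=$2
  HOME="$home_dir" sh -c "$(remote_install_script)" < "$pubkey"
}

# Real run: the script travels as the ssh command string and the key travels
# on stdin, so no scp is needed. Expect one password prompt here, then none.
install_key_remote() {
  remote=$1; pubkey=$2
  ssh "$remote" "$(remote_install_script)" < "$pubkey"
}

# Prove the key is what logs you in. BatchMode forbids any prompt and the
# other options disable every password-style method, so a rejected key fails
# here with "Permission denied" instead of degrading to a password login.
verify_key_auth() {
  remote=$1
  ssh -o BatchMode=yes -o PasswordAuthentication=no \
      -o ChallengeResponseAuthentication=no -o PubkeyAuthentication=yes \
      "$remote" true
}

# Helpers for inspecting the result of a dry run.
count_keys() { grep -c '^ssh-' "$1/.ssh/authorized_keys"; }
mode_of()    { ls -ld "$1" | cut -c1-10; }

# Only talk to a real host when REMOTE is set; otherwise this file just
# defines the functions above.
if [ -n "${REMOTE:-}" ]; then
  PUBKEY=${PUBKEY:-"$HOME/.ssh/id_rsa.pub"}
  install_key_remote "$REMOTE" "$PUBKEY"
  if verify_key_auth "$REMOTE"; then
    echo "key authentication works for $REMOTE"
  else
    echo "key authentication FAILED for $REMOTE (check permissions, AllowUsers, ssh -v)" >&2
    exit 1
  fi
fi
```

Usage: REMOTE=Andrew@REMOTEHOST sh install-key.sh. If verify_key_auth fails while a plain ssh still lets you in, that plain login was the password fallback; ssh -v on the client and the permission bits on the NAS are the first things to check.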