Synology usage series 18: Install sudo to secure the Diskstation


I need to ssh to my NAS from a remote location to perform administration.

The ‘su’ command provided by Synology is restricted to root only, so it is necessary to log in as root in order to perform administration.

However, it is not good security practice to allow logging in directly as root. To overcome this, we can install sudo from ipkg.

First ssh or telnet to the diskstation as root.

# ipkg update
# ipkg install sudo

By default, only root is allowed to execute sudo. To allow a specific user to execute sudo, for example user ‘ray’, add the following line to the config file:

# vi /opt/etc/sudoers

ray ALL=(ALL) ALL

This will allow user ray to execute the sudo command.

Since we can execute su through sudo, we are no longer required to log in as root directly. We can safely disable the root login now. Edit the ssh config file:

# vi /etc/ssh/sshd_config

PermitRootLogin no

Telnet to the diskstation and then restart the sshd (instead of using telnet, you can disable SSH and then enable SSH again from the web admin console)

# /usr/syno/etc/rc.d/S95sshd.sh restart

Now ssh to the diskstation as the user with sudo rights, i.e. ray, then sudo to root:

Diskstation> id
uid=1031(ray) gid=100(users)
Diskstation> sudo su
Password:

BusyBox v1.1.0 (2009.04.21-19:01+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
# id
uid=0(root) gid=0(root)
#
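
The checks below audit the two files this procedure edits, as an added example that is not part of the original post; the function names are hypothetical, and the paths in the final comment are the ones the article uses. It reports the effective global PermitRootLogin value (sshd uses the first occurrence of a keyword) and flags a lock-out risk when the admin user has no direct sudoers rule.

```shell
#!/bin/sh
# Added example: audit the two files edited above. Function names are hypothetical.

# Print the effective global PermitRootLogin value. sshd keywords are
# case-insensitive, the first occurrence wins, and "Match" starts conditional blocks.
effective_permit_root_login() {   # $1 = sshd_config path
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }   # default then depends on the sshd version
    ' "$1"
}

# Succeed if sudoers has an uncommented rule whose first field is exactly the user.
# Group (%name) and alias rules are not resolved here.
user_has_sudo_rule() {   # $1 = sudoers path, $2 = user name
    awk -v u="$2" '$1 == u && $2 ~ /=/ { ok = 1 } END { exit !ok }' "$1"
}

# 0 = locked down and usable, 1 = root can still log in, 2 = lock-out risk.
audit_root_lockdown() {   # $1 = sshd_config, $2 = sudoers, $3 = admin user
    if ! user_has_sudo_rule "$2" "$3"; then
        echo "FAIL: $3 has no sudo rule; PermitRootLogin no would lock out administration"
        return 2
    fi
    value=$(effective_permit_root_login "$1")
    if [ "$value" != "no" ]; then
        echo "WARN: effective PermitRootLogin is '$value'; root can still log in over ssh"
        return 1
    fi
    echo "OK: root ssh login is disabled and $3 can escalate with sudo"
}

# Constructed sample input: a later "no" does not override an earlier "yes".
demo() {
    d=$(mktemp -d) || return 1
    printf '#PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'root ALL=(ALL) ALL\nray ALL=(ALL) ALL\n' > "$d/sudoers"
    audit_root_lockdown "$d/sshd_config" "$d/sudoers" ray; rc=$?
    rm -rf "$d"; return "$rc"
}

# With arguments, audit real files, e.g.: /etc/ssh/sshd_config /opt/etc/sudoers ray
if [ $# -eq 3 ]; then audit_root_lockdown "$@"; else demo || true; fi
```

Run it after editing both files and before restarting sshd, while the root session is still open.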





3 thoughts


  1. Very useful. I cannot secure shell in under my own account created with the GUI and can’t find the regular add user commands. How would you go about enabling user ‘ray’ described above?
    Thanks
    Mike

    • The user ‘ray’ in the example is just one of the regular users created from DSM. Log in to the DSM and create the user. Then follow the article to allow the created user to sudo to root to perform administration.
