A Synology Diskstation is a great device for beginning a homelab with. It might be a bit pricey, but it’s a great way of learning basic Linux-y stuff and self-hosting web apps for the first time. However, Synology has placed some restrictions on certain functions which you wouldn’t find in a regular Linux distro. One of those which I find a bit irritating is SSH access.
I use my Diskstation as a server to send backups to. This means it gets turned on from my main server via a bash script every couple of days for the backup to run to. It serves this purpose well, even if I’m not really using any specific Synology features. It supports Wake on Lan, so turning it on is easy enough, but turning it off via a remote command has proven to be a bit of a pain. This is because it seems to need the root account to issue the shutdown so you have two options;
- Allow root login via ssh…which is BAD from a security standpoint.
- Send the sudo password with the -t option as an ssh command…which is also BAD from a security standpoint.
There is a (slightly hacky) method of turning off the diskstation via an SSH remote command though.
Full disclosure, I found this method on a blog a few years ago and documented it in a text file note for myself in the future. I recently had to redo the method as I was upgrading a couple of the disks in the unit, but could not find the blog post at all…it turns out my bookmarking ability is about as bad as the documentation I leave myself. Anyway, the method outlined below might be written by me in the post, but credit has to go elsewhere. If I ever find the blog again I’ll update this post with a link and details.
1. Create the “shutdown” account
So, first from DSM create an account ‘shutdown’. This account needs to be added to the administrators group, although you can heavily restrict logon permissions like access to DSM manager etc. It used to be that you could just grant user accounts a login shell in /etc/passwd but Synology have made it pretty tough to do that. The last I checked, even if you add /bin/bash to a user in /etc/passwd it reverts back to /bin/nologin when you reboot anyway! I’m sure Synology thought this was a good security move, but it means that if you want SSH access you need to be in the Administrators group…which seems a bit silly. Make sure you have a ridiculously secure password, but we’re going to set up SSH keys to login anyway.
Verify that in Control Panel - User, if you click on the tab ‘User Home’ you have ticked the field Enable user home service.
2. Enable SSH & setup keys.
Enabling SSH needs to be done through Control Panel - Terminal and SNMP;
Now, test the account by ssh’ing in as shutdown. If that’s done it’s time to setup SSH keys.
Use a guide like this to set up your keys. View the public key with;
$ cat id_rsa.pub
and select and copy the key. We are going to paste it into a file we are going to create on the Synology.
Using the SSH session you created as the shutdown user, create a folder for the key in /var/services/homes/shutdown with;
$ mkdir .ssh/
Then set permissions on it with;
$ chmod 700 .ssh/
Then move inside the directory and issue;
$ vi authorized_keys
Note that Nano is not installed on the Synology so you’ll just have to deal with the Vi like it’s the 1980s…
Type i to go into insert mode and then paste the key from earlier into the file. Then hit Esc and type :wq! to save the file. Lastly, type;
$ chmod 600 authorized_keys
Repeat for each account you wish to have shell access for, obviously putting the SSH keys into the relevant user folders. These are found in /var/services/homes/<username>. You should also move the id_rsa private key into your default SSH config folder on your local machine; ordinarily this is ~/.ssh.
Lastly, you need to disable password login in the SSH daemon configuration file. You need to be root for this, so type;
$ sudo su - root
Enter your password and then open the configuration file with;
$ vi /etc/ssh/sshd_config
Look for, and edit, the following directives;
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Then restart the SSH daemon with;
$ synoservicectl --restart sshd
Test your SSH login ability. If you have messed something up and accidentally locked yourself out of your diskstation…you could enable the Telnet service in the same menu option in the DSM webUI as enabling SSH and sort it out that way.
3. Shutdown script
Now you have spent far longer than normal messing about to get a fairly basic function working and you’re cursing the design decisions taken by Synology’s software department…onto the clever bit.
The shutdown account is set to update the timestamp on a particular file when it logs in. This, in turn is watched by a script run every few mins to check for the updated timestamp. If it sees the file has been updated, it issues a shutdown command and turns the Synology off. The script is scheduled using Cron.
To get this working, make sure you are SSH’d into the Synology as the shutdown user and then type;
$ vi .profile
and when you are in, paste the following three lines into the file;
echo Set NAS to shutdown
touch .prepare_to_shut
exit
and save. I’m not sure if this is necessary, but I also then type;
$ touch .profile
as that’s how I always got bash to load preferences files in the past.
Then, to create the script which will look to see if a file has been timestamped or not type;
$ vi /var/services/homes/shutdown/shutdown_cron.sh
and paste the following script in;
#!/bin/sh
# Tag file touched by the shutdown user's .profile at login
TAG=/var/services/homes/shutdown/.prepare_to_shut
if [ -r "$TAG" ]
then
    # Remove the tag file once it has been seen
    rm "$TAG"
    # Issue the shutdown command
    /sbin/poweroff
fi
Save the file and type;
$ chmod +x /var/services/homes/shutdown/shutdown_cron.sh
to make it executable. We’re almost done - now the shutdown_cron.sh script just needs to be run every few minutes to check if the shutdown user has logged in. I think the easiest way of doing this is through the webUI, but it can be done on the command line as well. Log out of the shutdown SSH session for now; we’ll log back in to test that shutdowns work shortly.
Create a scheduled task in Control Panel - Task Scheduler - Scheduled Task - User-defined script. I called the task “Shutdown NAS” to make it easy to work out later, and set the root user to run it. I set the schedule to have it run every 5 minutes daily and noted the script to run as follows;
And that should be it!
Test it all works by SSH-ing in with the shutdown account. This should look something like;
$ ssh -T -i /path/to/shutdown/account/private/key/id_rsa shutdown@<ip address of Synology>
You should get Set NAS to shutdown back and the Diskstation should power itself off within five minutes.
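The .profile hook only runs for a login shell, so a key stored unencrypted on the backup server for scripting still carries the full shell access of an Administrators-group account whenever the client names a command of its own. As an added example (not from the original post or the blog it credits), this sketch builds an authorized_keys entry that pins the key to the one touch the cron job watches for. The sample key is constructed, and it assumes touch is on the shutdown account's PATH.

```shell
#!/bin/sh
# Added example: pin an SSH key to the single command that requests shutdown.
# TAG is the file shutdown_cron.sh on this page polls for.
TAG=/var/services/homes/shutdown/.prepare_to_shut
# Key options from sshd(8), "AUTHORIZED_KEYS FILE FORMAT".
OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
# Constructed sample key, not a real one.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal000000000000 backup@main'

# restricted_entry "<type> <base64> [comment]"
# Prints the authorized_keys line; returns 1 if the input is not one plain key.
restricted_entry() {
    nl='
'
    case $1 in *"$nl"*) return 1 ;; esac   # a second line would be an unrestricted key
    key_type=${1%% *}
    rest=${1#* }
    [ "$rest" != "$1" ] || return 1        # no space means no key body
    key_body=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;                     # also rejects options placed in front
    esac
    case $key_body in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;  # base64 characters only
    esac
    # Assumes touch is on the account's PATH; sshd runs this instead of any
    # command or shell the client asks for.
    printf 'command="touch %s",%s %s %s\n' "$TAG" "$OPTS" "$key_type" "$key_body"
}

# install_entry <ssh_dir> "<pubkey>": append the entry with the 700/600 modes used above.
install_entry() {
    entry=$(restricted_entry "$2") || return 1
    (
        umask 077
        mkdir -p "$1" && chmod 700 "$1" &&
        printf '%s\n' "$entry" >> "$1/authorized_keys" &&
        chmod 600 "$1/authorized_keys"
    )
}

restricted_entry "$SAMPLE_PUB"   # show the line for the constructed key
```

With an entry like this, sshd runs the forced command rather than a login shell, so the Set NAS to shutdown message from .profile is not printed for that key.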
The Synology Diskstations are amazing machines for a whole variety of things…however I think I am getting to the point that I have outgrown the limitations they have put into their software. They are a truly excellent solution for a first server as they really ease you in gently. That said, I think I am at a point now where I really would rather just have a standard Linux install without the limitations of the Synology software. I know these limitations are largely to protect users from doing something silly, but I have enough experience to take care of my own devices now I think.
Anyway, once this functionality is in place it’s easy enough to execute bash scripts to turn the Synology off remotely if you need to, just put the ssh command in the script.