Last updated on Monday 28th of February 2022 08:52:48 PM

©XSIBackup running as server in ©Synology NAS

How to enable SSH access in your ©Synology device

©XSIBackup-DC (XSIBackup Datacenter) is a binary aimed at backing up huge virtual disk files. It is offered both as a free functional trial and as a licensed product.

©XSIBackup-DC can run on all sorts of platforms: VMware ©ESXi Hypervisor, Linux and other devices, such as Synology NAS appliances that run some flavour of Linux.

Although the free version of ©XSIBackup-DC is limited to 6 h. of use after each reboot and 60GB of size per virtual disk, these limitations apply only to client use. You may use the free version of ©XSIBackup-DC as a fully enabled server for data transfers over IP. This also applies to any device capable of running ©XSIBackup-DC, such as Synology NAS appliances.

Before you can install ©XSIBackup-DC to your Synology NAS you must enable SSH access to it. Just go to Control Panel in your DSM and go down to Terminal & SNMP, then on the new options window check Enable SSH Service.

Synology enable SSH access

This is enough to enable access most of the time, but if you have some experience managing SSH systems, you might find it useful to click on the Advanced button. It lets you choose the KEX algorithms and Ciphers to be used in your SSH connections.

To log in as root without having to run sudo -i from the admin user, you may add the line PermitRootLogin yes to the /etc/ssh/sshd_config file in your ©Synology appliance.

The basic use is just to choose among: High, Medium and Low security profiles, but that does not offer you much control, especially since it does not differentiate among KEX algorithms and Ciphers.

Synology SSH choose ciphers

When you enter the Customize option, you will be presented with a modal window in which to choose the KEX algorithm, the data transfer Ciphers and the MAC algorithms. The latter are related to hashing data; we'll select all available.

The KEX algorithm is used when negotiating a connection. It is not that important, as long as it is secure enough, so we can select all of them and let the SSH layer choose the best. The reason it is not that important is that the negotiation will typically happen once per backup session, so it won't affect overall speed.

The most important part of this selection screen is the Ciphers. They are used to encrypt the data. Depending on how complex they are, and on whether there is an additional co-processing unit that takes care of encryption or the CPU incorporates special instructions to decipher the data, they can create load on the CPU and slow down data transfer.

Thus, unless you do need strong security on the data transfer, you may relax this a bit and allow some lighter ciphers, or even deprecated ones if, for instance, you are transferring public data.

The best thing to do with ciphers is to choose them all too, so that we can control from the client side which of the ciphers available at the server to use. We have created a specific post on using custom ciphers.

The previous post was written for ©XSIBackup-Pro, but the concepts involved are the same. In case you want strong encryption on the data transfer, you can keep deprecated ciphers like arcfour from being used by not selecting them in this list.
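To see what a given selection and the PermitRootLogin setting actually expose, the effective server settings can be checked from the shell. The following is an added example, not part of the original post or of ©XSIBackup: it reads sshd -T style output and reports PermitRootLogin yes and any arcfour or CBC-mode ciphers on offer. The function names, the sample input and the choice of which ciphers to flag are assumptions of the example.

```shell
#!/bin/sh
# Added example. Input: lines as printed by `sshd -T` ("keyword value").
# Output: one finding per line; nothing when there is no finding.

# Ciphers flagged here: arcfour and CBC-mode ciphers (a choice made for
# this example; current OpenSSH releases no longer offer them by default).
is_weak_cipher() {
    case "$1" in
        arcfour*|*-cbc|*-cbc@*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_sshd() {
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                # "yes" does not restrict root to key-based login.
                if [ "$value" = "yes" ]; then
                    echo "root-login: PermitRootLogin yes (root not restricted to keys)"
                fi ;;
            ciphers)
                # The cipher list is comma-separated: split it on commas.
                old_ifs=$IFS; IFS=,
                for c in $value; do
                    if is_weak_cipher "$c"; then echo "weak-cipher: $c"; fi
                done
                IFS=$old_ifs ;;
        esac
    done
    return 0
}

# Constructed sample of `sshd -T` output with every cipher selected.
SAMPLE='port 22
permitrootlogin yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,arcfour,aes128-cbc,3des-cbc
macs hmac-sha2-256'

printf '%s\n' "$SAMPLE" | audit_sshd
# On the NAS itself, as root: sshd -T | audit_sshd
```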

How to install and use ©XSIBackup-DC in your ©Synology device

Backing up Virtual Disk to ©Synology

Installing ©XSIBackup-DC to your Synology NAS is very easy once you have configured root access to it over SSH. Just copy the binary to the /usr/bin folder in your Synology NAS and assign it execute permissions for the users that will make use of it. In this post we cover root usage; we will write a specific post on configuring users other than root.

(*) Since DSM 6.2.2-24922 and above, ©Synology has blocked SSH access for users other than root. This makes it impossible to use any user other than root to perform backups with ©XSIBackup-DC. This is not a big issue from a security point of view with regard to communications, as authentication is done via shared RSA keys, but it will limit your capacity to use the ©Synology device as a distributed security system via SSH.

Now the only thing left is to use the --add-key argument from our ©ESXi host to link it to the Synology device. You would issue some command like this:

./xsibackup --add-key root@a.b.c.d:port

Where a.b.c.d is the IP of your NAS and port is a port number in the range 1-65535, although it will typically be 22 for SSH.

You will be prompted to enter your ©Synology password a number of times before the process completes. Once the link process is over you will be able to back up and replicate data to any volume in your NAS appliance.

The linking process is exactly the same as in any other case; as said, to ©XSIBackup-DC the ©Synology OS is just a Linux OS.

The path of every volume in the ©Synology OS File System won't be exactly the same as what you see through the DSM. To list all available volumes you should just issue a df -h command in the command line. That will output something like this:

root@NAS01:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/md0 2.3G 887M 1.3G 41% /
none 492M 0 492M 0% /dev
/tmp 496M 548K 495M 1% /tmp
/run 496M 3.2M 493M 1% /run
/dev/shm 496M 4.0K 496M 1% /dev/shm
none 4.0K 0 4.0K 0% /sys/fs/cgroup
cgmfs 100K 0 100K 0% /run/cgmanager/fs
/dev/md4 1.8T 1.3T 587G 68% /volume2
/dev/vg1000/lv 1.8T 1.8T 43G 98% /volume3
/dev/vg1002/lv 913G 745G 168G 82% /volume1
/dev/sdq1 466G 18G 448G 4% /volumeUSB1/usbshare

Then choose the path in your ©Synology NAS to configure your backup job, for instance:

ESXi#1# ./xsibackup --backup "VMs(W7-001,W10-002,LIN-001,FBSD-005)" \
root@ \
--use-smtp=1

Where are users' profiles stored?

Enter your DSM GUI by using a browser, go to Control panel => User => Advanced, scroll down and you will see an option group that allows you to control where in your volumes users' profiles are stored.

Configure the home directory for ©Synology users

If you navigate your directory structure in the command line, you will see a folder named .ssh under your user's profile in the /volume[x]/homes/user/ folder, where [x] is your volume's number.

One of the files stored in the .ssh folder is named authorized_keys and contains the public keys of the hosts that have been granted access to the ©Synology device by means of an SSH key.

The --add-key action in ©XSIBackup-DC takes care of finding the home dir, creating the .ssh folder and the authorized_keys file, and assigning proper permissions in case they don't exist. Thus, the --add-key action must always be run with the root user, as it's the only one whose privileges in the ©Synology device allow this kind of operation.

The default home in Linux systems is /home, whereas in ©Synology devices this location is customizable. Thus, you will need to use the --home-path argument to specify where the users' homes are located. In our example:

./xsibackup --add-key root@a.b.c.d:port --home-path="/volume[x]/homes"
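After linking, the result can be verified on the NAS. The following is an added example, not ©XSIBackup code: given a user's home directory under the path passed to --home-path, it reports .ssh and authorized_keys modes other than the conventional 700 and 600, and how many keys are authorized. The function names and the constructed /homes/backup tree are assumptions of the example.

```shell
#!/bin/sh
# Added example: inspect the files --add-key is described as creating.

# Permission string of a path as shown by ls, e.g. "drwx------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# $1 = a user's home directory, e.g. /volume1/homes/backup (hypothetical).
# Prints one finding per line; returns 1 if anything needs attention.
check_ssh_dir() {
    dir="$1/.ssh"; file="$dir/authorized_keys"; rc=0
    if [ ! -d "$dir" ]; then echo "missing: $dir"; return 1; fi
    if [ "$(mode_of "$dir")" != "drwx------" ]; then
        echo "loose-perms: $dir is $(mode_of "$dir"), expected drwx------"
        rc=1
    fi
    if [ ! -f "$file" ]; then echo "missing: $file"; return 1; fi
    if [ "$(mode_of "$file")" != "-rw-------" ]; then
        echo "loose-perms: $file is $(mode_of "$file"), expected -rw-------"
        rc=1
    fi
    # Every non-blank, non-comment line is one key that is allowed to log in.
    echo "keys: $(grep -c -v -e '^[[:space:]]*$' -e '^#' "$file")"
    return $rc
}

# Builds a constructed home with deliberately loose modes; prints its path.
make_demo_home() {
    root=$(mktemp -d)
    mkdir -p "$root/homes/backup/.ssh"
    printf '%s\n' '# constructed sample, not a real key' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED root@esxi01' \
        > "$root/homes/backup/.ssh/authorized_keys"
    chmod 755 "$root/homes/backup/.ssh"
    chmod 644 "$root/homes/backup/.ssh/authorized_keys"
    echo "$root/homes/backup"
}

demo_home=$(make_demo_home)
check_ssh_dir "$demo_home" || echo "result: needs fixing"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_dir "$demo_home" && echo "result: ok"
rm -rf "${demo_home%/homes/backup}"
```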