Synology DSM - jtesta/ssh-audit GitHub Wiki
Synology Disk Station Manager, or DSM for short, is a Linux-based operating system shipped with various devices made by Synology. This guide currently covers the DSM 7.2 version branch.
DSM 7.2
Connect to a Synology device with DSM 7.2 via its web interface in order to apply these options:
- Open the Control Panel
- On the bar, scroll down to Connectivity and click on Terminal & SNMP
- On the Terminal tab, check whether Enable SSH service is enabled
- If yes, click on Advanced Settings
- Select the security level Customize
This opens the window Customize encryption mode, which contains 3 rows: Cipher, KEX and MAC. Configure them as follows:
Customize encryption mode
Cipher
Leave the following ciphers enabled and disable the remaining ones if you are on DSM 7.2.2 or later:
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
DSM versions earlier than 7.2.2: In order to work around CVE-2023-48795, disable chacha20-poly1305@openssh.com.
KEX
Leave the following key exchange algorithms (KEX) enabled and disable the remaining ones:
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
MAC
Leave the following message authentication codes (MAC) enabled and disable the remaining ones:
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
Applying the settings
Click on Save to close the window Customize encryption mode, which returns you to the window Advanced Settings. There, click on Save again to close that window. Finally, back in the Control Panel, click on Apply.
Hint: If you get an error saying no changes have been made when applying the changed configuration, even though you actually did change ciphers, DSM has not detected the changed options in "customized ciphers". To apply them nonetheless, use the following steps as a workaround:
- Note the currently configured SSH port (default: 22)
- Change its value to something else, such as 222, then click Apply
- Then revert the port setting to the previous value and click on Apply once more.
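One way to confirm that the saved settings actually took effect, as an added example that is not part of the original guide or of ssh-audit: the script compares the `ciphers`, `kexalgorithms` and `macs` lines of an effective sshd configuration (assumed to be captured as root with `sshd -T`) against the lists from this guide. The function name, the `dsm_version` parameter and the sample text are constructed for illustration.

```python
# Added example: allowlists are the ones from this guide; all names are hypothetical.
ALLOWED = {
    "ciphers": {"aes128-ctr", "aes128-gcm@openssh.com", "aes192-ctr", "aes256-ctr",
                "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
TERRAPIN_CIPHER = "chacha20-poly1305@openssh.com"  # CVE-2023-48795 workaround
NOT_SET = "<keyword missing: sshd defaults apply>"


def audit(config_text, dsm_version=(7, 2, 2)):
    """Return {keyword: [algorithms enabled but not allowed by the guide]}."""
    allowed = {key: set(names) for key, names in ALLOWED.items()}
    if tuple(dsm_version) < (7, 2, 2):
        # Earlier DSM releases: the guide says to disable this cipher as well.
        allowed["ciphers"].discard(TERRAPIN_CIPHER)
    findings, seen = {}, set()
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key not in allowed or key in seen:
            continue                    # sshd uses the first value it reads
        seen.add(key)
        enabled = {name.strip() for name in parts[1].split(",") if name.strip()}
        extra = sorted(enabled - allowed[key])
        if extra:
            findings[key] = extra
    for key in sorted(allowed.keys() - seen):
        findings[key] = [NOT_SET]
    return findings


# Constructed sample in the format printed by `sshd -T`, not output from a real device.
SAMPLE = """\
port 22
ciphers aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-512-etm@openssh.com
"""

if __name__ == "__main__":
    for keyword, names in audit(SAMPLE, dsm_version=(7, 2, 1)).items():
        print(f"{keyword}: disable {', '.join(names)}")
```

An empty result means every enabled algorithm is on the guide's lists; a keyword reported as missing means sshd falls back to its built-in defaults for that row.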
Limitations
At least DSM version 7.2 doesn't allow you to reach a perfect score, since neither host keys nor host-key algorithms can be updated or modified in a supported way other than by manually modifying /etc/ssh/sshd_config. Those manual changes are also likely to get overwritten, for example by system updates or by other configuration changes made via the DSM web interface.
Validated versions
DSM | ssh-audit |
---|---|
DSM 7.2.2-72803 | master @ 9049c8476ad75494f03941c1d2ff77206a2846c6 |
DSM 7.2.1-69057 Update 4 | master @ fe65b5df8a2d36fb85747f600685091487837c0d |
DSM 7.2.1-69057 Update 3 | master @ c8e075ad13516b59ab30461d2590c3403e3379e8 |
DSM 7.2.1-69057 | master @ 02ab487232de438c0811116f2676cb1c9b5f3d62 |
DSM 7.2-64570 Update 3 |