Sunday, April 10, 2011

Synology SSH 'root' Account, OpenSSH & /etc/shadow

I discovered something interesting about the Synology's SSH implementation the other day. The built-in SSH application does some weird account trickery without informing you. In essence, when you ssh into your NAS as user "root" it covertly does a credential look-up against the user "admin" instead, which has its credentials set by the normal means via the User app from the browser based Control Panel. The actual root user has a completely different password, which is presumably in place to allow remote support.

In other words Synology has !!! ROOT ACCESS TO YOUR NAS !!!

This would normally not even be an issue, especially if your NAS is not accessible outside your LAN. However, if you install the OpenSSH suite of tools then you will switch to using the OpenSSH version of ssh which knows nothing of this root/admin tomfoolery. In this case, attempting to log into the root account using the normal admin password will fail, as it will want the real root password.

The solution is pretty easy, and kills two birds with one stone, removing Synology remote access and isolating your root password from your admin password.
  1. Log in as root
  2. Edit your /etc/shadow file
  3. Delete the line which starts with "root:"
  4. Make a copy of the line which starts with "admin:"
  5. Change the "admin" to "root" in the copied line from step 4
You should now be able to log into root account using admin credentials. Note that changing your admin password in the browser GUI will have no effect on your root password.

The other alternative is to track down why OpenSSH is used in lieu of Synology's version and disable it, but I'd rather stick with OpenSSH personally. Please post a comment if you find any information regarding this tack.


  1. You should probably switch the root uid back to its original value after cloning the admin line, otherwise root and admin will have the same uid.

    1. Uhm - the uid of the root or admin user should not be affected by this tutorial, as it is located in /etc/passwd, not in /etc/shadow.