Connection failed to Synology DSM 5.2

edited September 2016 in PhotoBackup for iOS
I'm trying to back up my iPad's photos to my Synology DSM 5.2 NAS device. SSH on the Synology is enabled, and I can successfully connect with SSH on port 22 with a client.
When I try to set up the connection to the point below, I click the path icon (or, when already typed in, push the green Backup button):

I get this error.

Why is this? Do I need to import ssh key or something?

Edit:
Can't post images... :(
The error is:
Failed to establish an SSH session to "192.168.1.100:22": Unable to exchange encryption keys

Comments

  • PhotoBackup uses libssh2, which supports the following ciphers:
    • Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, arcfour128, none
    Check the ssh setting on your Synology (Control Panel-> Terminal & SNMP -> Advanced Settings -> Customize; I'm running DSM 6.0.2 though), and make sure at least one cipher in the list above is selected.
  • When entering the Advanced Settings of the DSM Terminal setting I had enabled the radio button "high" (as in high security). When customizing this setting I see a few of the supported security algorithms enabled. So I guess all DSM settings are ok.
    Changing it to medium security setting changes the behaviour of Backup app. Permission denied.
    Will try low security next.
  • None of the algorithm settings work in DSM 5.2. Tried all three levels plus a Customize one with only one of the algorithms enabled.
  • Can you try the Windows or Mac version of Acrosync to see if they work?  Both come with a 15 day free trial period.  All versions of Acrosync use the same rsync/ssh engine as PhotoBackup so this may help us isolate the problem.
  • edited October 2016
    I'm sorry for updating this late.

    I downloaded the Windows version of Acrosync and filled in the same (and all variations) connection details with the exact same results. Pop up telling me in red text: "Failed to establish an SSH connection to '<ipaddress>': Unable to exchange encryption keys"

    There is no logging about this connection problem on the Synology device.

    At the same time I had opened a ssh connection with PuTTY which connects fine over port 22.

  • You can enable verbose sshd logging on Synology to see what caused the problem.

    The easiest way I found to enable verbose sshd logging is to run another sshd instance like:

    /bin/sshd -d -D -p 222


    You can also edit /etc/ssh/sshd_config to enable verbose logging, but I think you'll also need to change the filter setting for those log messages to appear in /var/log/messages. 


  • I'm hitting the same errors as user 'hansel'.
    With the SSH security level set to high on my Synology, I get the "Unable to exchange encryption keys" error. 

    I turned on debug logging on SSHD on my Synology DSM 6.0.2-8451 Update 1 and here is what I get before connection fails on the client and the debug server exits on my Synology:

    Server listening on 0.0.0.0 port 222.
    debug1: Bind to port 222 on ::.
    debug1: Server TCP RWIN socket size: 87380
    debug1: HPN Buffer Size: 87380
    Server listening on :: port 222.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from 10.0.0.198 port 64085 on 10.0.0.101 port 222
    debug1: HPN Disabled: 0, HPN Buffer Size: 87380
    debug1: Client protocol version 2.0; client software version libssh2_1.5.0
    SSH: Server;Ltype: Version;Remote: 10.0.0.198-64085;Protocol: 2.0;Client: libssh2_1.5.0
    debug1: no match: libssh2_1.5.0
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.8p1-hpn14v6
    debug1: permanently_set_uid: 1024/100 [preauth]
    debug1: ssh_sandbox_child: prctl(PR_SET_SECCOMP): Invalid argument [preauth]
    debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: AUTH STATE IS 0 [preauth]
    ssh_dispatch_run_fatal: no matching MAC found [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    mm_request_receive: socket closed
    debug1: do_cleanup
    debug1: Killing privsep child 28070



  • A bit off-topic but how did you turn on debug logging and let it appear in /var/log/messages or somewhere else? I can't see it. Nowhere.
  • edited October 2016
    I didn't. I just logged in as the admin user over ssh and then ran sshd manually on port 222 using sudo

    > sudo /bin/sshd -d -D -p 222

    Then I set up PhotoBackup on iOS to connect to port 222 instead of 22 so it was talking to my debug SSHD instance. And I grabbed this log from the console where it was running :-)
  • Ok, thanks. I was looking into a more permanent sshd log solution. This will work of course.
    I hope gchen can solve the issue. 

    My log is like this:

    Server listening on 0.0.0.0 port 222.
    debug1: Bind to port 222 on ::.
    debug1: Server TCP RWIN socket size: 87380
    debug1: HPN Buffer Size: 87380
    Server listening on :: port 222.
    debug1: Server will not fork when running in debugging mode.
    debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
    debug1: inetd sockets after dupping: 3, 3
    Connection from 192.168.1.213 port 57207 on 192.168.1.100 port 222
    debug1: HPN Disabled: 0, HPN Buffer Size: 87380
    debug1: Client protocol version 2.0; client software version libssh2_1.5.0
    SSH: Server;Ltype: Version;Remote: 192.168.1.213-57207;Protocol: 2.0;Client: libssh2_1.5.0
    debug1: no match: libssh2_1.5.0
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6p2-hpn14v4
    debug1: permanently_set_uid: 1024/100 [preauth]
    debug1: ssh_sandbox_child: prctl(PR_SET_SECCOMP): Invalid argument [preauth]
    debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
    debug1: SSH2_MSG_KEXINIT sent [preauth]
    debug1: SSH2_MSG_KEXINIT received [preauth]
    debug1: AUTH STATE IS 0 [preauth]
    no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com server hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com [preauth]
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug1: do_cleanup
    debug1: Killing privsep child 5601
  • The issue here is this line:

    no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com server hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com [preauth]

    Clearly the server and the client couldn't agree on a MAC hashing algorithm that both support.


    On my Synology DS214se running DSM 6.0.2-8451, /etc/ssh/sshd_config shows the following algorithms are supported:

    MACs hmac-md5,hmac-md5-96,hmac-md5-96-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-ripemd160,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,hmac-sha1,hmac-sha1-96,hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com


    So I guess adding hmac-sha1-96 to your /etc/ssh/sshd_config should resolve the issue.  Unfortunately hmac-sha1-96 is known to be a weak algorithm, but currently this is the only workaround.
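The MAC negotiation discussed in the post above, as an added example that is not part of the original thread or of Acrosync/libssh2: it parses the `no matching mac found` line from the debug log and applies the RFC 4253 section 7.1 rule (the first algorithm on the client's list that the server also offers wins). Function names are hypothetical; the inputs are the strings quoted in the thread.

```python
import re

# Inputs copied from the thread: the sshd -d failure line (DSM 5.2, "high"
# security level) and the MACs directive quoted from DSM 6.0.2-8451.
FAILED_LINE = (
    "no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,"
    "hmac-ripemd160,hmac-ripemd160@openssh.com server hmac-sha2-256,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com,"
    "umac-128-etm@openssh.com,umac-128@openssh.com [preauth]")
DSM6_CONFIG = (
    "# sshd_config excerpt\n"
    "MACs hmac-md5,hmac-md5-96,hmac-md5-96-etm@openssh.com,hmac-md5-etm@openssh.com,"
    "hmac-ripemd160,hmac-ripemd160-etm@openssh.com,hmac-ripemd160@openssh.com,"
    "hmac-sha1,hmac-sha1-96,hmac-sha1-96-etm@openssh.com,hmac-sha1-etm@openssh.com,"
    "hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,"
    "hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,umac-128@openssh.com,"
    "umac-64-etm@openssh.com,umac-64@openssh.com\n")

MISMATCH_RE = re.compile(
    r"no matching (?P<kind>\w+) found: client (?P<client>\S+) server (?P<server>\S+)")

def parse_mismatch(line):
    """Return (kind, client_algs, server_algs), or None if the line has no lists."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return m["kind"], m["client"].split(","), m["server"].split(",")

def parse_config_macs(config_text):
    """Extract the algorithm list from an sshd_config MACs directive."""
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0].lower() == "macs":  # keywords are case-insensitive
            return parts[1].split(",")
    return []

def negotiate(client_algs, server_algs):
    """RFC 4253 7.1: first client-preferred algorithm the server also supports."""
    offered = set(server_algs)
    return next((alg for alg in client_algs if alg in offered), None)

if __name__ == "__main__":
    kind, client, server = parse_mismatch(FAILED_LINE)
    print(kind, "with the 'high' server list:", negotiate(client, server))
    print(kind, "with the DSM 6.0.2 list:    ",
          negotiate(client, parse_config_macs(DSM6_CONFIG)))
```

The OpenSSH 6.8 log earlier in the thread prints only `no matching MAC found` without the two lists, so `parse_mismatch` returns `None` for it; the lists have to come from the older-format message or from the server configuration.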
  • Hi gchen, I'm not sure but that doesn't sound logical. Let me explain.

    I have set the security settings of ssh (Advanced Settings in Terminal & SNMP control panel) at all possible levels, including "Low". At this level the algorithm you describe, hmac-sha1-96, is activated. But as described earlier in this topic, this was no solution to the problem. Can you explain why you think adding the above algorithm to /etc/ssh/sshd_config should do the trick?
  • Just tried once again from the Windows machine with a tail on /var/log/messages on the server. See below. Seems OK to me. But I get a "Permission denied, please try again" warning in Acrosync 1.5.

    Oct 13 20:09:07 hera sshd[28168]: Set /proc/self/oom_score_adj to 0
    Oct 13 20:09:07 hera sshd[28168]: Connection from 192.168.1.213 port 55832 on 192.168.1.100 port 22
    Oct 13 20:09:07 hera sshd[28168]: SSH: Server;Ltype: Version;Remote: 192.168.1.213-55832;Protocol: 2.0;Client: libssh2_1.5.0
    Oct 13 20:09:08 hera sshd[28168]: SSH: Server;Ltype: Kex;Remote: 192.168.1.213-55832;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
    Oct 13 20:09:08 hera sshd[28168]: SSH: Server;Ltype: Authname;Remote: 192.168.1.213-55832;Name: root [preauth]
    Oct 13 20:09:08 hera sshd[28168]: Accepted password for root from 192.168.1.213 port 55832 ssh2
    Oct 13 20:09:08 hera sshd[28168]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Oct 13 20:09:08 hera sshd[28168]: SSH: Server;Ltype: Kex;Remote: 192.168.1.213-55832;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none
    Oct 13 20:09:08 hera sshd[28168]: Starting session: command for root from 192.168.1.213 port 55832

  • Brilliant! That was it!

    I never touched the Backup & Replication app in the main menu. I opened it, went to "Backup Services -> Network Backup Destination" and enabled the "Network backup service" function over port 22. Now I have rsync running as a daemon:

    > ps | grep rsync
    30191 root 29528 S /usr/syno/bin/rsync --daemon
    30236 root 3772 S grep rsync

    >

    Now I can browse the server's filesystem in the Acrosync application. 
    Thanks!