Log in to the Synology Desktop and go to "Control Panel > Terminal & SNMP"
Check "Enable SSH Service" and choose a non-default port. If you use the default port of 22 you'll get a security warning later.
Log in to your NAS using ssh:
ssh -p <port> your-nas-user@your-nas-hostname
sudo vim /etc/ssh/sshd_config
Find the following lines and uncomment them (remove the #):
#RSAAuthentication yes
#PubkeyAuthentication yes
It's possible to restart the service using the following command:
sudo synoservicectl --reload sshd
If you have not done this already, you should probably check how to do this with whatever ssh client you are using.
Example:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
The result, by default, is some files in the folder ~/.shh. Among which your private (id_rsa) and public key (id_rsa.pub).
Ssh into the NAS again.
On the NAS, you must create a file ~/.ssh/authorized_keys:
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
In that file, you must add the contents of your local ~/.ssh/id_rsa.pub. SSH then uses this public key to verify that your client machine is in posession of the private key. Then it lets you in.
On my client I did the following to first copy over my public key:
scp -P <port> ~/.ssh/id_rsa.pub my-nas-user@my-nas-hostname:/var/services/homes/my-nas-user
And then on the NAS SSH session:
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
Usually, the above steps are enough to make it work. But my NAS still stubornly asked me the password.
The users home folder ~/ is not allowed to be writable to group and other, "chmod 755 /volume1/homes/user: should do the trick.
chmod 755 means:
Solution: chmod 755 /var/services/homes/my-nas-user
https://blog.aaronlenoir.com/2018/05/06/ssh-into-synology-nas-with-ssh-key/