Home > Debian, howto, Ubuntu, workaround > SSH key authentication with encrypted home directories

SSH key authentication with encrypted home directories

Yesterday, I ran into an interesting problem: I tried to set up SSH public key authentication between two of my machines, c3po and r2d2, so I could log in from rohieb@r2d2 to rohieb@c3po without a passphrase. However, everytime I tried to login to c3po, I was prompted to enter the passwort for rohieb@c3po, and the debug output mentioned something that thekey could not be verified. More astonishing, when I established a second SSH connection while the first was still running, I was not prompted for a password, and debug output said that key authentication had been sucessful. I googled a bit, and after a while got to this comment on Launchpad, mentioning problems when the user on the remote machine had its home directory encrypted through ecryptfs – which was the case for me. Of course, since ecryptfs only encrypts the user’s home after he has been authenticated, the SSH daemon cannot read his ~/.ssh/authorized_keys at the first time, and falls back to password authentication.

The Launchpad comment proposes to first unmount the ecryptfs filesystem, then store ~/.ssh/authorized_keys unencrypted, and then mount the encrypted home again (note that no program should be running that could try to access your home directory):

 $ ecryptfs-umount-private
 $ cd $HOME
 $ chmod 700 .
 $ mkdir -m 700 .ssh
 $ chmod 500 .
 $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
 $ ecryptfs-mount-private

This works indeed, but has the drawback that key authentication only works for the first login, because ecryptfs hides the unencrypted files when it mounts the encrypted directory on login; and you had to synchronize the encrypted and the unencrypted version of authorized_keys everytime you add a new key. To circumvent that, I simply moved the file to /etc/ssh/authorized_keys/rohieb (with the file only readable and writable by me, and /etc/ssh/authorized_keys writeable for all users) and adjusting /etc/ssh/sshd_config appropriately:

$ sudo vi /etc/ssh/sshd_config  # or use gedit instead of vi, or whatever...
[... some lines ...]
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
[... some more lines ...]
$ sudo /etc/init.d/ssh restart

Update

There is a better approach instead, which doesn’t need the SSHd config to be edited at all:

  • login to the user on the remote machine
  • create /home/.ecryptfs/$USER/.ssh and put your authorized_hosts there
  • symlink your encrypted version there:
    $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
  • symlink your unencrypted version there (as above, make sure no process wants to write to your home directory in the meantime):
    $ ecryptf-umount-private
    $ mkdir ~/.ssh
    $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
    $ ecryptfs-mount-private
    

The paths are for Ubuntu 9.10 (Karmic Koala) and later. On other systems, you might want to replace /home/.ecryptfs with /var/lib/ecryptfs.


Flattr this

About these ads
  1. December 20, 2010 at 23:46 | #1

    nice one. but!!!…… how do you get ecryptfs to auto mount the encrypted home directory using public key auth? i cannot seem to figure this out :X

  2. rohieb
    December 21, 2010 at 01:51 | #2

    Unfortunately that was the same question I was wondering about for a while now, but I haven’t been able to figure it out yet. However, eCryptfs lets you mount your home directory manually after login by executing /usr/bin/ecryptfs-mount-private, and typing your login password.

  3. Andrew Galecki
    December 31, 2010 at 16:05 | #3

    Thanks rohieb. It’s great article :) I tested this solution and it’s ok :)
    Take care !

  4. March 10, 2014 at 03:25 | #4

    Here is a sample script to cover this. Paths for ubuntu, edit for your system:

    https://gist.github.com/sukima/9458901

    • indigodaddy
      April 9, 2014 at 13:17 | #5

      @sukima – where/how/when do you run your script?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: