SSH with authorized_keys to an Ubuntu system with encrypted homedir?
I recently set up a new server with Ubuntu karmic 9.10, and when I created my home directory I chose to make it encrypted. Now, after loading my authorized_keys file into ~/.ssh, it isn't recognized because my home directory isn't decrypted until after I log in. Is there a way to make SSH keys work with encrypted home directories under Ubuntu?
Change this line in your sshd_config file:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
And then move your authorized_keys file to /etc/ssh/your-username/authorized_keys
This post documents another way to solve this.
This solution was inspired by this post. IMHO it is much better than modifying your /etc/ssh/sshd_config since it doesn't require root access at all.
# Make your public key accessible
mkdir -m 700 /home/.ecryptfs/$USER/.ssh
echo $YOUR_PUBLIC_KEY > /home/.ecryptfs/$USER/.ssh/authorized_keys
ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys
ecryptfs-umount-private
chmod 700 $HOME
mkdir -m 700 ~/.ssh
ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys
# Make it auto-mount with first login.
# Note: it can cause problems with automated login.
echo /usr/bin/ecryptfs-mount-private > ~/.profile
echo cd >> ~/.profile
echo source .profile >> ~/.profile
ecryptfs-mount-private
I just spent some time messing around with this, and the answer is that it's pretty much fundamentally impossible. It is possible to set up passwordless public-key-authenticated logins via ssh, so you don't have to type in your password to log in, but that doesn't get you anywhere, because your home directory is still encrypted.
The simple fact is that your encrypted home directory is encrypted with a password*, so the only way to decrypt it is with that password.
And if you're thinking that in theory it should be possible to use your ssh key to decrypt the mount passphrase upon login, that won't work because your private key is never sent to the server at all.
So basically, if you want encryption, you have to use passwords. Encrypted home directories are incompatible with fingerprint logins for the same reason.
*I know it's more complicated than a single password, but let's keep it simple for now.
If you don't like modifying the default setup (I don't, I like my files to be where I expect them to be) then you might want to take a look at my post on how to do that:
http://www.enetworkservices.net/wordpress/ssh-public-keys-with-encrypted-home-directory.html
In short. You put your keys in the encrypted version of your user ~/.ssh
and symlink the encrypted version of ~/.ssh
to the other. This way it's always there.
For the lazy people like myself, here's a script to do it for you. Just run it as the normal user. No root access or permissions needed and no server configuration changes required. Pure normal user settings.
#!/bin/bash
#
# Encrypted Home DIR SSH Key fix.
# Requires modification to sshd_config
# AuthorizedKeys /etc/ssh/authorized_keys/%u/authorized_keys
# sudo mkdir /etc/ssh/authorized_keys -m 777
# for existing users run from home directory when login.
# for new users modify /etc/skel to include .bashrc to call script.
#
# Author: Benjamin Davis <[email protected]>
# Check if directory exists.
if [ ! -d "/etc/ssh/authorized_keys/$LOGNAME" ]
then
# Make directory with restricted permissions.
echo "Creating user ssh directory."
mkdir /etc/ssh/authorized_keys/$LOGNAME -m 700
fi
# Check real users home .ssh folder
if [ -d "/home/$LOGNAME/.ssh" ]
then
# Check if dir is symlink
if [ ! -h /home/$LOGNAME/.ssh ]
then
echo "Moving configs."
mv /home/$LOGNAME/.ssh/. /etc/ssh/authorized_keys/$LOGNAME/.
rm -rf /home/$LOGNAME/.ssh/
ln -s -T /etc/ssh/authorized_keys/$LOGNAME /home/$LOGNAME/.ssh
clear
fi
else
# Does not exist so link it.
if [[ $EUID -ne 0 ]]
then
echo "User ssh config folder does not exist. Creating."
mkdir /home/$LOGNAME/.ssh -m 700
ln -s -T /etc/ssh/authorized_keys/$LOGNAME /home/$LOGNAME/.ssh
fi
fi