OpenSSH server refuses to accept key authentication unless logged into server locally
My server is running Ubuntu-Server and has OpenSSH-Server installed on it. I set up the /etc/ssh/sshd_config file to accept and require rsa keys; it looks for keys in the 'AuthorizedKeys ~/.ssh/authorized_keys' file. In that file I have two separate public keys, one created using putty that I am using with WinSCP and one created from Secure Shell Client.
My issue is that I have to log in as my user on the server before the authentication works. If I were to remotely reboot the server, then try to ssh into it, I get an error saying my key could not be authenticated and I am refused access. As soon as I walk over and log in to the server locally I can then ssh in remotely, as long as that user stays logged in.
Any idea on what I may be doing wrong here? I'm thinking I have my AuthorizedKeys parameter set up incorrectly in the /etc/ssh/sshd_config file.
Solution 1:
So, just as I guessed: your $HOME is actually within an encrypted container which is only opened upon login. In order to let you into the system, sshd wants the public key before it lets you in, and thus it is some kind of chicken-and-egg problem.
One option to dance around the problem is to put the .ssh/authorized_keys file into some other place via the following change to /etc/ssh/sshd_config:
AuthorizedKeysFile /home/.ssh/%u
So, user joe has his public keys in /home/.ssh/joe, etc.
Another idea worth trying is to do something like this:
$> login
# os unlocks encrypted /home/joe
$> cp .ssh/authorized_keys /tmp/
$> logout
# os locks encrypted /home/joe again
$> mkdir /home/joe/.ssh/
$> cp /tmp/authorized_keys /home/joe/.ssh/
The idea is to pull the authorized_keys file out of the encrypted container (just like the first idea) and then place that unencrypted file at the right place. When you log into the system, the OS will then mount your encrypted home as some kind of 'overlay' on top of /home/joe, hiding the unencrypted .ssh/authorized_keys.
The third idea might involve some port-knocking: You trigger some kind of network-traffic to some secret port(s) with some secret data which then triggers the OS to unlock your encrypted home. After the knocking procedure you will be able to log into the system.
General disadvantage / things to consider: these ideas depend on how you have encrypted your $HOME. If the encryption needs your password to decrypt the data, then you have to provide it somehow.
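The first workaround above (AuthorizedKeysFile /home/.ssh/%u) only works if the relocated file passes the ownership and permission checks sshd applies under StrictModes (the default), otherwise sshd silently ignores it and falls back to password prompts. The following script, added here as an example and not part of the original answer, copies a user's authorized_keys into that per-user location and verifies the permissions; KEYDIR is an assumed, overridable base so it can be tried in a scratch directory without root.

```shell
#!/bin/sh
# Added example: relocate authorized_keys out of an encrypted home into
# the file that "AuthorizedKeysFile /home/.ssh/%u" points sshd at, then
# check what StrictModes checks: neither the file nor its directory may
# be group- or world-writable. KEYDIR is an assumption for testing; on a
# real server it is /home/.ssh.
KEYDIR="${KEYDIR:-/home/.ssh}"

# install_user_keys USER SRC_FILE
# SRC_FILE is the authorized_keys copied out while the home was unlocked.
install_user_keys() {
    user=$1; src=$2
    [ -f "$src" ] || return 1
    mkdir -p "$KEYDIR" && chmod 0755 "$KEYDIR" || return 1
    cp "$src" "$KEYDIR/$user" && chmod 0644 "$KEYDIR/$user" || return 1
    # On the real server, as root, also run:
    #   chown root:root "$KEYDIR"; chown "$user" "$KEYDIR/$user"
    return 0
}

# perm_ok PATH: returns 0 unless PATH is group- or world-writable.
# Uses the ls mode string (chars 6 and 9 are the group/other 'w' bits),
# which is POSIX and needs no GNU stat/find extensions.
perm_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# check_user_keys USER: the key file must exist, and both it and KEYDIR
# must pass perm_ok; the offending path is printed on failure.
check_user_keys() {
    f="$KEYDIR/$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    for p in "$KEYDIR" "$f"; do
        perm_ok "$p" || { echo "bad permissions: $p"; return 1; }
    done
    return 0
}
```

If check_user_keys reports a bad path, "sshd -d" on the server shows the same refusal in its debug output, which is the quickest way to confirm this is why key authentication fails.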