rohieb.name/ blag/ post/ SSH key authentication with encrypted home directories
April 2024
M T W T F S S
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

Archives

Tags:

AF9015 Alice DSL Blueman C++ CDROM DNS DVB-T DVD Debian Debian testing Dell Latitude Device Manager Emacs Evolution Flattr GNOME GNU Ghostscript Git GitHub Google Earth HanseNet IMAP IPv4 IPv6 ISO9660 ImageMagic ImageMagick Internet of Things IoT JavaScript Kaffeine LaTeX LaTeX beamer Linux Linux 3.2 Linux gaming Markdown Master Boot Record MediaWiki Medion Akoya 6612 Mesa Mozilla Mozilla Firefox NTFS NetworkManager OpenSSH PDA PDF PGF Portal QDjango Qt SIGSEGV SysRq TSSTCorp SN-S083a Thinkpad SL510 TikZ UDF UNIX UNIX signal numbers USB Ubuntu Ubuntu Jaunty Ubuntu Karmic Ubuntu Lucid Ubuntu Precise VNC Vista Windows Windows Mobile WordPress X X11 XMPP XUL XULRunner Xorg ZSNES applet auto-suspend backport battery power blacklist blog blogging bluetooth broken hardware convert cron debugging desktop desktop publishing diff driver eCryptfs eglibc encrypted home engineering exceptions failure fdisk file formats fix games git-notes gitify gitolite hacking highlight howto iPAQ ikiwiki kernel module kill laptop laptop-mode libdvdread libtxc-dxtn longpost meta micropayment migration mirror mobile internet access multithreading netcat network network protocols note to self packaging partition partition table partition type patch patchutils powersave presentation programming project proxy server quickfix rant reference registry science screen seminar sfdisk shell signal.h signals slots speaking standby synchronisation talk timing university upgrade useless bits of information video vlc wireless keyboard workaround

Yesterday, I ran into an interesting problem: I tried to set up SSH public key authentication between two of my machines, c3po and r2d2, so I could log in from rohieb@r2d2 to rohieb@c3po without a passphrase. However, everytime I tried to login to c3po, I was prompted to enter the passwort for rohieb@c3po, and the debug output mentioned something that the key could not be verified. More astonishing, when I established a second SSH connection while the first was still running, I was not prompted for a password, and debug output said that key authentication had been sucessful. I googled a bit, and after a while got to this comment on Launchpad, mentioning problems when the user on the remote machine had its home directory encrypted through ecryptfs – which was the case for me. Of course, since ecryptfs only encrypts the user’s home after he has been authenticated, the SSH daemon cannot read his ~/.ssh/authorized_keys at the first time, and falls back to password authentication.

The Launchpad comment proposes to first unmount the ecryptfs filesystem, then store ~/.ssh/authorized_keys unencrypted, and then mount the encrypted home again (note that no program should be running that could try to access your home directory):

$ ecryptfs-umount-private
$ cd $HOME
$ chmod 700 .
$ mkdir -m 700 .ssh
$ chmod 500 .
$ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
$ ecryptfs-mount-private

This works indeed, but has the drawback that key authentication only works for the first login, because ecryptfs hides the unencrypted files when it mounts the encrypted directory on login; and you had to synchronize the encrypted and the unencrypted version of authorized_keys everytime you add a new key. To circumvent that, I simply moved the file to /etc/ssh/authorized_keys/rohieb (with the file only readable and writable by me, and /etc/ssh/authorized_keys writeable for all users) and adjusting /etc/ssh/sshd_config appropriately:

$ sudo vi /etc/ssh/sshd_config  # or use your favorite editor instead of vi
[... some lines ...]
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
[... some more lines ...]
$ sudo /etc/init.d/ssh restart

Update

There is yet a better approach instead, which doesn’t need the SSHd config to be edited at all:

  1. login to the user on the remote machine
  2. create /home/.ecryptfs/$USER/.ssh and put your authorized_hosts there

  3. symlink your encrypted version there:

    $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts

  4. symlink your unencrypted version there (as above, make sure no process wants to write to your home directory in the meantime):

    $ ecryptf-umount-private
$ mkdir ~/.ssh
$ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
$ ecryptfs-mount-private

The paths are for Ubuntu 9.10 (Karmic Koala) and later. On other systems, you might want to replace /home/.ecryptfs with /var/lib/ecryptfs.