1 [[!meta title="SSH key authentication with encrypted home directories"]]
2 [[!meta date="2010-10-09"]]
3 [[!meta author="rohieb"]]
4 [[!meta license="CC-BY-SA 3.0"]]
6 Yesterday, I ran into an interesting problem: I tried to set up [SSH
7 public key authentication][0] between two of my machines, `c3po` and
8 `r2d2`, so I could log in from `rohieb@r2d2` to `rohieb@c3po` without a
9 passphrase. However, everytime I tried to login to `c3po`, I was
10 prompted to enter the passwort for `rohieb@c3po`, and the debug output
11 mentioned something that the key could not be verified. More
12 astonishing, when I established a second SSH connection while the first
13 was still running, I was *not* prompted for a password, and debug output
14 said that key authentication had been sucessful. I googled a bit, and
15 after a while got to [this comment][1] on Launchpad, mentioning problems
16 when the user on the remote machine had its home directory encrypted
17 through ecryptfs – which was the case for me. Of course, since ecryptfs
18 only encrypts the user’s home *after* he has been authenticated, the SSH
19 daemon cannot read his `~/.ssh/authorized_keys` at the first time, and
20 falls back to password authentication.
22 [0]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1#AUTHENTICATION
23 [1]: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12
25 The Launchpad comment proposes to first unmount the ecryptfs filesystem,
26 then store `~/.ssh/authorized_keys` unencrypted, and then mount the
27 encrypted home again (**note** that no program should be running that
28 could try to access your home directory):
30 $ ecryptfs-umount-private
35 $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
36 $ ecryptfs-mount-private
38 This works indeed, but has the drawback that key authentication only
39 works for the *first* login, because ecryptfs hides the unencrypted
40 files when it mounts the encrypted directory on login; and you had to
41 synchronize the encrypted and the unencrypted version of
42 `authorized_keys` everytime you add a new key. To circumvent that, I
43 simply moved the file to `/etc/ssh/authorized_keys/rohieb` (with the
44 file only readable and writable by me, and `/etc/ssh/authorized_keys`
45 writeable for all users) and adjusting `/etc/ssh/sshd_config`
48 $ sudo vi /etc/ssh/sshd_config # or use your favorite editor instead of vi
50 AuthorizedKeysFile /etc/ssh/authorized_keys/%u
51 [... some more lines ...]
52 $ sudo /etc/init.d/ssh restart
56 There is yet a better approach instead, which doesn’t need the SSHd
57 config to be edited at all:
59 1. login to the user on the remote machine
60 2. create `/home/.ecryptfs/$USER/.ssh` and put your `authorized_hosts` there
61 3. symlink your encrypted version there:
63 $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
65 4. symlink your unencrypted version there (as above, **make sure** no
66 process wants to write to your home directory in the meantime):
68 $ ecryptf-umount-private
70 $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
71 $ ecryptfs-mount-private
73 The paths are for Ubuntu 9.10 (Karmic Koala) and later. On other
74 systems, you might want to replace `/home/.ecryptfs` with
77 [[!tag Debian howto Ubuntu workaround eCryptfs encrypted_home Linux