1 [[!meta title="SSH key authentication with encrypted home directories"]]
2 [[!meta date="2010-10-09"]]
3 [[!meta author="rohieb"]]
4 [[!meta license="CC-BY-SA 3.0"]]
5 [[!flattrthing id=80700]]
7 Yesterday, I ran into an interesting problem: I tried to set up [SSH
8 public key authentication][0] between two of my machines, `c3po` and
9 `r2d2`, so I could log in from `rohieb@r2d2` to `rohieb@c3po` without a
10 passphrase. However, everytime I tried to login to `c3po`, I was
11 prompted to enter the passwort for `rohieb@c3po`, and the debug output
12 mentioned something that the key could not be verified. More
13 astonishing, when I established a second SSH connection while the first
14 was still running, I was *not* prompted for a password, and debug output
15 said that key authentication had been sucessful. I googled a bit, and
16 after a while got to [this comment][1] on Launchpad, mentioning problems
17 when the user on the remote machine had its home directory encrypted
18 through ecryptfs – which was the case for me. Of course, since ecryptfs
19 only encrypts the user’s home *after* he has been authenticated, the SSH
20 daemon cannot read his `~/.ssh/authorized_keys` at the first time, and
21 falls back to password authentication.
23 [0]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1#AUTHENTICATION
24 [1]: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12
26 The Launchpad comment proposes to first unmount the ecryptfs filesystem,
27 then store `~/.ssh/authorized_keys` unencrypted, and then mount the
28 encrypted home again (**note** that no program should be running that
29 could try to access your home directory):
31 $ ecryptfs-umount-private
36 $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
37 $ ecryptfs-mount-private
39 This works indeed, but has the drawback that key authentication only
40 works for the *first* login, because ecryptfs hides the unencrypted
41 files when it mounts the encrypted directory on login; and you had to
42 synchronize the encrypted and the unencrypted version of
43 `authorized_keys` everytime you add a new key. To circumvent that, I
44 simply moved the file to `/etc/ssh/authorized_keys/rohieb` (with the
45 file only readable and writable by me, and `/etc/ssh/authorized_keys`
46 writeable for all users) and adjusting `/etc/ssh/sshd_config`
49 $ sudo vi /etc/ssh/sshd_config # or use your favorite editor instead of vi
51 AuthorizedKeysFile /etc/ssh/authorized_keys/%u
52 [... some more lines ...]
53 $ sudo /etc/init.d/ssh restart
57 There is yet a better approach instead, which doesn’t need the SSHd
58 config to be edited at all:
60 1. login to the user on the remote machine
61 2. create `/home/.ecryptfs/$USER/.ssh` and put your `authorized_hosts` there
62 3. symlink your encrypted version there:
64 $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
66 4. symlink your unencrypted version there (as above, **make sure** no
67 process wants to write to your home directory in the meantime):
69 $ ecryptf-umount-private
71 $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
72 $ ecryptfs-mount-private
74 The paths are for Ubuntu 9.10 (Karmic Koala) and later. On other
75 systems, you might want to replace `/home/.ecryptfs` with
78 [[!tag Debian howto Ubuntu workaround eCryptfs encrypted_home Linux