--- /dev/null
+[[!meta title="SSH key authentication with encrypted home directories"]]
+[[!meta date="2010-10-09"]]
+[[!meta author="rohieb"]]
+[[!meta license="CC-BY-SA 3.0"]]
+[[!flattrthing id=80700]]
+
+Yesterday, I ran into an interesting problem: I tried to set up [SSH
+public key authentication][0] between two of my machines, `c3po` and
+`r2d2`, so I could log in from `rohieb@r2d2` to `rohieb@c3po` without a
+passphrase. However, everytime I tried to login to `c3po`, I was
+prompted to enter the passwort for `rohieb@c3po`, and the debug output
+mentioned something that the key could not be verified. More
+astonishing, when I established a second SSH connection while the first
+was still running, I was *not* prompted for a password, and debug output
+said that key authentication had been sucessful. I googled a bit, and
+after a while got to [this comment][1] on Launchpad, mentioning problems
+when the user on the remote machine had its home directory encrypted
+through ecryptfs – which was the case for me. Of course, since ecryptfs
+only encrypts the user’s home *after* he has been authenticated, the SSH
+daemon cannot read his `~/.ssh/authorized_keys` at the first time, and
+falls back to password authentication.
+
+[0]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1#AUTHENTICATION
+[1]: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12
+
+The Launchpad comment proposes to first unmount the ecryptfs filesystem,
+then store `~/.ssh/authorized_keys` unencrypted, and then mount the
+encrypted home again (**note** that no program should be running that
+could try to access your home directory):
+
+ $ ecryptfs-umount-private
+ $ cd $HOME
+ $ chmod 700 .
+ $ mkdir -m 700 .ssh
+ $ chmod 500 .
+ $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
+ $ ecryptfs-mount-private
+
+This works indeed, but has the drawback that key authentication only
+works for the *first* login, because ecryptfs hides the unencrypted
+files when it mounts the encrypted directory on login; and you had to
+synchronize the encrypted and the unencrypted version of
+`authorized_keys` everytime you add a new key. To circumvent that, I
+simply moved the file to `/etc/ssh/authorized_keys/rohieb` (with the
+file only readable and writable by me, and `/etc/ssh/authorized_keys`
+writeable for all users) and adjusting `/etc/ssh/sshd_config`
+appropriately:
+
+ $ sudo vi /etc/ssh/sshd_config # or use your favorite editor instead of vi
+ [... some lines ...]
+ AuthorizedKeysFile /etc/ssh/authorized_keys/%u
+ [... some more lines ...]
+ $ sudo /etc/init.d/ssh restart
+
+## Update
+
+There is yet a better approach instead, which doesn’t need the SSHd
+config to be edited at all:
+
+1. login to the user on the remote machine
+2. create `/home/.ecryptfs/$USER/.ssh` and put your `authorized_hosts` there
+3. symlink your encrypted version there:
+
+ $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
+
+4. symlink your unencrypted version there (as above, **make sure** no
+ process wants to write to your home directory in the meantime):
+
+ $ ecryptf-umount-private
+ $ mkdir ~/.ssh
+ $ ln -s /home/.ecryptfs/$USER/.ssh/authorized_hosts ~/.ssh/authorized_hosts
+ $ ecryptfs-mount-private
+
+The paths are for Ubuntu 9.10 (Karmic Koala) and later. On other
+systems, you might want to replace `/home/.ecryptfs` with
+`/var/lib/ecryptfs`.
+
+[[!tag Debian howto Ubuntu workaround eCryptfs encrypted_home Linux
+ OpenSSH]]
projects / www-rohieb-name.git / blobdiff