Categories
Technical

Encrypted Home directories + SSH Key Authentication

There is an interesting it-makes-sense-when-you-think-about-it issue with Encrypted Home directories and SSH key authentication I’ve recently discovered in Ubuntu (it will affect any distro though). Since Encrypted home directories aren’t decrypted until the login is successful, and your SSH keys are stored in your home directory, the first SSH connection you make will require a password. If you have password authentication turned off, you’ll have big issues.

I found a question on Super User which explains solutions to this issue. My solution follows closely on this answer, although I have added in a symbolic link to make it easier to manage.

1. Create .ssh folder in /home for the keys to be stored

sudo mkdir /home/.ssh

2. Move existing authorized_keys file into .ssh dir as username

sudo mv ~/.ssh/authorized_keys /home/.ssh/username

3. Create symbolic link to authorized_keys file in user .ssh dir

ln -s /home/.ssh/username ~/.ssh/authorized_keys

4. Update sshd config file to set the new path for the authorized_keys file

sudo vim /etc/ssh/sshd_config

Change the AuthorizedKeysFile line to:

AuthorizedKeysFile      /home/.ssh/%u

5. Reboot the computer

sudo shutdown -r now

6. Login to your server and you shoud be presented with a minimal un-decrypted home directory… You will need to create and edit a .profile file in there to get ecryptfs to mount your home directory.

sudo vim ~/.profile

Add these lines:

ecryptfs-mount-privatecd /home/username

7. Log out/Restart, and go back in again. You should be promoted for your password after SSH key auth, and then be presented with your decrypted home directory.

You should now be able to login using SSH keys every time, no matter if your home dir is decrypted or not 🙂

3 replies on “Encrypted Home directories + SSH Key Authentication”

how can this possibly work? sshd will not allow the /home/.ssh directory to operate because it objects to the permissons of /

@jp (or whomever will come across this).

You can set StrictModes no.

Or…

Instead of /home/.ssh/%u, use /home/.ssh/%u/authorized_keys and:

chmod 700 /home/.ssh/%u
chmod 600 /home/.ssh/%u/authorized_keys

there is an error, “ecryptfs-mount-private” should not end with “cd” just
ecryptfs-mount-private /home/username

Leave a Reply

Your email address will not be published. Required fields are marked *