I recently set up a new server with Ubuntu karmic 9.10, and when I created my home directory I chose to make it encrypted. Now, after loading my authorized_keys file into ~/.ssh, it isn't recognized because my home directory isn't decrypted until after I log in. Is there a way to make SSH keys work with encrypted home directories under Ubuntu?
6 Answers
This solution was inspired by this post. IMHO it is much better than modifying your /etc/ssh/sshd_config since it doesn't require root access at all.
# Make your public key accessible from the plaintext side of the home
# (/home/.ecryptfs/$USER stays visible while the private directory is unmounted)
mkdir -m 700 "/home/.ecryptfs/$USER/.ssh"
echo "$YOUR_PUBLIC_KEY" > "/home/.ecryptfs/$USER/.ssh/authorized_keys"
chmod 600 "/home/.ecryptfs/$USER/.ssh/authorized_keys"
# Link to it from the mounted (decrypted) view of the home
mkdir -p -m 700 ~/.ssh
ln -s "/home/.ecryptfs/$USER/.ssh/authorized_keys" ~/.ssh/authorized_keys
# ... and from the unmounted view, which is what sshd sees before you log in
ecryptfs-umount-private
chmod 700 "$HOME"
mkdir -m 700 ~/.ssh
ln -s "/home/.ecryptfs/$USER/.ssh/authorized_keys" ~/.ssh/authorized_keys
# Make it auto-mount with first login.
# Note: it can cause problems with automated login.
# This ~/.profile lives in the unmounted home: it mounts the private
# directory, cd's into the now-decrypted home and hands over to the real .profile.
echo /usr/bin/ecryptfs-mount-private > ~/.profile
echo cd >> ~/.profile
echo "source .profile" >> ~/.profile
ecryptfs-mount-private
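The steps above, written as an added example (not the answer's own commands): the same layout, keys stored under the always-visible /home/.ecryptfs/$USER and linked from both views of the home, but done idempotently, with the modes sshd's StrictModes expects, without clobbering an authorized_keys that already exists, and with a mount stub that only re-sources the real .profile when the mount actually succeeded. The store and home paths are parameters so it can be exercised against a scratch directory; on a real Ubuntu ecryptfs system they are assumed to be /home/.ecryptfs/$USER and $HOME, and the ecryptfs mount/unmount commands stay with the caller as in the answer.

```shell
#!/bin/bash
# Added example, not from the original answer. Assumed Ubuntu ecryptfs layout:
# the plaintext store is /home/.ecryptfs/$USER, the home is $HOME.
set -eu

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
octal_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# stage_authorized_keys STORE HOME PUBKEY
#   STORE  directory that stays visible while the home is unmounted
#   HOME   the home directory as currently visible (mounted or not)
#   PUBKEY one OpenSSH public-key line to authorize
stage_authorized_keys() {
    local store="$1" home="$2" pubkey="$3"
    local keys="$store/.ssh/authorized_keys"

    install -d -m 700 "$store/.ssh"
    touch "$keys"
    chmod 600 "$keys"

    # If this view of the home already holds a real authorized_keys, fold its
    # entries into the store before replacing it with a link (no key is lost).
    if [ -f "$home/.ssh/authorized_keys" ] && [ ! -L "$home/.ssh/authorized_keys" ]; then
        cat "$home/.ssh/authorized_keys" >> "$keys"
        rm -f "$home/.ssh/authorized_keys"
    fi

    # Append the new key only if it is not already present (safe to re-run).
    grep -qxF -- "$pubkey" "$keys" || printf '%s\n' "$pubkey" >> "$keys"

    # sshd (StrictModes, default on) ignores the file if $HOME or ~/.ssh is
    # group- or world-writable, so pin both to 700 before linking.
    chmod 700 "$home"
    install -d -m 700 "$home/.ssh"
    ln -sfn "$keys" "$home/.ssh/authorized_keys"
}

# write_mount_stub HOME
# Writes the ~/.profile that lives in the UNMOUNTED home. It mounts the private
# directory and then sources the real ~/.profile inside it, but only after a
# successful mount, so a non-interactive login that cannot supply the
# passphrase does not loop back into this stub.
write_mount_stub() {
    local home="$1"
    cat > "$home/.profile" <<'EOF'
# Stub .profile from the unmounted home (written by the staging script).
if [ -z "${ECRYPTFS_STUB_DONE:-}" ] && [ -x /usr/bin/ecryptfs-mount-private ]; then
    export ECRYPTFS_STUB_DONE=1
    if /usr/bin/ecryptfs-mount-private; then
        cd "$HOME" && [ -f .profile ] && . ./.profile
    fi
fi
EOF
    chmod 644 "$home/.profile"
}

# Typical invocation on a real system (assumed paths), mirroring the answer:
#   stage_authorized_keys "/home/.ecryptfs/$USER" "$HOME" "$(cat id_ed25519.pub)"
#   ecryptfs-umount-private
#   stage_authorized_keys "/home/.ecryptfs/$USER" "$HOME" "$(cat id_ed25519.pub)"
#   write_mount_stub "$HOME"
#   ecryptfs-mount-private
```

Run the staging function once in each view of the home (mounted, then unmounted) so both ~/.ssh/authorized_keys entries point at the single file in the store; the second run finds the link already in place and only checks that the key is present.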
If you don't like modifying the default setup (I don't, I like my files to be where I expect them to be) then you might want to take a look at my post on how to do that:
http://www.enetworkservices.net/wordpress/ssh-public-keys-with-encrypted-home-directory.html
In short: you put your keys in the encrypted version of your user's ~/.ssh and symlink the encrypted version of ~/.ssh to the other. This way it's always there.
For the lazy people like myself, here's a script to do it for you. Just run it as the normal user. No root access or permissions needed and no server configuration changes required. Pure normal user settings.
#!/bin/bash
#
# Encrypted Home DIR SSH Key fix.
# Requires modification to sshd_config:
#   AuthorizedKeysFile /etc/ssh/authorized_keys/%u/authorized_keys
# sudo mkdir /etc/ssh/authorized_keys -m 777
#   (caveat: sshd's StrictModes, on by default, rejects an authorized_keys file
#    when any directory above it is group- or world-writable, so with a 777
#    parent the keys are ignored unless StrictModes is turned off; a per-user
#    directory created by root under a 755 parent avoids that)
# for existing users run from home directory when login.
# for new users modify /etc/skel to include .bashrc to call script.
#
# Author: Benjamin Davis <bdavis@enetworkservices.net>

KEYDIR="/etc/ssh/authorized_keys/$LOGNAME"
SSHDIR="/home/$LOGNAME/.ssh"

# Check if directory exists.
if [ ! -d "$KEYDIR" ]
then
    # Make directory with restricted permissions.
    echo "Creating user ssh directory."
    mkdir -m 700 "$KEYDIR"
fi
# Check real users home .ssh folder
if [ -d "$SSHDIR" ]
then
    # Check if dir is symlink
    if [ ! -h "$SSHDIR" ]
    then
        echo "Moving configs."
        # Copy the directory's contents ("mv dir/." is not valid), then
        # replace the directory with a link to the new location.
        cp -a "$SSHDIR/." "$KEYDIR/"
        rm -rf "$SSHDIR"
        ln -s -T "$KEYDIR" "$SSHDIR"
        clear
    fi
else
    # Does not exist so link it.
    if [[ $EUID -ne 0 ]]
    then
        echo "User ssh config folder does not exist. Creating."
        # Link directly; creating the directory first would make "ln -T" fail.
        ln -s -T "$KEYDIR" "$SSHDIR"
    fi
fi
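Both relocation schemes in this thread only work if sshd is willing to read the file from its new place, and with StrictModes (the default) it refuses when the file or any directory above it is owned by someone other than the user or root, or is group- or world-writable. The following is an added example, not part of the answer above, that reproduces that ownership and permission walk in shell so a relocated keys path can be checked before a login fails; it is modeled on what sshd's secure_filename() checks, and the stat flags assume GNU or BSD stat.

```shell
#!/bin/bash
# Added example, not from the original answer: a StrictModes-style audit of an
# authorized_keys path. Modeled on sshd's secure_filename(); not sshd's code.
set -u

owner_uid()  { stat -c %u "$1" 2>/dev/null || stat -f %u  "$1"; }
octal_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# node_ok PATH UID: owned by UID or root, and neither group- nor world-writable?
node_ok() {
    local uid mode
    uid=$(owner_uid "$1")   || return 1
    mode=$(octal_mode "$1") || return 1
    [ "$uid" = "0" ] || [ "$uid" = "$2" ] \
        || { echo "bad owner ($uid) on $1"; return 1; }
    # 022 masks the group- and world-write bits, as sshd does.
    [ $(( 0$mode & 022 )) -eq 0 ] \
        || { echo "group/world writable ($mode): $1"; return 1; }
}

# audit_authorized_keys FILE UID STOPDIR
# Resolves FILE to its real path (sshd follows symlinks first), then checks
# the file and every directory above it up to and including STOPDIR or /.
# sshd uses the user's home as STOPDIR; for a path outside the home the walk
# reaches / and so /etc, /etc/ssh, ... are checked too.
audit_authorized_keys() {
    local file uid stop dir
    file=$(readlink -f "$1" 2>/dev/null || echo "$1")
    uid=$2
    stop=$(readlink -f "$3" 2>/dev/null || echo "$3")
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    node_ok "$file" "$uid" || return 1
    dir=$(dirname "$file")
    while :; do
        node_ok "$dir" "$uid" || return 1
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "ok: $file"
}

# Usage on a live system (assumed paths from the answer above):
#   audit_authorized_keys "/home/$LOGNAME/.ssh/authorized_keys" "$(id -u)" "$HOME"
```

A world-writable /etc/ssh/authorized_keys shows up here as "group/world writable (777)", which is the same condition that makes sshd log "bad ownership or modes for directory" and fall back to password authentication.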
I just spent some time messing around with this, and the answer is that it's pretty much fundamentally impossible. It is possible to set up passwordless public-key-authenticated logins via ssh, so you don't have to type in your password to log in, but that doesn't get you anywhere, because your home directory is still encrypted.
The simple fact is that your encrypted home directory is encrypted with a password*, so the only way to decrypt it is with that password.
And if you're thinking that in theory it should be possible to use your ssh key to decrypt the mount passphrase upon login, that won't work because your private key is never sent to the server at all.
So basically, if you want encryption, you have to use passwords. Encrypted home directories are incompatible with fingerprint logins for the same reason.
*I know it's more complicated than a single password, but let's keep it simple for now.
You can use the more secure public key to login, and then execute the following to mount your directory after typing in your password:
ecryptfs-mount-private
Read the ~/README.txt file after logging in via SSH, you'll find that you don't have your files because the encrypted directory is not mounted.
You shouldn't be using passwordless public-keys to login anyway. Look at ssh-agent for a better way.
My issue is related to authorized_keys.
Observation - It was not possible to add new keys to .ssh/authorized_keys on Ubuntu. But worked like a charm on Amazon Linux.
On Ubuntu I always get
-bash: ./.ssh/authorized_keys: Permission denied
when running cat ./.ssh/my-plublic-id_rsa.pub >> ./.ssh/authorized_keys
Not sure what I am missing.
PS: I had spun up 2 EC2 instances on AWS: one running "Ubuntu 20.04.3 LTS" and another running "Amazon Linux 2".