Glen Pitt-Pladdy :: Blog

Ubuntu, encrypted home directories and ssh key authentication

There's plenty on the web about this subject but none of it seems to be the complete story.

Ubuntu lets you encrypt your home directory, which is great where stronger protection of data at rest is needed (e.g. laptops). The catch is that sshd can't read ~/.ssh/authorized_keys while the home directory is still locked, and once you work around that a whole lot of other messy things happen.

Getting the keys

The first problem is that at the moment the ssh connection is authenticated the encrypted home directory isn't mounted yet: Ubuntu unlocks it through PAM using the password you typed at login, and with key authentication there is no password for PAM to use, so all sshd can see is the placeholder directory underneath.

Solution: keep an authorized_keys file outside the home directory. Create a directory, say /etc/ssh/yourusername, put your authorized_keys file in it, and give both the ownership and permissions that sshd's StrictModes check (on by default) insists on: owned by you or by root, and not writable by group or others.

Then, with the encrypted home directory NOT mounted, create ~/.ssh and make ~/.ssh/authorized_keys a symlink pointing at /etc/ssh/yourusername/authorized_keys. When you connect, sshd follows the link and can read the keys.

Once your home directory is mounted, do the same inside the encrypted ~/.ssh. That covers the case where your home directory is already mounted (for example by a desktop login) when you connect.
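The whole procedure above, scripted, as an added example that is not the post's own code. It assumes the layout the post describes (/etc/ssh/<user>/authorized_keys, symlinked from ~/.ssh in both the unmounted and the mounted view of the home directory) and adds a check that mirrors what sshd's StrictModes does before it trusts the file. All paths are parameters so the functions can be exercised on a scratch tree as an ordinary user; on a real host you would run them as root with an empty ROOT. The function names and the sample public key line are mine, not anything from the post.

```shell
#!/bin/sh
# Added example, not the post's code: relocate authorized_keys outside the
# encrypted home and link to it from both views of ~, then check the result
# the way sshd (StrictModes yes, the default) will.
set -eu
umask 022   # new directories must not be group/world writable

# install_keys_outside_home ROOT USER PUBKEY_FILE
# Creates ROOT/etc/ssh/USER/authorized_keys from PUBKEY_FILE. Mode 0755 on the
# directory and 0644 on the file; ownership goes to USER so they can manage
# their own keys (root ownership would also satisfy sshd). Prints the path.
install_keys_outside_home() {
    root=$1
    user=$2
    pubkey=$3
    keydir="$root/etc/ssh/$user"
    mkdir -p "$keydir"
    cp "$pubkey" "$keydir/authorized_keys"
    chmod 0755 "$keydir"
    chmod 0644 "$keydir/authorized_keys"
    # chown only on a real host (empty ROOT, running as root); on a scratch
    # tree the files already belong to whoever is running this.
    if [ -z "$root" ]; then
        chown "$user" "$keydir" "$keydir/authorized_keys"
    fi
    printf '%s\n' "$keydir/authorized_keys"
}

# link_authorized_keys HOME_DIR KEYFILE
# Creates HOME_DIR/.ssh (0700) and makes HOME_DIR/.ssh/authorized_keys a
# symlink to KEYFILE. Run once with the home unmounted and once mounted, so
# the link exists whichever view of ~ sshd sees. Prints the link target.
link_authorized_keys() {
    home=$1
    keyfile=$2
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    ln -sfn "$keyfile" "$home/.ssh/authorized_keys"
    readlink "$home/.ssh/authorized_keys"
}

# check_strict_modes FILE STOP_DIR
# Mirrors sshd's StrictModes test: resolve symlinks, then require the file
# and every directory above it, up to and including STOP_DIR (sshd stops at
# the user's home directory or at /), to be owned by the calling user or
# root and to be neither group- nor world-writable. Returns 0 if sshd
# would accept the file, 1 if it would silently ignore it.
check_strict_modes() {
    p=$(readlink -f "$1")
    stop=$(readlink -f "$2")
    me=$(id -u)
    while :; do
        mode=$(stat -c '%A' "$p")   # e.g. drwxr-xr-x
        owner=$(stat -c '%u' "$p")
        # character 6 is the group write bit, character 9 the world write bit
        case "$mode" in ?????w*|????????w*) return 1 ;; esac
        [ "$owner" = "$me" ] || [ "$owner" = 0 ] || return 1
        [ "$p" = "$stop" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Real-host usage (as root, home currently unmounted), for reference:
#   kf=$(install_keys_outside_home "" yourusername /path/to/id_ed25519.pub)
#   link_authorized_keys /home/yourusername "$kf"      # unmounted view
#   ... mount the home with ecryptfs-mount-private, then:
#   link_authorized_keys /home/yourusername "$kf"      # mounted view
#   check_strict_modes /home/yourusername/.ssh/authorized_keys /home/yourusername
```

The StrictModes mirror is the part worth keeping around: sshd ignores an authorized_keys file that fails it without telling the client anything beyond "Permission denied", so a group-writable /etc/ssh/yourusername is a classic way for this setup to stop working. Note that sshd checks the resolved path, so the permissions of the placeholder ~/.ssh holding the symlink are not what matters; the directories above /etc/ssh/yourusername/authorized_keys are. On current OpenSSH you can also skip the symlinks entirely by adding /etc/ssh/%u/authorized_keys to AuthorizedKeysFile in sshd_config, which is a different approach from the one the post takes.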

Mounting the encrypted home directory

When you now connect with ssh keys you will find that your home directory isn't mounted. The README.txt that Ubuntu leaves in the unmounted directory tells you how to mount it by hand, but it would be much neater if this happened automatically.

The simple way is to put a ~/.profile in the unmounted home directory that mounts it, but the observant will notice that the ~/.profile inside the encrypted home directory will then never run, so the shell behaves differently depending on how you logged in. In my case I ended up without auto-completion and the other neat things it sets up. The trick is the last line of the unmounted ~/.profile:

/usr/bin/ecryptfs-mount-private
cd
# Only hand over to the real ~/.profile if ~ is actually mounted now;
# otherwise this file would source itself again in a loop.
mountpoint -q "$HOME" && . ~/.profile

That mounts the home directory (prompting for your login passphrase), changes directory so the shell's working directory is the newly mounted home rather than the placeholder underneath it, and finally runs the ~/.profile from the encrypted home directory so your normal environment is set up. The mountpoint check is a safeguard: without it, a failed mount (a mistyped passphrase, for example) would leave ~/.profile pointing at this same unmounted file, which would source itself again and again.

All sorted!
