Glen Pitt-Pladdy :: Blog

Ubuntu, encrypted home directories and ssh key authentication

There's plenty on the web about this subject but none of it seems to be the complete story.

Ubuntu allows you to encrypt your home directories, which is great where improved security is needed (e.g. laptops). However, it means that sshd can't read ~/.ssh/authorized_keys before you log in, and once you fix that a whole lot of other messy things happen.

Getting the keys

The first problem is that when the ssh connection occurs the encrypted home directory doesn't yet exist.

Solution: create an alternative authorized_keys file. Create a directory outside the encrypted home, say /etc/ssh/yourusername, with appropriate ownership and permissions, and put your authorized_keys file in it.

Then, with your encrypted home directory not mounted, create a ~/.ssh directory and symlink /etc/ssh/yourusername/authorized_keys to ~/.ssh/authorized_keys. When you connect, sshd can read that file.

Once your home directory is mounted, do the same inside the encrypted ~/.ssh; that covers the case where your home directory is already mounted when you connect.
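The setup above as a script, added here as an example and not code from the original post. It takes the user name, the key directory (the /etc/ssh/yourusername location the post suggests), the home directory as currently visible, and a public key file as parameters, so it can be run twice: once against the unmounted home and once against the mounted one. The permission check mirrors what sshd's StrictModes enforces (file owned by the user or root, not writable by group or others); the sample key and the scratch-directory demo are constructed for the self-test and are not real keys or paths.

```shell
#!/bin/sh
# Added example, not code from the original post: keep authorized_keys outside the
# encrypted home and symlink to it from ~/.ssh, so sshd can read the keys before the
# home is mounted. Assumed layout: /etc/ssh/<user>/authorized_keys.

# install_unencrypted_keys USER KEYDIR HOMEDIR PUBKEY_FILE
#   KEYDIR   directory outside the encrypted home, e.g. /etc/ssh/yourusername
#   HOMEDIR  the user's home as currently visible (unmounted or mounted)
install_unencrypted_keys() {
    user="$1"; keydir="$2"; home="$3"; pubkey="$4"

    # sshd's StrictModes rejects keys whose file or parent directory is writable by
    # others, so keep the directory 0755 (or 0700) and the key file 0600.
    mkdir -p "$keydir" && chmod 755 "$keydir" || return 1
    cp "$pubkey" "$keydir/authorized_keys" && chmod 600 "$keydir/authorized_keys" || return 1

    # ~/.ssh in whichever layer of the home is visible right now, pointing at the real file.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    ln -sfn "$keydir/authorized_keys" "$home/.ssh/authorized_keys" || return 1

    # The file must be owned by the user (or root) for StrictModes; chown only works as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user" "$keydir" "$home/.ssh" || return 1
    fi
}

# check_authorized_keys HOMEDIR: the part of StrictModes we control here. The symlink
# must resolve to a regular file that is not group- or world-writable. Returns 0 if OK.
check_authorized_keys() {
    link="$1/.ssh/authorized_keys"
    target=$(readlink -f "$link") || return 1
    [ -f "$target" ] || return 1
    mode=$(stat -c %a "$target") || return 1
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;   # write bit set for group or for other
    esac
    return 0
}

# Constructed sample key for the self-test below (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealXXXXXXXX demo@example'

# demo_in_scratch_dir: runs the setup in a throwaway tree and returns 0 if the layout
# passes check_authorized_keys and fails it once the key file is made group-writable.
demo_in_scratch_dir() {
    scratch=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PUBKEY" > "$scratch/id.pub"
    install_unencrypted_keys "$(id -un)" "$scratch/etc/ssh/demo" "$scratch/home/demo" "$scratch/id.pub" || return 1
    check_authorized_keys "$scratch/home/demo" || return 1
    chmod 664 "$scratch/etc/ssh/demo/authorized_keys"
    if check_authorized_keys "$scratch/home/demo"; then return 1; fi
    rm -rf "$scratch"
    return 0
}
```

On a real machine, run install_unencrypted_keys as root with the real user, /etc/ssh/yourusername and /home/yourusername, first with the home unmounted and again after mounting it. If you would rather avoid the symlinks altogether, sshd's AuthorizedKeysFile option accepts a path with the %u token (for example /etc/ssh/%u/authorized_keys), which points sshd straight at the unencrypted location.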

Mounting the encrypted home directory

When you now connect with ssh keys, you will find that your home directory isn't mounted. The README.txt file left in the unmounted home will help you, but it would be much neater if this happened automatically.

The simple way is to create a ~/.profile file in the unencrypted home that mounts your home directory, but the observant will notice that this means the ~/.profile in your encrypted home directory will never be run, and the shell may behave differently depending on how you log in. In my case I end up with auto-completion and other neat things missing. The trick is the last line here:

. ~/.profile

That mounts the home directory (if needed), changes directory to the newly mounted home directory, and finally runs the ~/.profile from the encrypted home directory.
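A complete version of that wrapper ~/.profile, added here as an example rather than the post's own file, which only shows its last line. It assumes Ubuntu's ecryptfs-utils (ecryptfs-mount-private) and util-linux (mountpoint) are present; the guard variable ECRYPTFS_HOME_WRAPPER_SEEN is an invented name. The guard covers the failure mode the post does not mention: if the mount fails but ~/.profile still resolves to this wrapper, sourcing it unconditionally would loop forever.

```shell
#!/bin/sh
# ~/.profile for the *unencrypted* (unmounted) home directory. Added example, not the
# original post's file: mount the ecryptfs home if needed, move into the newly mounted
# tree, then hand over to the real ~/.profile stored inside the encrypted home.
# Assumes ecryptfs-mount-private (ecryptfs-utils) and mountpoint (util-linux).

# True when $HOME is currently a mount point, i.e. the encrypted home is already mounted.
home_mounted() {
    mountpoint -q "$HOME"
}

# Mounts the private home; on an interactive login this prompts for the login passphrase
# unless PAM already unwrapped it.
mount_private() {
    ecryptfs-mount-private
}

# Mount only if needed, then re-check. Returns 0 when the encrypted home is mounted.
ensure_home_mounted() {
    if home_mounted; then
        return 0
    fi
    mount_private || return 1
    home_mounted
}

# Guard against sourcing this wrapper a second time: that only happens if the mount
# reported success but ~/.profile still resolves to this file, which would loop forever.
if [ -n "${ECRYPTFS_HOME_WRAPPER_SEEN:-}" ]; then
    echo "encrypted home still not mounted; not re-entering the ~/.profile wrapper" >&2
elif ensure_home_mounted; then
    ECRYPTFS_HOME_WRAPPER_SEEN=1
    # The shell's cwd is still the underlying unencrypted directory; cd picks up the mount.
    cd "$HOME" || echo "could not cd into mounted home" >&2
    # The post's trick: the encrypted home's own ~/.profile now runs as usual.
    if [ -f "$HOME/.profile" ]; then
        . "$HOME/.profile"
    fi
else
    echo "encrypted home not mounted; see $HOME/README.txt" >&2
fi
```

The cd is not cosmetic: the login shell starts in the unencrypted directory, and after the mount that inode is hidden underneath the ecryptfs layer, so without the cd, relative paths would keep resolving against the old tree.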

All sorted!
