[clug] SSH Public key auth + Encrypted home dir

Daniel Pittman daniel at rimspace.net
Mon Aug 24 07:17:48 MDT 2009

Ben Coughlan <ben.coughlan at gmail.com> writes:

> An interesting problem I just came across involving public key authorisation
> to an SSH session when the user has an encrypted home directory.


> The gist is that sshd can't read your authorized_keys file while your home
> directory is unmounted (and encrypted).  Of course it's fine if another
> session has already decrypted and mounted $HOME.

*nod*  That would be the same issue as ssh public key auth with mount-on-login
filesystems, which is occasionally run into elsewhere.

> The workaround moves authorized_keys to $HOME/.ssh on the filesystem when
> $HOME is 'not' mounted.  Which works fine.
> My problem is that it requires the two authorized_keys files to be kept in
> sync, lest I try and log in somewhere else simultaneously and my key doesn't
> exist on whichever one is mounted.

Script it.  Have something run routinely that ensures the two files are kept
in sync; cron is, as they say, your friend here.

> Does anyone have a better idea?  I'd like to avoid storing keys outside of
> users' home directories given the issues with permissions.

I doubt you can get any better ideas; ssh can't authenticate as the user to
access the encrypted file, so you are kind of stuck.  Well, unless eCryptfs
offers a facility to have a file unencrypted or whatever...

> One further question:  I've recently started using 'screen' and I'm finding it
> quite nifty.  How will it behave when I detach and log out given that my home
> directory will be unmounted?  (assuming I'm leaving stuff running that may or
> may not be using my home dir)

If you have screen running it will keep the directories busy.  This means that
you /can't/ unmount your home dir while screen runs, I anticipate.

✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
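
Added example, not part of the original thread or written by either poster: one way to script the "keep the two files in sync" suggestion above as a cron job. It assumes the copy inside the mounted home is authoritative and that the underlying, unencrypted copy is reachable at some second path while the home is mounted (for instance through a bind mount of the parent filesystem); the function name, script path and both file paths are hypothetical.

```shell
#!/bin/sh
# Added example: one-way sync of authorized_keys, meant to run from cron.
# SRC: copy inside the mounted (decrypted) home; treated as authoritative.
# DST: copy on the underlying filesystem, read by sshd while $HOME is unmounted.
# Both paths are assumptions supplied by the caller.
sync_authorized_keys() {
    src=$1 dst=$2

    # Only a regular, non-symlink source is trusted.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "sync: $src missing or not a regular file" >&2
        return 2
    fi
    # Refuse a symlinked destination so a swapped link cannot redirect the write.
    if [ -L "$dst" ]; then
        echo "sync: $dst is a symlink, refusing" >&2
        return 2
    fi
    # Nothing to do when the copies already match.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0
    fi

    # Build the new file privately (mode 0600) in the destination directory,
    # then rename it into place so sshd never reads a half-written file.
    tmp=$(umask 077 && mktemp "$(dirname "$dst")/.authorized_keys.XXXXXX") || return 1
    if cat "$src" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Hypothetical crontab entry (script path and both file paths are placeholders):
#   */5 * * * * /path/to/sync-keys.sh SRC DST
if [ "$#" -eq 2 ]; then
    sync_authorized_keys "$1" "$2"
fi
```

Because the copy is one-way, a key removed from the authoritative file also disappears from the unencrypted copy on the next run, which a merge of the two files would not do.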
