[clug] SSH Public key auth + Encrypted home dir
daniel at rimspace.net
Mon Aug 24 07:17:48 MDT 2009
Ben Coughlan <ben.coughlan at gmail.com> writes:
> An interesting problem I just came across involving public key authorisation
> to an SSH session when the user has an encrypted home directory.
> The jist is that sshd can't read your authorized_keys file while your home
> directory is unmounted (and encrypted). Of course it's fine if another
> session has already decrypted and mounted $HOME.
*nod* That would be the same issue as ssh public key auth with mount-on-login
filesystems, which is occasionally run into elsewhere.
> The work around moves authorized_keys to $HOME/.ssh on the filesystem when
> $HOME is 'not' mounted. Which works fine.
> My problem is that it requires the two authorized_keys files to be kept in
> sync, lest I try and log in somewhere else simultaneously and my key doesn't
> exist on whichever one is mounted.
Script it. Have something run routinely that ensures the two files are kept
in sync; cron is, as they say, your friend here.
> Does anyone have a better idea? I'd like to avoid storing keys outside of
> users home directories given the issues with permissions.
I doubt you can get any better ideas; ssh can't authenticate as the user to
access the encrypted file, so you are kind of stuck. Well, unless eCryptfs
offers a facility to have a file unencrypted or whatever...
> One further question: I've recently started using 'screen' and I'm finding it
> quite nifty. How will it behave when I detach and log out given that my home
> directory will be unmounted? (assuming I'm leaving stuff running that may or
> may not be using my home dir)
If you have screen running it will keep the directories busy. This means that
you /can't/ unmount your home dir while screen runs, I anticipate.
✣ Daniel Pittman ✉ daniel at rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
More information about the linux