[clug] SSH Public key auth + Encrypted home dir

Ben Coughlan ben.coughlan at gmail.com
Mon Aug 24 07:19:21 MDT 2009


On 24/08/2009, at 10:56 PM, Jeremy Kerr wrote:

> Ben,
>
>> The gist is that sshd can't read your authorized_keys file while your
>> home directory is unmounted (and encrypted).  Of course it's fine if
>> another session has already decrypted and mounted $HOME.
>
> You could change the server's AuthorizedKeysFile configuration, to look in a
> common folder (/etc/sshd/authorized_keys/$USER perhaps?), rather than
> within the user's home dir (which is overwritten during the mount).  Then just
> symlink ~/.ssh/authorized_keys to this file.
>
> This way you only have one copy of the authorized_keys file, and it'll be
> available both before and after login.

That was my next idea as well.  The problems start when users can
overwrite each other's keys, allowing them to log in as each other.
Managing the permissions on the common folder feels like a bit of a
headache.  I'm open to suggestions about that though, I've never tried
doing it before.
>
> However, this still doesn't solve the issue you'll have next, which is that
> your encrypted filesystem won't be mounted when logging in via ssh (since the
> ssh authentication never has your logon password). You can always mount it
> manually though.

Actually the encrypted home dir supported in Jaunty seems to manage  
this without any problems.  Which I also thought was odd, but  
convenient enough that I didn't ask questions.

Ben
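
[Editor's note, not part of the original thread.] The central-directory
layout Jeremy proposes, and the "users overwriting each other's keys"
worry Ben raises, both come down to file ownership and modes on that
directory. The script below is an added example, not code from either
poster. It assumes a directory /etc/ssh/authorized_keys.d (the name is an
assumption; the thread's /etc/sshd/authorized_keys would work the same
way) that is root-owned with mode 0755, holding one file per user with
mode 0644 owned by root or by that user. With that layout a user can read
everyone's file but can neither modify nor replace anyone else's, and it
is exactly what sshd's StrictModes check demands: nothing on the path to
the key file may be group- or world-writable, and each component must be
owned by root or by the user logging in. Note that sshd_config expands
%u, not $USER, to the login name in AuthorizedKeysFile. The script runs
unprivileged against any directory for demonstration; on a real host the
setup step runs as root.

```shell
#!/bin/sh
# Added example (not from the original thread): a root-managed central
# authorized_keys directory that sshd can read before a user's encrypted
# $HOME is mounted, laid out so that users cannot edit each other's keys.
#
# Assumed layout (hypothetical path):
#   /etc/ssh/authorized_keys.d        root:root 0755
#   /etc/ssh/authorized_keys.d/<user> root or <user>, 0644

# Print the sshd_config line for the central directory.  sshd expands
# %u to the login name when it looks the file up at authentication time.
sshd_config_snippet() {
    dir=$1
    printf 'AuthorizedKeysFile %s/%%u\n' "$dir"
}

# Create the directory and an empty key file per user.  In production
# this runs as root; here it only needs write access to the parent dir.
setup_authkeys_dir() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir" || return 1
    for user in "$@"; do
        # 0644: owner (root, or the user if you hand files over to them)
        # may edit; everyone else may only read.  Nobody else can replace
        # the file either, because the directory itself is not writable.
        : > "$dir/$user" || return 1
        chmod 0644 "$dir/$user" || return 1
    done
}

# Append one public key line to a user's central file.
add_key() {
    dir=$1; user=$2; key=$3
    printf '%s\n' "$key" >> "$dir/$user"
}

# Return 0 if neither the directory nor any file in it is group- or
# world-writable, 1 otherwise (listing the offenders on stderr).  This
# is the same condition StrictModes enforces; a writable entry is what
# would let one user plant a key into another user's file.
check_authkeys_dir() {
    dir=$1
    bad=$(find "$dir" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'group/world writable, sshd would reject:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Run setup_authkeys_dir once as root, paste the output of
sshd_config_snippet into sshd_config, and reload sshd; the per-user
symlink from ~/.ssh/authorized_keys is then optional, since sshd never
looks in $HOME. Run check_authkeys_dir from cron or a login hook if you
want to catch a chmod slip before sshd silently starts refusing keys.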
