[clug] SSH Public key auth + Encrypted home dir

Robert Edwards bob at cs.anu.edu.au
Mon Aug 24 17:41:41 MDT 2009


Ben Coughlan wrote:
> 
> On 24/08/2009, at 10:56 PM, Jeremy Kerr wrote:
> 
>> Ben,
>>
>>> The gist is that sshd can't read your authorized_keys file while your
>>> home directory is unmounted (and encrypted).  Of course it's fine if
>>> another session has already decrypted and mounted $HOME.
>>
>> You could change the server's AuthorizedKeysFile configuration, to
>> look in a common folder (/etc/sshd/authorized_keys/$USER perhaps?),
>> rather than within the user's home dir (which is overwritten during
>> the mount). Then just symlink ~/.ssh/authorized_keys to this file.
>>
>> This way you only have one copy of the authorized_keys file, and it'll be
>> available both before and after login.
> 
> That was my next idea as well.  The problems start when users can 
> overwrite each others keys, allowing them to log in as each other.  
> Managing the permissions on the common folder feels like a bit of a 
> headache.  I'm open to suggestions about that though, I've never tried 
> doing it before.

This is only really a problem if you want the users to opportunistically
put their keys in the central key repository. If you have a script to do
it for each user as accounts are created, the permissions problem is no
different than would already exist for /home (or where ever you put all
your users home directories).

You would need to be especially careful about backing up this directory
(it now contains everyone's private keys...) and NFS autohome stuff will
need to be rethought, if you use that.

Cheers,

Bob Edwards.

>>
>> However, this still doesn't solve the issue you'll have next, which is
>> that your encrypted filesystem won't be mounted when logging in via ssh
>> (since the ssh authentication never has your logon password). You can
>> always mount it manually though.
> 
> Actually the encrypted home dir supported in Jaunty seems to manage this 
> without any problems.  Which I also thought was odd, but convenient 
> enough that I didn't ask questions.
> 
> Ben
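As an added example (not from any post in this thread), here is a POSIX shell sketch of the layout Bob and Jeremy describe: a root-owned, mode 0755 central directory; one key file per user, created by an account-creation script and owned by that user, so a user can edit their own file but cannot touch anyone else's (Ben's concern); and ~/.ssh/authorized_keys turned into a symlink to the central file so there is only one copy. It also includes a check that mirrors what sshd does with "StrictModes yes", because a central directory that is group- or world-writable, or a key file owned by the wrong user, makes sshd refuse the file with "bad ownership or modes" and the user falls back to password login. The path /etc/ssh/authorized_keys (the thread suggested /etc/sshd/authorized_keys/$USER), the function names and the sample key are assumptions, as are GNU coreutils (stat -c) and an OpenSSH that understands the %u token in AuthorizedKeysFile.

```shell
#!/bin/sh
# Added example, not code from the thread: central authorized_keys directory
# for users whose $HOME is encrypted and still unmounted when sshd needs to
# read their keys.
# Assumptions: GNU coreutils (stat -c), OpenSSH with the %u token in
# AuthorizedKeysFile, and the path below (the thread used
# /etc/sshd/authorized_keys/$USER; any root-owned path works the same way).
KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"

# The directory itself: owned by root, mode 0755. Everyone can read it, but
# only root can create, rename or delete entries, so nobody can drop a file
# under another user's name.
init_keydir() {
    mkdir -p "$KEYDIR"
    # Only root can hand ownership to root; when run unprivileged (a dry
    # run, or the test below) the directory stays owned by the caller.
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$KEYDIR"; fi
    chmod 0755 "$KEYDIR"
}

# The sshd_config line that points sshd at the central file. Run "sshd -t"
# to validate the config before restarting sshd.
sshd_config_line() {
    printf 'AuthorizedKeysFile %s/%%u\n' "$KEYDIR"
}

# Run once per account at creation time (Bob's suggestion). The per-user
# file is owned by that user, mode 0644, inside the root-owned directory:
# the user can edit it, nobody else can. ~/.ssh/authorized_keys becomes a
# symlink to it (Jeremy's suggestion), so the user edits the usual path and
# there is exactly one copy of the keys.
provision_user() {
    user=$1 home=$2 seed=${3:-}
    target="$KEYDIR/$user"
    if [ -n "$seed" ] && [ -f "$seed" ]; then
        cp "$seed" "$target"                      # supplied public key(s)
    elif [ -f "$home/.ssh/authorized_keys" ] && [ ! -L "$home/.ssh/authorized_keys" ]; then
        cp "$home/.ssh/authorized_keys" "$target" # migrate an existing file
    else
        : > "$target"                             # start empty
    fi
    chown "$user" "$target"
    chmod 0644 "$target"
    mkdir -p "$home/.ssh"
    chown "$user" "$home/.ssh"
    chmod 0700 "$home/.ssh"
    ln -sfn "$target" "$home/.ssh/authorized_keys"
}

# Mirror the walk sshd does under "StrictModes yes": the key file and every
# directory above it, up to STOP (sshd stops at the user's home or at /),
# must be owned by root or by UID and must not be group- or world-writable.
# Returns 0 when sshd would accept the file, 1 when it would refuse it and
# log "bad ownership or modes" instead.
check_strictmodes() {
    path=$1 uid=$2 stop=$3
    while :; do
        info=$(stat -c '%u %a' "$path") || return 1
        set -- $info                               # $1 = owner uid, $2 = octal mode
        if [ "$1" -ne 0 ] && [ "$1" -ne "$uid" ]; then
            echo "bad owner $1 on $path" >&2; return 1
        fi
        if [ $(( 0$2 & 022 )) -ne 0 ]; then        # group (020) or other (002) write bit set
            echo "bad mode $2 on $path" >&2; return 1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then return 0; fi
        path=$(dirname "$path")
    done
}

# Usage: keydir.sh init | add USER HOME [PUBKEYFILE] | check USER
case "${1:-}" in
    init)  init_keydir; sshd_config_line ;;
    add)   provision_user "$2" "$3" "${4:-}" ;;
    check) check_strictmodes "$KEYDIR/$2" "$(id -u "$2")" / ;;
esac
```

The check walks all the way up to / for a path outside the user's home, so a central directory placed under something like /tmp or a group-writable /srv would be rejected by sshd even though the key file itself is fine; that is the case the "check" subcommand is there to catch before anyone is locked out.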
