I can’t do ssh public key login to my server and I think this issue is related to the fact my home is encrypted. I chose the option “encrypt my home folder” under the Ubuntu install setup. The permissions on /home/MY-USER are 700.
I’ve tried another workstation and everything works fine. I would be glad if someone could help me get out of this without removing the encryption.
Answers:
Method 1
If your home directory is encrypted, the ssh daemon can’t get into it to check if your private key matches your public one. Your .ssh folder is encrypted after all.
A workaround for this might be to have your .ssh folder with your authorized_keys in plaintext in your unencrypted home directory.
But if your encryption technique uses your password as a key to decrypt everything, you will still have to type it in to get everything decrypted.
So a true passwordless login will not work here. (Unless you want to store your password somewhere in cleartext to be automatically fed to the decryption process, but this is even more insecure than not encrypting at all.)
What technique are you using to encrypt your home directory?
Update:
Ubuntu uses ecryptfs to mount an encrypted partition at login time (so when you supply your password).
To make ssh find your .ssh folder again you can do this:
# copy your .ssh folder
mkdir /tmp/mine
chmod 700 /tmp/mine
mkdir /tmp/mine/.ssh
chmod 700 /tmp/mine/.ssh
cp ~/.ssh/authorized_keys /tmp/mine/.ssh/
cd /tmp/mine
# unmount your encrypted home drive
/sbin/umount.ecryptfs_private
# copy your ssh folder to the place ssh will actually look for
cp -r .ssh ~
# be sure to remove it again from /tmp
rm -rf /tmp/mine
You should now be able to login again, but you will not have your home folder unencrypted automatically. To mount it unencrypted you will have to enter this on every login:
/sbin/mount.ecryptfs_private
Which will ask you for your login password again.
More information on this can be found here:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427
Method 2
In the ssh_config file, you can change the location of where it looks for your private key. You could probably do something like make a new folder at /etc/ssh/keys/ and put your id_rsa private key file in there and then change the IdentityFile option in ssh_config to look in the new location. In doing so you’ll want to take certain measures to secure your private key.
This is assuming you’re the only user of the computer. If not, you can make folders like /etc/ssh/keys/john/ and /etc/ssh/keys/dogbert/ and then in the IdentityFile option put /etc/ssh/keys/%u/id_rsa
Method 3
I had the same problem on an Arch Linux server, with a home directory encrypted with ecryptfs. To be able to log in with ssh keys I first had to have logged in from the server console in order to have a decrypted .ssh/authorized_keys file. I have solved it as follows:
I first copied the content of the .ssh directory to a safe location.
Then, as root user:
In the home/.ecryptfs/<my username> directory I created a .ssh directory with permission 700 and under my own username and group (so, not root). Then I copied the content of my original .ssh directory (in my case, only an authorized_keys file) from the safe to this location, with permission 600 and under my own username and group.
In the /etc/ssh/sshd_config file, using Safado’s solution, I used the following option:
AuthorizedKeysFile /home/.ecryptfs/%u/.ssh/authorized_keys
Finally, in my home directory and under my own user name, I removed the .ssh directory and its content and replaced it with a soft link:
rm -rf .ssh (or use mv .ssh .ssh.bkp)
ln -s /home/.ecryptfs/<my username>/.ssh .
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.