Can't do SSH public key login under encrypted home
I can't do ssh public key login to my server and I think this issue is related to the fact my home is encrypted. I chose the option "encrypt my home folder" under the Ubuntu install setup. The permissions on /home/MY-USER are 700.
I've tried another workstation and everything works fine. I would be glad if someone could help me get out of this without removing the encryption.
ubuntu ssh ecryptfs
edited Sep 4 '12 at 22:20
Gilles
asked Sep 4 '12 at 12:55
lucasvscn
migrated from serverfault.com Sep 4 '12 at 14:43
This question came from our site for system and network administrators.
Add -v to your ssh command line and see if you find any interesting entries. If not, increase the verbose level to -vv, and then -vvv.
– pkhamre
Sep 4 '12 at 13:00
When you say you've tried another workstation, did it have an encrypted home directory as well?
– Safado
Sep 4 '12 at 14:10
2 Answers
Accepted answer (6 votes)
In the ssh_config file, you can change the location of where it looks for your private key. You could probably do something like make a new folder at /etc/ssh/keys/ and put your id_rsa private key file in there and then change the IdentityFile option in ssh_config to look in the new location. In doing so you'll want to take certain measures to secure your private key.
This is assuming you're the only user of the computer. If not, you can make folders like /etc/ssh/keys/john/ and /etc/ssh/keys/dogbert/ and then in the IdentityFile option put /etc/ssh/keys/%u/id_rsa.
edited Sep 4 '12 at 19:58
bahamat
answered Sep 4 '12 at 14:09
Safado
After seeing cjc's answer, it brings up an important detail that you left out. Is the encrypted home folder on your workstation or on the server? If it's on the server, then you need to follow cjc's instructions.
– Safado
Sep 4 '12 at 15:03
Thank you! This worked for me. I put my id_rsa under /etc/ssh/keys with 666 permissions and so I was able to log in :)
– lucasvscn
Sep 4 '12 at 19:34
@lucasvscn Please change those permissions immediately. You do not want that to be go+w.
– derobert
Sep 4 '12 at 20:02
@derobert you're right! But when I first copied id_rsa to /etc, the owner was changed to root and the only way to make it work was giving it 666. I just fixed it by putting my user as owner and setting the permissions to 600.
– lucasvscn
Sep 4 '12 at 20:24
Permissions of 400 should be sufficient.
– Jens Timmerman
Oct 26 '16 at 14:55
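The permission exchange in the comments above (666, then 600, with 400 also suggested) can be checked mechanically. The following is an added example, not part of the original answers: the function names are hypothetical, and the /etc/ssh/keys/<user>/id_rsa layout is the one proposed in the answer.

```shell
#!/bin/sh
# Added example (not from the thread): install and audit a private key kept
# outside an encrypted home, using the /etc/ssh/keys/<user>/id_rsa layout
# proposed in the answer. All function names are hypothetical.

# Print the nine permission characters of a path, e.g. "rw-------".
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Succeed only for a regular file (not a symlink) that grants nothing to
# group or other: 600 and 400 pass, 666, 644 and 640 fail.
key_mode_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# install_private_key SRC BASE NAME [OWNER]
# BASE holds no secrets itself and stays traversable (755); BASE/NAME is 700
# and the key 600. The umask makes the copy private from the moment it is
# created. OWNER (needs root) hands the result back to the user; without it
# a copy made as root stays root-owned and unreadable by that user.
install_private_key() {
    src=$1 base=$2 name=$3 owner=${4:-}
    mkdir -p -- "$base" && chmod 755 "$base" || return 1
    (
        umask 077
        mkdir -p -- "$base/$name" &&
        cp -- "$src" "$base/$name/id_rsa" &&
        chmod 700 "$base/$name" &&
        chmod 600 "$base/$name/id_rsa"
    ) || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$base/$name" "$base/$name/id_rsa" || return 1
    fi
}

# Report every key file under BASE/<user>/ that group or other can access.
# Prints one "UNSAFE <perms> <path>" line per finding; returns 1 if any.
audit_key_dir() {
    bad=0
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        if ! key_mode_ok "$f"; then
            printf 'UNSAFE %s %s\n' "$(perm_string "$f")" "$f"
            bad=1
        fi
    done
    return "$bad"
}
```

Run as root, `install_private_key ~john/.ssh/id_rsa /etc/ssh/keys john john` avoids the root-owned copy described in the comments, and `audit_key_dir /etc/ssh/keys` lists any key left at a mode such as 666.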
Answer (7 votes)
If your home directory is encrypted, the ssh daemon can't get in it to check if your private key matches your public one. Your .ssh folder is encrypted after all.
A workaround for this might be to have your .ssh folder with your authorized_keys in plaintext in your unencrypted home directory.
But if your encryption technique uses your password as a key to decrypt everything, you will still have to type it in to get everything decrypted.
So a true passwordless login will not work here (unless you want to store your password somewhere in cleartext to be automatically fed to the decryption process, but this is even more insecure than not encrypting at all).
What technique are you using to encrypt your home directory?
Update:
Ubuntu uses ecryptfs to mount an encrypted partition at login time (so when you supply your password).
To make ssh find your .ssh folder again you can do this:
# start in your home directory while it is still mounted (decrypted)
cd ~
# copy your .ssh folder
# Don't do this on a shared system where others are logged in at this moment! They could get access to your ssh secrets.
cp -r .ssh /tmp
cd /tmp
# unmount your encrypted home drive
/sbin/umount.ecryptfs_private
# copy your ssh folder to the place ssh will actually look for
cp -r .ssh ~
# be sure to remove it again from /tmp
rm -rf .ssh
You should now be able to log in again, but you will not have your home folder unencrypted automatically. To mount it unencrypted you will have to enter this on every login:
/sbin/mount.ecryptfs_private
Which will ask you for your login password again.
More information on this can be found here:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427
edited Nov 20 at 10:40
answered Sep 4 '12 at 13:26
Jens Timmerman
Hi Jens, yes, I know the implications. I chose the option "encrypt my home folder" under the Ubuntu install setup, so I don't know what encryption technique was used.
– lucasvscn
Sep 4 '12 at 19:33