Openssh and the perils of encrypted home

Let’s say you have just set up a new server and done all your usual configuration. Linux distributions nowadays offer an option to enable home directory encryption for users, a feature I find interesting for a system administrator because it reduces the ever-present danger of leaving something valuable lying around for an attacker.
It also presents a lesser-known issue. If you use SSH public key authentication only (and you probably should by now), you may find yourself locked out of the server in a subtle way: OpenSSH will start refusing the key intermittently, or public key login will fail on the first login. It may seem to be a permission issue at first. It may not be. Anyway, you log back in directly and try to ssh to the box again to see what is happening. It works again. No permission issues reported in /var/log/secure or elsewhere.
You log off, try again the next day, and the server refuses every key again, until you log in directly some other way. It took me a while to sort it out, but the issue is the user’s encrypted home directory. sshd reads ~/.ssh/authorized_keys, and it turns out that it can’t when the user’s home is encrypted. When you log in to investigate, you are decrypting (mounting) the directory, and ssh starts working again. Log out, and the problem is back.
The solution is to move .ssh/authorized_keys to a location sshd can read without the user logging in and decrypting the directory (having to log in directly to make ssh work rather defeats the purpose of using ssh…)
Here (help.ubuntu.com OpenSSH Troubleshooting) you can find a better explanation.
I have to thank Wibb-untu for this post pointing me in the right direction.
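As an added example (not part of the original post), the following POSIX shell function performs the relocation described above: it copies the user’s authorized_keys out of the (currently mounted) encrypted home into a root-owned directory and points sshd at it with the AuthorizedKeysFile directive. The keys directory and sshd_config path are parameters so it can be exercised on a scratch directory; the real-host values /etc/ssh/authorized_keys and /etc/ssh/sshd_config are assumptions, as is the user name.

```shell
#!/bin/sh
# Relocate a user's authorized_keys to a path sshd can read while the
# encrypted home is NOT mounted. Must be run while the home IS mounted
# (i.e. right after a direct login), otherwise the source is unreadable.
#
# Usage (on a real host, as root):
#   relocate_authorized_keys alice /home/alice /etc/ssh/authorized_keys /etc/ssh/sshd_config
#   sshd -t && systemctl reload ssh     # validate the config before reloading
relocate_authorized_keys() {
    user="$1"; home_dir="$2"; keys_dir="$3"; sshd_config="$4"
    src="$home_dir/.ssh/authorized_keys"

    # If the home is still encrypted the file is not there to copy.
    if [ ! -r "$src" ]; then
        echo "cannot read $src (is the home directory mounted/decrypted?)" >&2
        return 1
    fi

    # Directory and file must not be group/world writable or StrictModes
    # (on by default) makes sshd ignore the key file.
    mkdir -p "$keys_dir" && chmod 755 "$keys_dir"
    cp "$src" "$keys_dir/$user"
    chmod 644 "$keys_dir/$user"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$keys_dir/$user"   # root ownership satisfies StrictModes
    fi

    # Tell sshd to look in the new location first; keep the per-home
    # default as a fallback so unaffected users keep working. Idempotent.
    if ! grep -qF "AuthorizedKeysFile $keys_dir/%u" "$sshd_config"; then
        printf 'AuthorizedKeysFile %s/%%u .ssh/authorized_keys\n' "$keys_dir" >> "$sshd_config"
    fi
}

# Check that the relocated key file is readable and sshd is configured for it.
verify_relocation() {
    user="$1"; keys_dir="$2"; sshd_config="$3"
    [ -r "$keys_dir/$user" ] || return 1
    grep -qF "AuthorizedKeysFile $keys_dir/%u" "$sshd_config" || return 1
    return 0
}
```

Remember that any key added later to ~/.ssh/authorized_keys must also be copied to the new location, since sshd will now read that file first.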
