
My server is running Ubuntu-Server and has OpenSSH-Server installed on it. I set up the /etc/ssh/sshd_config file to accept and require rsa keys, it looks for keys in the 'AuthorizedKeys ~/.ssh/authorized_keys' file. In that file I have two separate public keys, one created using putty that I am using with WinSCP and one created from Secure Shell Client.

My issue is that I have to log in as my user on the server before the authentication works. If I were to remotely reboot the server, then try to ssh into it, I get an error saying my key could not be authenticated and I am rejected access. As soon as I walk over and log in to the server locally I can then ssh in remotely as long as that user stays logged in.

Any idea on what I may be doing wrong here? I'm thinking I have my AuthorizedKeys parameter set up incorrectly in the /etc/ssh/sshd_config file.

  • 1
    Do you run some kind of disk-encryption?
    – akira
    Commented Oct 15, 2014 at 18:07
  • Actually, I think ubuntu server has a disk encryption on the Home directory as an option, I may have enabled that when I did the system install.
    – Brian Adam
    Commented Oct 15, 2014 at 18:56
  • 1
    Check this because your .ssh/* folder on that encrypted home-folder will be only visible once it is .. well .. decrypted :)
    – akira
    Commented Oct 15, 2014 at 18:57
    You're right, that is the case. Any idea of how to work around this?
    – Brian Adam
    Commented Oct 15, 2014 at 19:05

1 Answer


So, just as I guessed: your $HOME is actually within an encrypted container which is only opened upon login. In order to let you into the system, sshd wants the public key before it lets you in, and thus it is some kind of chicken-and-egg problem.

One option to dance around the problem is to put the .ssh/authorized_keys file into some other place via the following change to the /etc/ssh/sshd_config:

 AuthorizedKeysFile      /home/.ssh/%u

So user joe has his public keys in /home/.ssh/joe, and so on.

Another idea worth trying is to do something like this:

$> login
<os unlocks encrypted /home/joe>
$> cp .ssh/authorized_keys /tmp/
$> logout
<os locks encrypted /home/joe again>
# the next steps need a root shell (e.g. a console login), since joe's
# unmounted /home/joe is not writable by joe without logging in again
$> mkdir -p /home/joe/.ssh/
$> cp /tmp/authorized_keys /home/joe/.ssh/
# sshd (StrictModes) rejects the file unless owner and permissions are sane
$> chown -R joe:joe /home/joe/.ssh
$> chmod 700 /home/joe/.ssh
$> chmod 600 /home/joe/.ssh/authorized_keys

The idea is to pull the authorized_keys file out of the encrypted container (just like the first idea) and then place that unencrypted file at the right place. When you log into the system the OS then will mount your encrypted home as some kind of 'overlay' on top of /home/joe, hiding the unencrypted .ssh/authorized_keys.

The third idea might involve some port-knocking: You trigger some kind of network-traffic to some secret port(s) with some secret data which then triggers the OS to unlock your encrypted home. After the knocking procedure you will be able to log into the system.

General disadvantage / things to consider: these ideas depend on how you have encrypted your $HOME. If the encryption needs your password to decrypt the data then you have to provide it somehow.

  • 1
    I think what you have here would have worked, but I didn't want to overthink the problem. I went and decrypted the home directory based on a previous post Q&A askubuntu.com/questions/138950/…
    – Brian Adam
    Commented Oct 15, 2014 at 20:04
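The first workaround in the answer above (an AuthorizedKeysFile outside the encrypted home), as an added example that is not part of the original answer. It generalizes the /home/.ssh/%u idea to a root-owned directory, which is the more common layout: the script copies a user's authorized_keys out of the mounted home, pins the ownership and permissions that sshd's StrictModes check requires, rewrites the AuthorizedKeysFile directive idempotently, and syntax-checks sshd_config before reloading so a typo cannot lock you out of a remote box. The directory /etc/ssh/authorized_keys, the sshd_config path and the service name `ssh` are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example (not from the original answer): move a user's authorized_keys
# out of the encrypted $HOME into a root-owned directory that sshd can read
# before the home directory is mounted, then point sshd at it.
# Assumed paths: key directory /etc/ssh/authorized_keys, config
# /etc/ssh/sshd_config, service name "ssh" (Ubuntu).
set -e

# Copy $khome/.ssh/authorized_keys to $keydir/$kuser and print the new path.
# Run this while $khome is mounted (i.e. the user is logged in locally).
# sshd with StrictModes (the default) refuses a key file, or a parent
# directory, that is group/world-writable, so permissions are pinned here.
relocate_authorized_keys() {
    kuser="$1"; khome="$2"; keydir="$3"
    ksrc="$khome/.ssh/authorized_keys"
    [ -f "$ksrc" ] || { echo "no $ksrc (is $khome mounted?)" >&2; return 1; }
    mkdir -p "$keydir"
    chmod 755 "$keydir"
    cp "$ksrc" "$keydir/$kuser"
    chmod 644 "$keydir/$kuser"
    # root ownership only matters (and is only possible) when run as root
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$keydir" "$keydir/$kuser"; fi
    echo "$keydir/$kuser"
}

# Replace any active AuthorizedKeysFile directive in $config with one that
# points at $keydir/%u, leaving commented-out defaults alone. Idempotent:
# running it twice still leaves exactly one active directive. Prints the
# number of active AuthorizedKeysFile lines afterwards (expected: 1).
set_authorized_keys_file() {
    config="$1"; keydir="$2"
    newcfg="$config.tmp.$$"
    # grep -v exits 1 when nothing survives the filter; that is not an error here
    grep -v '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$config" > "$newcfg" || true
    echo "AuthorizedKeysFile $keydir/%u" >> "$newcfg"
    mv "$newcfg" "$config"
    grep -c '^AuthorizedKeysFile ' "$config"
}

# Usage (as root, while the user is logged in and the home is mounted):
#   sh relocate_keys.sh install joe
case "${1:-}" in
install)
    u="$2"
    relocate_authorized_keys "$u" "/home/$u" /etc/ssh/authorized_keys
    set_authorized_keys_file /etc/ssh/sshd_config /etc/ssh/authorized_keys
    # refuse to reload on a broken config: a bad sshd_config on a
    # remote-only machine is the next lockout
    sshd -t -f /etc/ssh/sshd_config
    service ssh reload
    ;;
esac
```

Two things to keep in mind after doing this. The relocated file holds only public keys, so it loses nothing by sitting outside the encrypted container, but the user can no longer add keys without root. And because a key-based login never hands your passphrase to PAM, the encrypted home stays locked after you ssh in; with Ubuntu's ecryptfs setup you then run `ecryptfs-mount-private` in that session to open it, which is the "you have to provide it somehow" point the answer ends on.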
