Friday, August 6, 2010

eCryptFS and SSH authorized_keys

I updated Ubuntu earlier this week, which broke SSH public-key authentication if your home directory is encrypted with eCryptFS. Here's the error from my /var/log/auth.log file:
sshd[27665]: Passphrase key already in keyring; rc = [1]
sshd[27665]: ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [679363337585871a] to the keyring; rc = [1]
sshd[27665]: Error attempting to add filename encryption key to user session keyring; rc = [1]

The problem is that sshd has to read ~/.ssh/authorized_keys before the PAM session that mounts your encrypted home has run, so it only sees the unmounted (lower) home directory, where the .ssh directory doesn't exist. The solution is to unmount your encrypted home, recreate .ssh/authorized_keys in the unmounted directory, and mount it again. Described here. Note that once the home is mounted again, the mounted filesystem shadows the file you just created, so any keys you add later have to be added the same way (the authorized_keys inside the encrypted home is never consulted for the initial login).
$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ chmod 700 .                      # the unmounted home is normally 500; make it writable
$ mkdir -m 700 .ssh                # as your own user, not root: sshd (StrictModes) rejects a .ssh owned by someone else
$ chmod 500 .                      # put the unmounted home back to read-only
$ echo "$YOUR_PUBLIC_KEY" > .ssh/authorized_keys   # quote it so the key line stays intact
$ /sbin/mount.ecryptfs_private
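The same procedure as a script, added here as an example that is not part of the original post. It factors the work on the unmounted directory into a function that takes the directory path, so it can be run against any directory, appends a key only if it is not already present, and finishes with a check that mirrors what sshd's StrictModes requires (home and authorized_keys not group- or world-writable, .ssh mode 700). The key line is a constructed placeholder, not a real key, and the `stat -c` calls assume GNU coreutils as on Ubuntu; only the wrapper at the bottom touches eCryptfs.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes GNU stat (Ubuntu).

# Return 1 if the last two octal digits (group, other) of a path's mode
# contain a write bit; this is the check sshd's StrictModes applies to
# the home directory and to authorized_keys.
not_group_world_writable() {
  mode=$(stat -c '%a' "$1") || return 1
  case "${mode#${mode%??}}" in
    *[2367]*) return 1 ;;
  esac
  return 0
}

# Install one authorized_keys line into DIR (the *unmounted* home).
# The unmounted home is normally mode 500, so it is made writable,
# .ssh/authorized_keys is created or extended, and 500 is restored.
install_key_into_dir() {
  dir=$1
  key=$2
  chmod 700 "$dir" || return 1
  mkdir -p -m 700 "$dir/.ssh" || return 1   # no sudo: must stay owned by the user
  chmod 700 "$dir/.ssh"
  [ -f "$dir/.ssh/authorized_keys" ] || : > "$dir/.ssh/authorized_keys"
  chmod 600 "$dir/.ssh/authorized_keys"
  # idempotent: append only if this exact line is not already there
  if ! grep -qxF "$key" "$dir/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$dir/.ssh/authorized_keys"
  fi
  chmod 500 "$dir"
}

# Number of key lines currently in DIR/.ssh/authorized_keys.
count_keys() {
  wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Verify the layout sshd will accept from the unmounted home.
check_perms() {
  dir=$1
  [ -d "$dir/.ssh" ] || return 1
  [ -f "$dir/.ssh/authorized_keys" ] || return 1
  not_group_world_writable "$dir" || return 1
  [ "$(stat -c '%a' "$dir/.ssh")" = "700" ] || return 1
  not_group_world_writable "$dir/.ssh/authorized_keys" || return 1
  return 0
}

# Wrapper for a real encrypted home: unmount, install, remount.
# Not run by the checks below; call it as: install_key_unmounted "$YOUR_PUBLIC_KEY"
install_key_unmounted() {
  /sbin/umount.ecryptfs_private || return 1
  install_key_into_dir "$HOME" "$1"
  rc=$?
  /sbin/mount.ecryptfs_private
  return $rc
}

# Constructed placeholder key line (not a valid key), for demonstration only.
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey0000000000000000 user@example'
```

Run `install_key_unmounted` once per user who needs key login; running it twice with the same key is harmless because the append is skipped when the line already exists.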

Note that you must do this for every user who wants to log in with SSH. If that is a burden, the alternative is to set AuthorizedKeysFile in /etc/ssh/sshd_config to a location outside the encrypted homes (for example /etc/ssh/authorized_keys/%u), which sshd can read regardless of whether the home is mounted.