Linux – OpenSSH server refuses to accept key authentication unless logged into server locally

linuxopensshrsasshUbuntu

My server is running Ubuntu-Server and ahs OpenSSH-Server installed on it. I set up the /etc/ssh/sshd_config file to accept and require rsa keys, it looks for keys in the 'AuthorizedKeys ~/.ssh/authorized_keys' file. In that file I have two separate public keys, one created using putty that I am using with WinSCP and one created from Secure Shell Client.

My issue is that I have to log in as my user on the server before the authentication works. If I were to remotely reboot the server, then try to ssh into it, I get an error saying my key could not be authenticated and I am rejected access. Soon as I walk over and login to the sever locally I can then ssh in remotely as long as that user stays logged in.

Any idea on what I may be doing wrong here? Im thinking I have my AuthorizedKeys parameter set up incorrectly in the /etc/ssh/sshd_config file

Best Answer

So, just as i guessed: Your $HOME is actually within an encrypted container whic is only opened upon login. In order to let you into the system the sshd wants the public-key before it lets you in and thus is some kind of egg-chicken problem.

One option to dance around the problem is to put the .ssh/authorized_keys file into some other place via the following change to the /etc/ssh/sshd_config:

 AuthorizedKeysFile      /home/.ssh/%u

So, user joe has his public-keys in /home/.ssh/joe etc etc.

Another idea worth trying is to do something like this:

$> login
<os unlocks encrypted /home/joe>
$> cp .ssh/authorized_keys /tmp/
$> logout
<os locks encrypted /home/joe again>
$> mkdir /home/joe/.ssh/
$> cp /tmp/authorized_keys /home/joe/.ssh/

The idea is to pull the authorized_keys file out of the encrypted container (just like the first idea) and then place that unencrypted file at the right place. When you log into the system the OS then will mount your encrypted home as some kind of 'overlay' ontop of /home/joe, hiding the unencrypted .ssh/authorized_keys.

The third idea might involve some port-knocking: You trigger some kind of network-traffic to some secret port(s) with some secret data which then triggers the OS to unlock your encrypted home. After the knocking procedure you will be able to log into the system.

General disadvantage / things to consider: these ideas depend on how you have encrypted your $HOME. If the encryption needs your password to unencrypt the data then you have to provide it somehow.

Related Solutions

Ubuntu – OpenSSH server refuses to accept key authentication

Check that your .ssh folder and the files inside it on the client machine are only readable by the owner (chmod -R 600 .ssh) and that the owner is correct for the folder and files (use chown command if necessary).

Also check the authorized_keys folder and file on the server (probably in /root/.ssh or the home folder of the user trying to login) to make sure their permissions and owner are set in the same way.

Edit: based on more feedback (and some guesswork!) - can you check /etc/ssh/sshd_config and see whether the following parameter is set like below. If not, try editing it.

AuthorizedKeysFile /home/%u/.ssh/authorized_keys

Note, this assumes you don't login remotely as root

Linux – Can’t ssh into remote server unless I login locally on the server first

The answer was as Michal Politowski said in the comments. Encrypted home directory contained the .ssh folder, so it wasn't accessible to ssh command until I logged on locally and decrypted the folder. Solution was to create /home/ssh/%user%/ and place the authorized_keys file there, then direct ssh to look there via sshd_config. See comments for link to useful web page.

Best Answer

Related Solutions

Ubuntu – OpenSSH server refuses to accept key authentication

Linux – Can’t ssh into remote server unless I login locally on the server first

Related Question