SSH Public Key authentication – works only after a physical login
I am trying to connect via SSH to my ubuntu server with public key authentication.
For some reason I get a “Permission denied (publickey).” on the client whenever I execute
ssh -i ~/.ssh/id_rsa <username>@<ip> -p <port>.
The auth.log on my server has the following output:
sshd: Connection closed by <client-ip> [preauth]
But as soon as I log in physically on my server with the same username, the next ssh connection from my client succeeds. As soon as I log out physically, the next ssh session from my client fails.
# What ports, IPs and protocols we listen for
Port <port>
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
ClientAliveInterval 30
ClientAliveCountMax 99999
Any clues why this could happen? Or do you have any security recommendations?
As mentioned in the comment, you’re using an encrypted home directory, and are likely using pam_mount to mount it.
pam_mount mounts the partition using the password acquired during login. Since you’re trying to log in via ssh public keys there are 2 issues:
- There is no password being sent during public key authentication, so it can’t mount your home directory using it.
- When using pam_mount, your home directory is mounted after login, but sshd needs to read your authorized_keys file before login, and at that point it is not mounted.
Either of these issues is enough to prevent it from working.
The only solution is to get your public keys out of the home directory. This is actually rather simple.
First copy the authorized_keys file out of the home directory:
cp -a /home/$USER/.ssh/authorized_keys /home/$USER-authorized_keys
Then configure sshd to use that file by adding the following to /etc/ssh/sshd_config (replace the existing entry if present):
AuthorizedKeysFile .ssh/authorized_keys /home/%u-authorized_keys
Note however that this will not mount your home directory. Your home directory still needs your password to decrypt. Depending on how you have pam_mount configured, it might prompt you for your password, or it might just drop you into a shell with your home unmounted.
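The relocation the answer describes, as a runnable added example that is not part of the original answer and not OpenSSH's own tooling: it generalizes the single /home/%u-authorized_keys path to a per-user file under a root-owned directory (the /etc/ssh/authorized_keys/%u layout), and adds the StrictModes-style permission check you would want to run before restarting sshd, since a group- or world-writable key file is silently ignored and you would be back to "Permission denied (publickey)". The user name alice, the sample key, the sample sshd_config and the temporary directories are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: move a user's
# authorized_keys out of a pam_mount-mounted home so sshd can read it before
# login mounts the home, then point sshd_config at the relocated file.
# "alice", the key directory and the sample config are constructed for this
# demo; on a real host run the functions as root against /etc/ssh/sshd_config
# and a directory such as /etc/ssh/authorized_keys.

# relocate_keys USER HOME_DIR DEST_DIR
# Copy HOME_DIR/.ssh/authorized_keys to DEST_DIR/USER with mode 0600.
relocate_keys() {
    user=$1
    home_dir=$2
    dest_dir=$3
    src="$home_dir/.ssh/authorized_keys"
    [ -r "$src" ] || { echo "relocate_keys: cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" && chmod 0755 "$dest_dir"
    # install copies and sets the mode in one step. Add -o "$user" when
    # running as root: StrictModes rejects files owned by anyone but the
    # user or root.
    install -m 0600 "$src" "$dest_dir/$user"
}

# check_key_file FILE
# Mimic the StrictModes checks sshd applies before trusting a key file:
# a regular file, with neither it nor its directory group/world-writable.
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "check_key_file: $f is not a regular file" >&2; return 1; }
    for p in "$f" "$(dirname "$f")"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "check_key_file: $p is group- or world-writable" >&2
            return 1
        fi
    done
}

# set_authorized_keys_file CONFIG DEST_DIR
# Replace the active AuthorizedKeysFile directive (or append one) so sshd
# tries the relocated file first and falls back to the in-home copy.
set_authorized_keys_file() {
    cfg=$1
    dest_dir=$2
    line="AuthorizedKeysFile $dest_dir/%u .ssh/authorized_keys"
    awk -v line="$line" '
        tolower($1) == "authorizedkeysfile" { if (!done) print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Stand-alone demo on a constructed home and sshd_config in a temp directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/home/alice/.ssh"
    # Constructed sample key (not a real key) and the directive from the question.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForDemoOnly alice@laptop' \
        > "$work/home/alice/.ssh/authorized_keys"
    printf '%s\n' 'PubkeyAuthentication yes' \
        'AuthorizedKeysFile %h/.ssh/authorized_keys' 'StrictModes yes' > "$work/sshd_config"
    relocate_keys alice "$work/home/alice" "$work/keys"
    set_authorized_keys_file "$work/sshd_config" "$work/keys"
    check_key_file "$work/keys/alice"
    echo "relocated key file: $work/keys/alice"
    cat "$work/sshd_config"
    rm -rf "$work"
}

demo
```

On the real host, run `sshd -t` after editing the config and keep your current session open while you test with `ssh -v` from a second terminal, so a typo in sshd_config or a rejected key file cannot lock you out. The fallback `.ssh/authorized_keys` entry keeps the in-home copy working once the home is mounted, which is why a second key added only there will again show the "works only after a physical login" behaviour from the question.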