SSH Public Key authentication – works only after a physical login
I am trying to connect via SSH to my ubuntu server with public key authentication.
For some reason I get a “Permission denied (publickey).” on the client whenever I execute

```
ssh -i ~/.ssh/id_rsa <username>@<ip> -p <port>
```
The auth.log on my server has the following output:

```
sshd[1425]: Connection closed by <client-ip> [preauth]
```
But as soon as I log in physically on my server with the same username, the following ssh connection from my client succeeds. As soon as I log out physically, the next ssh session from my client fails again.
/etc/ssh/sshd_config:

```
# What ports, IPs and protocols we listen for
Port <port>
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
ClientAliveInterval 30
ClientAliveCountMax 99999
```
Any clues why this could happen? Or do you have any recommendations regarding security?
Thank you!
As mentioned in the comment, you’re using an encrypted home directory, and are likely using pam_mount to mount it.
pam_mount mounts the partition using the password acquired during login. Since you’re trying to log in via ssh public keys, there are 2 issues:

- There is no password being sent during public key authentication, so it can’t mount your home directory using it.
- When using pam_mount, your home directory is mounted after login, but sshd needs to read your authorized_keys file before login, and thus it’s not mounted yet.

Either of these issues is enough to prevent it from working.
The only solution is to get your public keys out of the home directory. This is actually rather simple.

First copy the authorized_keys file out of the home directory:

```
cp -a /home/$USER/.ssh/authorized_keys /home/$USER-authorized_keys
```

Then tell sshd to use that file by adding the following to /etc/ssh/sshd_config (replace the existing entry if present):

```
AuthorizedKeysFile .ssh/authorized_keys /home/%u-authorized_keys
```

And bounce sshd.
Note however that this will not mount your home directory. Your home directory still needs your password to decrypt. Depending on how you have pam_mount configured, it might prompt you for your password, or it might just drop you into a shell with your home unmounted.
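The relocation procedure from the answer above, scripted as an added example (this is not code from the original answer). The two functions take the home base directory, the key directory and the sshd_config path as parameters so the steps can be rehearsed against a scratch directory before touching `/etc/ssh/sshd_config`; the `apply` branch at the bottom, the `sshd -t` validation and the `service ssh restart` call are assumptions about an Ubuntu host and are not part of the original answer. The copied file is forced to mode 0600 because `StrictModes yes` in the posted config makes sshd refuse a key file that is group- or world-writable.

```shell
#!/bin/sh
# Added example, not from the original answer: move a user's authorized_keys out
# of a pam_mount/encrypted home so sshd can read it before the home is mounted,
# then point AuthorizedKeysFile at the relocated copy.
set -eu

# relocate_authorized_keys USER HOMEBASE KEYDIR
# Copies $HOMEBASE/$USER/.ssh/authorized_keys to $KEYDIR/$USER-authorized_keys.
# Fails (non-zero) when the source is unreadable, which is exactly what happens
# while the encrypted home is not mounted: run this from a physical/mounted session.
relocate_authorized_keys() {
    user=$1; homebase=$2; keydir=$3
    src="$homebase/$user/.ssh/authorized_keys"
    dst="$keydir/$user-authorized_keys"
    [ -r "$src" ] || { echo "cannot read $src (home not mounted?)" >&2; return 1; }
    mkdir -p "$keydir"
    cp -a "$src" "$dst"          # -a keeps owner and mode, as in the answer
    chmod 0600 "$dst"            # StrictModes rejects group/world-writable key files
    # chown only matters when run as root on the real host; skipped in a dry run
    [ "$(id -u)" -eq 0 ] && chown "$user" "$dst"
    echo "$dst"
}

# set_authorized_keys_file SSHD_CONFIG KEYDIR
# Replaces the active AuthorizedKeysFile line (or appends one) so sshd checks the
# in-home file first and the relocated copy second. %u expands to the login name.
# A backup of the config is left beside it as <config>.bak. Prints the number of
# active AuthorizedKeysFile lines afterwards (expected: 1).
set_authorized_keys_file() {
    cfg=$1; keydir=$2
    line="AuthorizedKeysFile .ssh/authorized_keys $keydir/%u-authorized_keys"
    if grep -qE '^[[:space:]]*AuthorizedKeysFile' "$cfg"; then
        sed -i.bak -E "s|^[[:space:]]*AuthorizedKeysFile.*|$line|" "$cfg"
    else
        printf '%s\n' "$line" >> "$cfg"
    fi
    grep -c '^AuthorizedKeysFile' "$cfg"
}

# Real run (assumption: Ubuntu layout, run as root from a session where the home
# is mounted):  sh relocate-keys.sh apply <username>
if [ "${1:-}" = "apply" ]; then
    relocate_authorized_keys "$2" /home /home
    set_authorized_keys_file /etc/ssh/sshd_config /home
    sshd -t && service ssh restart   # validate the config before bouncing sshd
fi
```

Keep the physical session open until a second ssh connection has succeeded with the home unmounted; `sshd -t` only catches syntax errors, not a wrong path or permissions on the relocated file. `ssh -vvv` on the client shows which key the server rejects if it still fails.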