SSH Public Key authentication – works only after a physical login

I am trying to connect via SSH to my ubuntu server with public key authentication.
For some reason I get a “Permission denied (publickey).” on the client, whenever I execute

ssh -i ~/.ssh/id_rsa <username>@<ip> -p <port>.

The auth.log on my server has the following output:

sshd[1425]: Connection closed by <client-ip> [preauth]

But as soon as I log in physically on my server, with the same username, the following ssh connection from my client succeeds. But as soon as I log out physically, the next ssh session from my client fails.


# What ports, IPs and protocols we listen for
Port <port>
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no

PermitEmptyPasswords no
ChallengeResponseAuthentication no

PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

ClientAliveInterval 30
ClientAliveCountMax 99999

Any clues why this could happen? Or do you have any recommendations regarding security?
Thank you!

Asked By: caiuspb


As mentioned in the comment, you’re using an encrypted home directory, and are likely using pam_mount to mount it.
pam_mount mounts the partition using the password acquired during login. Since you’re trying to log in via ssh public keys there are 2 issues:

  1. There is no password being sent during public key authentication, so it can’t mount your home directory using it.
  2. When using pam_mount, your home directory is mounted after login, but sshd needs to get your authorized_keys file before login, and thus it’s not mounted.

Either of these issues is enough to prevent it from working.

The only solution is to get your public keys out of the home directory. This is actually rather simple.

First copy the authorized_keys file out of the home directory:

cp -a /home/$USER/.ssh/authorized_keys /home/$USER-authorized_keys

Then tell sshd to use that file by adding the following to /etc/ssh/sshd_config (replace existing entry if present):

AuthorizedKeysFile .ssh/authorized_keys /home/%u-authorized_keys

And bounce sshd.

Note however that this will not mount your home directory. Your home directory still needs your password to decrypt. Depending on how you have pam_mount configured, it might prompt you for your password, or it might just drop you into a shell with your home unmounted.

Answered By: phemmer
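The procedure in the answer above, as an added example that is not phemmer's own commands: the copy, the sshd_config edit and the restart as shell functions, plus the checks a practitioner wants before restarting sshd on a remote box. Assumptions of mine, not stated on the page: the home is /home/<user> and the copy goes to /home/<user>-authorized_keys, the same paths the answer uses; an optional PREFIX argument is prepended to every path so the functions can be tried against a scratch directory before running as root; StrictModes yes is in effect (as in the posted config), so the relocated file and its parent directory must not be group- or world-writable or sshd ignores them; and the host is Ubuntu, where `service ssh restart` restarts the daemon. The username is taken as an explicit argument because under sudo `$USER` is typically root, which would make the answer's `cp` line copy from the wrong home.

```shell
#!/bin/sh
# Added example, not phemmer's own commands: the answer's fix as a script with
# the checks a practitioner wants before restarting sshd on a remote host.
#
# Assumptions (mine, not stated on the page):
#   - the home is /home/<user> and the copy goes to /home/<user>-authorized_keys,
#     the same paths the answer uses;
#   - PREFIX (second argument, default empty) is prepended to every path so the
#     functions can be tried against a scratch directory before running as root;
#   - StrictModes yes (as in the posted config), so the copy and its parent
#     directory must not be group- or world-writable or sshd will ignore them;
#   - an Ubuntu host where "service ssh restart" restarts the daemon.
set -eu

NEW_DIRECTIVE='AuthorizedKeysFile .ssh/authorized_keys /home/%u-authorized_keys'

# copy_keys_out USER [PREFIX]
# Copy the key file to a path sshd can read while the encrypted home is
# unmounted. Takes the username explicitly: under sudo, $USER is "root".
copy_keys_out() {
    user=$1
    prefix=${2:-}
    src="$prefix/home/$user/.ssh/authorized_keys"
    dst="$prefix/home/$user-authorized_keys"
    [ -r "$src" ] || { echo "cannot read $src (is the home mounted?)" >&2; return 1; }
    cp "$src" "$dst"
    chmod 0644 "$dst"
    # StrictModes accepts a file owned by root or by the user; give it to the
    # user on the live system (no chown when exercising a scratch PREFIX).
    if [ -z "$prefix" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dst"
    fi
}

# safe_perms PATH
# The StrictModes test sshd applies: group- or world-writable means rejected.
safe_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r-- or drwxr-xr-x
    case $mode in
        ?????w*|????????w*)
            echo "$1 is group/world-writable; StrictModes will ignore it" >&2
            return 1 ;;
    esac
    return 0
}

# set_authorized_keys_file CONFIG
# Replace the existing AuthorizedKeysFile directive (the posted config has
# "%h/.ssh/authorized_keys") so exactly one remains; if there is none, put the
# new one at the top so it cannot land inside a trailing Match block, where it
# would apply only conditionally.
set_authorized_keys_file() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    if grep -q '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg"; then
        awk -v line="$NEW_DIRECTIVE" '
            /^[ \t]*AuthorizedKeysFile[ \t]/ { if (!done) { print line; done = 1 }; next }
            { print }' "$cfg" > "$tmp"
    else
        { printf '%s\n' "$NEW_DIRECTIVE"; cat "$cfg"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# apply_fix USER
# The full procedure on the live host. Validate with "sshd -t" first: a
# restart on a broken config locks you out of a headless server.
apply_fix() {
    user=$1
    copy_keys_out "$user"
    safe_perms /home
    safe_perms "/home/$user-authorized_keys"
    set_authorized_keys_file /etc/ssh/sshd_config
    /usr/sbin/sshd -t || { echo "sshd_config rejected, not restarting" >&2; return 1; }
    service ssh restart
}

if [ $# -ge 1 ]; then
    apply_fix "$1"
fi
```

Run it as root with the username as the only argument (for example `sudo sh relocate-keys.sh alice`, a hypothetical file name) while the home is still mounted, since the source file is otherwise unreadable. As the answer notes, this only fixes authentication: pam_mount still needs the password, so the session may land in an unmounted home.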