
I set up an sshd passwordless server, and I got the following problem:

If I log into my 16.04 box physically, I can, afterwards, log in on it via ssh.

If I don't do it (e.g. remotely reboot my machine) I cannot log in on it via ssh, because it rejects my key.

Suggestions?

NOTE: Here is my configuration file:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 1907
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
#
# Compression
Compression yes
  • Can you add the output you get when you attempt to log in and the certificate is refused? Use ssh -vvv -p 1907 jdoe@myserver. Also, is your home folder local or remote (NFS...) or maybe encrypted? Commented Nov 17, 2017 at 11:34
  • As A.B points out, the SSH server logs will show much more information than verbosely running ssh. It would be useful to edit your question to include the relevant entries from the SSH server logs (could also be /var/log/secure, depending on distribution). See the SSH tag help: unix.stackexchange.com/questions/tagged/ssh Commented Nov 17, 2017 at 11:48
  • Thanks for your replies, I will include my logs next time I have access to the machine (I hope it will be today). Commented Nov 17, 2017 at 13:21
  • I didn't mention that my home is encrypted. I think this is my problem. Is there any workaround? Commented Nov 17, 2017 at 13:22
  • Unsure what you mean by Passwordless Server. You've set, PasswordAuthentication no + PermitRootLogin prohibit-password, so it appears you'll have to login as non-root person, using a keyfile (so /etc/passwd + /etc/shadow will be ignored). Maybe you can clarify how you'd like to login + someone can assist you. Commented Nov 17, 2017 at 14:05

1 Answer

If your home directory is encrypted, then SSH does not have access to the authorized_keys before you login. You have to login with a password for your home directory to be unencrypted.

One workaround is to change the source of authorized keys in SSH configuration as mentioned in the comments. Another is to copy your authorized_keys to your bare home directory. Assuming you have admin privileges, you could:

  • remount the root device at another location so that you have access to your bare home directory (which is masked by the encrypted directory mounted over it when you login)
  • copy ~/.ssh/authorized_keys there, replicating the structure and permissions

First find out which device is mounted on / (use lsblk, mount, etc. - I'll use /dev/sda1 for example). Then:

# mount the root filesystem a second time so the bare home directory is reachable
sudo mount /dev/sda1 /mnt
# recreate ~/.ssh in the bare home (run as your own user so ownership matches)
mkdir -p "/mnt/$HOME/.ssh"
cp "$HOME/.ssh/authorized_keys" "/mnt/$HOME/.ssh/authorized_keys"
# StrictModes rejects the key if .ssh or authorized_keys is group/world-writable
chmod -R og-rwx "/mnt/$HOME/.ssh"

You'll have to repeat the copying each time you update it.

  • Thanks. May I ask what you do mean by "bare" home, and where to learn more about it? Commented Nov 18, 2017 at 10:29
  • @MadHatter as in your home directory before the encrypted contents are mounted on it. Sorry, I couldn't think of anything better to call it. Commented Nov 18, 2017 at 10:35
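Added example, not code from the answer above: a POSIX sh version of the copy step that also verifies the permission rules sshd enforces under StrictModes yes, since a group- or world-writable bare home, .ssh or authorized_keys would make sshd reject the key just as silently as a missing file. The helper names stage_bare_authorized_keys and check_strictmodes_perms are my own; the script assumes the root filesystem is already mounted a second time (e.g. sudo mount /dev/sda1 /mnt, as in the answer) and runs as the home directory's owner.

```shell
#!/bin/sh
# Added example, not from the original answer. Copies authorized_keys into the
# "bare" (underlying, unencrypted) home directory and verifies the permissions
# sshd checks under StrictModes yes. Assumes the root filesystem is already
# mounted a second time (e.g. `sudo mount /dev/sda1 /mnt`, as in the answer)
# and that this runs as the home directory's owner so ownership stays correct.

# check_strictmodes_perms BARE_HOME (hypothetical helper name)
# Returns 0 when BARE_HOME, BARE_HOME/.ssh and the authorized_keys file exist
# and none of them is group- or world-writable; StrictModes rejects keys otherwise.
check_strictmodes_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        # ls -ld prints e.g. drwxr-xr-x; columns 6 and 9 are the group/other write bits
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "group/world writable: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# stage_bare_authorized_keys SRC_HOME BARE_HOME (hypothetical helper name)
# SRC_HOME is the decrypted home (normally $HOME), BARE_HOME the raw directory
# underneath the encrypted mount (e.g. "/mnt$HOME").
stage_bare_authorized_keys() {
    src="$1/.ssh/authorized_keys"
    dst="$2/.ssh/authorized_keys"
    [ -f "$src" ] || { echo "no authorized_keys in $1" >&2; return 1; }
    mkdir -p "$2/.ssh" || return 1
    cp "$src" "$dst" || return 1
    # The answer uses chmod -R og-rwx; explicit modes give the same result.
    chmod 700 "$2/.ssh" && chmod 600 "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "copy mismatch" >&2; return 1; }
    check_strictmodes_perms "$2"
}
```

Re-run stage_bare_authorized_keys "$HOME" "/mnt$HOME" after every change to your authorized_keys, as the answer notes the copy is not kept in sync automatically.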
