Encrypted home directory: files such as authorized_keys that must stay unencrypted

Before we get too far, my question is:

If this is the wrong way to do it, or I am doing it wrong, then what is the right way?

Following this method: https://help.ubuntu.com/community/EncryptedHome

So I saw this in the howto above:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12

The problem is that without a local login, it does not work. I suspect the author forgot to log out all local users and test from a remote machine. There is probably a local tty login hidden on a screen somewhere.

Note: password authentication is disabled, public key only.

From the remote machine I get:

    myuser@remotemachine:~$ ssh oh
    Permission denied (publickey).

Verified with the following test procedure:

From the GUI login screen on the machine in question:

    [CTRL][ALT][F1]
    Ubuntu 14.04.2 LTS otherhost tty1
    otherhost login: myuser
    Password: #######
    Last login: Thu Apr ...
    ... etc. etc.
    myuser@otherhost:~$ w
     17:00:57 up  2:05,  1 user,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    myuser   tty1                      16:40    1.00s  0.22s  0.00s w

OK, so no other users are logged in; only this one local tty. Then:

    myuser@otherhost:~$ cd ..
    myuser@otherhost:/home$ cp ~/.ssh/authorized_keys /tmp/myuser.authorized_keys
    myuser@otherhost:/home$ umount.ecryptfs_private;cd $HOME
    myuser@otherhost:~$ mkdir -m 700 .ssh
    myuser@otherhost:~$ chmod 500 .
    myuser@otherhost:~$ cat /tmp/myuser.authorized_keys > .ssh/authorized_keys
    myuser@otherhost:~$ /sbin/mount.ecryptfs_private
    Signature not found in user keyring
    Perhaps try the interactive 'ecryptfs-mount-private'

OK, that is the first problem.

    myuser@otherhost:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Inserted auth tok with sig [XXXXXXXXXXXXXXXX] into the user session keyring
    INFO: Your private directory has been mounted.
    INFO: To see this change in your current shell:
      cd /home/jim
    myuser@otherhost:~$ ls
    Access-Your-Private-Data.desktop  README.txt
    myuser@otherhost:~$ cd /home/jim

Check to make sure I am still the only user, then log out and switch machines:

    myuser@otherhost:~$ w
     17:00:57 up  2:05,  1 user,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    myuser   tty1                      16:40    1.00s  0.22s  0.00s w
    myuser@otherhost:~$ exit

Now, from the remote computer, with no user logged in on the box that has the encrypted home directory:

    myuser@otherhost:~$ ssh oh
    Permission denied (publickey).
    myuser@otherhost:~$

Turning up the verbosity:

    myuser@otherhost:~$ ssh -v oh
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to oh [192.168.1.111] port 22.
    debug1: Connection established.
    debug1: identity file /home/myuser/.ssh/id_rsa type 1
    debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
    debug1: identity file /home/myuser/.ssh/id_dsa type -1
    debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
    debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
    debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
    debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
    debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
    debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA *********************************************
    debug1: Host 'oh' is known and matches the ECDSA host key.
    debug1: Found key in /home/myuser/.ssh/known_hosts:2
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/myuser/.ssh/id_dsa
    debug1: Trying private key: /home/myuser/.ssh/id_*******
    debug1: Trying private key: /home/myuser/.ssh/id_*******
    debug1: No more authentication methods to try.
    Permission denied (publickey).

Another approach is to specify a different location for AuthorizedKeysFile (the default is ~/.ssh/authorized_keys), which is where SSH looks for the keys it will accept. You can do this by editing /etc/ssh/sshd_config on the server and setting:

    AuthorizedKeysFile /some/path/authorized_keys

According to man 5 sshd_config:

    AuthorizedKeysFile
            Specifies the file that contains the public keys that can be used
            for user authentication.  The format is described in the
            AUTHORIZED_KEYS FILE FORMAT section of sshd(8).  AuthorizedKeysFile
            may contain tokens of the form %T which are substituted during
            connection setup.  The following tokens are defined: %% is replaced
            by a literal '%', %h is replaced by the home directory of the user
            being authenticated, and %u is replaced by the username of that
            user.  After expansion, AuthorizedKeysFile is taken to be an
            absolute path or one relative to the user's home directory.
            Multiple files may be listed, separated by whitespace.  The default
            is “.ssh/authorized_keys .ssh/authorized_keys2”.

I would suggest setting something like:

    AuthorizedKeysFile /some/path/%u/authorized_keys .ssh/authorized_keys .ssh/authorized_keys2

This should allow a fallback to the default location and let you use separate files for different users.
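As an added example (not part of the original answer), a POSIX shell helper that expands the %-tokens the man page excerpt above defines for AuthorizedKeysFile and reports which of the resulting files lie outside the user's home, i.e. which ones sshd can read while an eCryptfs home is still unmounted. The user name, home path and template values are constructed for the example.

```shell
#!/bin/sh
# Added example: expand the AuthorizedKeysFile %-tokens from man 5 sshd_config
# (%% -> '%', %h -> home directory, %u -> user name); a result that is not an
# absolute path is taken relative to the user's home directory.
# Usage: expand_authorized_keys_file TEMPLATE USER HOME
expand_authorized_keys_file() {
    template=$1; user=$2; home=$3
    out=""
    rest=$template
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of the remainder
        rest=${rest#?}
        if [ "$c" = "%" ]; then
            t=${rest%"${rest#?}"}      # token letter following the '%'
            rest=${rest#?}
            case $t in
                %) out="$out%" ;;
                h) out="$out$home" ;;
                u) out="$out$user" ;;
                *) out="$out%$t" ;;    # unknown token: left untouched
            esac
        else
            out="$out$c"
        fi
    done
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s/%s\n' "$home" "$out" ;;
    esac
}

# Expand every whitespace-separated entry of a full AuthorizedKeysFile setting.
# Usage: list_authorized_keys_files SETTING USER HOME
list_authorized_keys_files() {
    setting=$1; user=$2; home=$3
    for entry in $setting; do
        expand_authorized_keys_file "$entry" "$user" "$home"
    done
}

# Succeeds when PATH lies outside HOME, so an encrypted (unmounted) home
# does not hide it from sshd before the user's first login.
# Usage: readable_before_login PATH HOME
readable_before_login() {
    case $1 in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed sample: the setting suggested in the answer, for user "myuser".
list_authorized_keys_files \
    '/some/path/%u/authorized_keys .ssh/authorized_keys .ssh/authorized_keys2' \
    myuser /home/myuser
```

Only the first expanded path is outside /home/myuser; the two fallbacks resolve inside the encrypted home and are unreadable until it is mounted.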