Encrypted home directory - files that must stay unencrypted, such as authorized_keys

Before we go any further, my question is:

If this is the wrong approach, or I'm doing it wrong, what is the correct approach?

Following this guide: https://help.ubuntu.com/community/EncryptedHome

So I think this is what the how-to above refers to:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12

The problem is that it does not work without a local login. I suspect the author forgot to log out all local users and test from remote. There was probably a local tty logged in on some hidden screen.

Note: password authentication is disabled; only public keys are used.

From the remote machine I get:

myuser@remotemachine:~$ ssh oh
Permission denied (publickey).

Verified with the following test procedure:

From the GUI login screen on the machine in question:

[CTRL][ALT][F1]
Ubuntu 14.04.2 LTS otherhost tty1

otherhost login: myuser
Password: #######
Last login: Thu Apr ...
... etc. etc. 
myuser@otherhost:~$ w
 17:00:57 up  2:05,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
myuser   tty1                      16:40    1.00s  0.22s  0.00s w

OK, no other users logged in. Only this one local tty. Then:

myuser@otherhost:~$ cd ..
myuser@otherhost:/home$ cp ~/.ssh/authorized_keys /tmp/myuser.authorized_keys
myuser@otherhost:/home$ umount.ecryptfs_private;cd $HOME
myuser@otherhost:~$ mkdir -m 700 .ssh
myuser@otherhost:~$ chmod 500 .
myuser@otherhost:~$ cat /tmp/myuser.authorized_keys > .ssh/authorized_keys
myuser@otherhost:~$ /sbin/mount.ecryptfs_private
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'

OK, that is the first problem.

myuser@otherhost:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [XXXXXXXXXXXXXXXX] into the user session keyring

 INFO: Your private directory has been mounted.
 INFO: To see this change in your current shell:
   cd /home/jim

myuser@otherhost:~$ ls
Access-Your-Private-Data.desktop  README.txt
myuser@otherhost:~$ cd /home/jim

Check to make sure I am still the only user, then exit and switch machines:

myuser@otherhost:~$ w
 17:00:57 up  2:05,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
myuser   tty1                      16:40    1.00s  0.22s  0.00s w
myuser@otherhost:~$ exit

Now log in from the remote machine to the box with the encrypted home directory and no users logged in:

myuser@otherhost:~$ ssh oh
Permission denied (publickey).
myuser@otherhost:~$ 

Increasing the verbosity:

myuser@otherhost:~$ ssh -v oh
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to oh [192.168.1.111] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_rsa type 1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA *********************************************
debug1: Host 'oh' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Trying private key: /home/myuser/.ssh/id_*******
debug1: Trying private key: /home/myuser/.ssh/id_*******
debug1: No more authentication methods to try.
Permission denied (publickey).

Answer 1

Another approach is to specify a different location for AuthorizedKeysFile (the default is ~/.ssh/authorized_keys), which SSH will check for your keys. You can do this by editing /etc/ssh/sshd_config on the server and setting:

AuthorizedKeysFile /some/path/authorized_keys

According to man 5 sshd_config:

AuthorizedKeysFile
     Specifies the file that contains the public keys that can be used
     for user authentication.  The format is described in the
     AUTHORIZED_KEYS FILE FORMAT section of sshd(8).
     AuthorizedKeysFile may contain tokens of the form %T which are
     substituted during connection setup.  The following tokens are
     defined: %% is replaced by a literal '%', %h is replaced by the
     home directory of the user being authenticated, and %u is
     replaced by the username of that user.  After expansion,
     AuthorizedKeysFile is taken to be an absolute path or one
     relative to the user's home directory.  Multiple files may be
     listed, separated by whitespace.  The default is
     “.ssh/authorized_keys .ssh/authorized_keys2”.

I would suggest setting it like this:

AuthorizedKeysFile /some/path/%u/authorized_keys .ssh/authorized_keys .ssh/authorized_keys2

This should allow falling back to the default location, and lets you use a separate file for each user.
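The two things that decide whether either layout works are the token expansion quoted from sshd_config(5) above and sshd's StrictModes permission check, which also applies to the unmounted-home copy made in the question (`chmod 500 .`, `mkdir -m 700 .ssh`). The script below is an added example, not code from the question, the answer or OpenSSH: it models both rules in POSIX shell on a constructed directory tree and a placeholder key, so that a candidate AuthorizedKeysFile list can be dry-run before touching a real server. The `/etc/ssh/authorized_keys.d/%u` path is one concrete choice for the answer's `/some/path/%u`; GNU `stat -c` (Linux) is assumed.

```shell
#!/bin/sh
# Added example: model sshd's AuthorizedKeysFile token expansion and its
# StrictModes permission walk. Not sshd itself; paths, the key and the
# temporary tree are constructed for the demonstration.
set -eu

# expand_akf PATTERN USER HOME -> absolute path sshd would open.
# %% -> '%', %u -> user name, %h -> home directory; a relative result is
# taken relative to the home directory (man 5 sshd_config). Scans left to
# right so '%%u' yields a literal '%u' rather than the user name.
expand_akf() {
    awk -v pat="$1" -v user="$2" -v home="$3" 'BEGIN {
        out = ""; n = length(pat)
        for (i = 1; i <= n; i++) {
            c = substr(pat, i, 1)
            if (c != "%") { out = out c; continue }
            t = substr(pat, ++i, 1)
            if (t == "%") out = out "%"
            else if (t == "u") out = out user
            else if (t == "h") out = out home
            else { print "unknown token %" t > "/dev/stderr"; exit 1 }
        }
        if (substr(out, 1, 1) != "/") out = home "/" out
        print out
    }'
}

# strict_modes_ok FILE USER STOPDIR -> 0 if FILE and every directory from
# it up to STOPDIR (inclusive) are owned by USER or root and are neither
# group- nor world-writable. This is what sshd enforces with
# "StrictModes yes" before it trusts an authorized_keys file; STOPDIR
# stands in for the home directory (sshd stops there, or at /).
strict_modes_ok() {
    p=$1; want=$2; stop=$3
    [ -f "$p" ] || return 1
    while :; do
        owner=$(stat -c '%U' "$p") || return 1   # GNU stat assumed
        mode=$(stat -c '%a' "$p")
        [ "$owner" = "$want" ] || [ "$owner" = root ] || return 1
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1  # g+w or o+w rejects it
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# first_usable_akf "PATTERN ..." USER HOME STOPDIR -> first listed file that
# exists and passes strict_modes_ok. Real sshd reads every listed file and
# accepts a key found in any of them; this just shows which entries count.
first_usable_akf() {
    for pat in $1; do
        f=$(expand_akf "$pat" "$2" "$3")
        if strict_modes_ok "$f" "$2" "$4"; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# setup_demo_tree -> prints a temp root holding three constructed layouts:
#   etc/ssh/authorized_keys.d/USER/authorized_keys  (the answer's per-user file)
#   home/USER/.ssh/authorized_keys                   (the question's unmounted-home copy)
#   bad/USER/authorized_keys                         (group-writable parent: rejected)
setup_demo_tree() {
    root=$(mktemp -d); u=$(id -un)
    mkdir -p "$root/etc/ssh/authorized_keys.d/$u" "$root/home/$u/.ssh" "$root/bad/$u"
    key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey $u@example"  # constructed
    for d in "$root/etc" "$root/etc/ssh" "$root/etc/ssh/authorized_keys.d" \
             "$root/etc/ssh/authorized_keys.d/$u" "$root/home" "$root/bad/$u"; do chmod 755 "$d"; done
    chmod 775 "$root/bad"                       # the mistake: group-writable directory
    printf '%s\n' "$key" > "$root/etc/ssh/authorized_keys.d/$u/authorized_keys"
    printf '%s\n' "$key" > "$root/home/$u/.ssh/authorized_keys"
    printf '%s\n' "$key" > "$root/bad/$u/authorized_keys"
    chmod 644 "$root/etc/ssh/authorized_keys.d/$u/authorized_keys" "$root/bad/$u/authorized_keys"
    chmod 600 "$root/home/$u/.ssh/authorized_keys"
    chmod 700 "$root/home/$u/.ssh"; chmod 500 "$root/home/$u"   # what the question did
    printf '%s\n' "$root"
}

cleanup_demo_tree() { chmod -R u+w "$1"; rm -rf "$1"; }

# Stand-alone demonstration: the group-writable entry is skipped, the
# per-user file under etc/ssh is the first one sshd would accept.
demo_root=$(setup_demo_tree); demo_user=$(id -un)
first_usable_akf "$demo_root/bad/%u/authorized_keys $demo_root/etc/ssh/authorized_keys.d/%u/authorized_keys .ssh/authorized_keys" \
    "$demo_user" "$demo_root/home/$demo_user" "$demo_root"
cleanup_demo_tree "$demo_root"
```

On a real server the equivalent dry-run is `sshd -t` for syntax plus `ssh -v` from the client, and the same StrictModes rules mean the per-user directory under `/etc/ssh` must be root-owned and `0755` at most, with the file `0644` or `0600`.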
