Before we dive in, my question is:
If this is the wrong approach, or I am doing it wrong, what is the right way?
Following this method: https://help.ubuntu.com/community/EncryptedHome
So I saw this in the howto above:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/362427/comments/12
The problem is that it does not work without a local login. I suspect the author forgot to log out all local users and test from a remote machine. There may be a local tty logged in on a hidden screen somewhere.
Note: password authentication is disabled, public key only.
From the remote machine I get:
myuser@remotemachine:~$ ssh oh
Permission denied (publickey).
Verified by the following test procedure:
From the GUI login screen on the machine in question:
[CTRL][ALT][F1]
Ubuntu 14.04.2 LTS otherhost tty1
otherhost login: myuser
Password: #######
Last login: Thu Apr ...
... etc. etc.
myuser@otherhost:~$ w
17:00:57 up 2:05, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
myuser tty1 16:40 1.00s 0.22s 0.00s w
OK, so no other user is logged in. Only this local tty. Then:
myuser@otherhost:~$ cd ..
myuser@otherhost:/home$ cp ~/.ssh/authorized_keys /tmp/myuser.authorized_keys
myuser@otherhost:/home$ umount.ecryptfs_private;cd $HOME
myuser@otherhost:~$ mkdir -m 700 .ssh
myuser@otherhost:~$ chmod 500 .
myuser@otherhost:~$ cat /tmp/myuser.authorized_keys > .ssh/authorized_keys
myuser@otherhost:~$ /sbin/mount.ecryptfs_private
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'
OK, that is the first problem.
myuser@otherhost:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [XXXXXXXXXXXXXXXX] into the user session keyring
INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/jim
myuser@otherhost:~$ ls
Access-Your-Private-Data.desktop README.txt
myuser@otherhost:~$ cd /home/jim
Checked to make sure I was still the only user, then logged out and switched machines:
myuser@otherhost:~$ w
17:00:57 up 2:05, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
myuser tty1 16:40 1.00s 0.22s 0.00s w
myuser@otherhost:~$ exit
Now from the remote machine, with no user logged in on the box that has the encrypted home directory:
myuser@otherhost:~$ ssh oh
Permission denied (publickey).
myuser@otherhost:~$
Turning up the verbosity:
myuser@otherhost:~$ ssh -v oh
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to oh [192.168.1.111] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_rsa type 1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA *********************************************
debug1: Host 'oh' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Trying private key: /home/myuser/.ssh/id_*******
debug1: Trying private key: /home/myuser/.ssh/id_*******
debug1: No more authentication methods to try.
Permission denied (publickey).
An alternative is to specify another location for AuthorizedKeysFile (default ~/.ssh/authorized_keys), which is where SSH looks for your key. You can do that by editing and setting it in /etc/ssh/sshd_config on the server. According to man 5 sshd_config, I would suggest setting:
This should allow falling back to the default location and let you use separate files for different users.
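As an added example of the approach described in this answer (my own script, not the answerer's setting and not from the original thread): a POSIX shell script that stages a user's public keys outside the encrypted home, checks the result the way sshd's StrictModes would, and prints the AuthorizedKeysFile line with the default path kept as a fallback. The directory /etc/ssh/authorized_keys is my assumed location; the %u token is expanded by sshd to the login name as sshd_config(5) documents.

```shell
#!/bin/sh
# Added example, not from the original thread. Stages a user's public keys in a
# directory outside the (ecryptfs) home so sshd can read them before the home is
# mounted, and emits the matching AuthorizedKeysFile directive. The path
# /etc/ssh/authorized_keys is an assumption; sshd expands %u to the login name.
set -eu

# Directive with the out-of-home file first and the default as fallback.
# $1 = directory holding one file per user
authorized_keys_directive() {
    printf 'AuthorizedKeysFile %s/%%u .ssh/authorized_keys' "$1"
}

# Copy a user's authorized_keys (read while the home is still mounted) to
# <root>/<user>, dropping blank lines. Run as root in production so the file
# and its parent are root-owned; sshd's StrictModes rejects files others can write.
# $1 = keys root, $2 = user name, $3 = source file. Prints the staged path.
stage_user_keys() {
    dest="$1/$2"
    mkdir -p -m 755 "$1"
    grep -v '^[[:space:]]*$' "$3" > "$dest" || { rm -f "$dest"; return 1; }
    chmod 644 "$dest"
    printf '%s\n' "$dest"
}

# Sanity check: regular file, no group/other write bit, and every non-comment
# line carries a field that looks like a key type (options may precede it).
check_staged_keys() {
    [ -f "$1" ] || return 1
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    go=${perm#"${perm%??}"}            # last two octal digits: group, other
    case "$go" in *[2367]*) return 1 ;; esac
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*(#|$)/ { next }
         { ok = 0; for (i = 1; i <= NF; i++) if ($i ~ /^(sk-)?(ssh-|ecdsa-)/) ok = 1
           if (!ok) bad = 1 }
         END { exit bad }' "$1"
}

# Demo on a constructed sample in a temporary directory (no root needed).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample, not a real credential' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER myuser@remotemachine' \
    > "$demo/src"
staged=$(stage_user_keys "$demo/keys" myuser "$demo/src")
check_staged_keys "$staged" && echo "staged: $staged"
authorized_keys_directive /etc/ssh/authorized_keys; echo
```

After staging, the printed directive goes into /etc/ssh/sshd_config and sshd is reloaded; the default ~/.ssh/authorized_keys entry remains as the second path so existing logins keep working once the home is mounted.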