No way to mount the encrypted private directory when logging in over ssh using public key auth
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ecryptfs-utils (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: ecryptfs-utils
Observed with ecryptfs-utils 53-1ubuntu8.
Steps to reproduce:
1) Set up your box so that you can login via ssh using public key authentication
2) Set up an encrypted private folder for yourself
3) Logout locally so that the encrypted private folder is unmounted
4) Login remotely using your ssh key
What happens:
The encrypted private directory is not mounted automatically and can't be mounted manually using ecryptfs-
What should happen:
I understand why the above happens, and I appreciate that the ideal solution (automount of the encrypted private folder in this case) may well not be feasible because of security considerations, but I think that ecryptfs-
I wouldn't even mind if I have to write something like ecryptfs-
Thanks for the report.
I'm intrigued, because I've been struggling with this mightily, what the best solution might be here.
I really think the best option is to *ONLY* put your private key in the encrypted private directory (or at the very least, keep authorized_keys in the public).
I suggest a structure like the following:
```
~$ tree -a
|-- .ssh
|   |-- config
|   |-- id_rsa -> Private/.ssh/id_rsa
|   |-- id_rsa.keystore
|   |-- id_rsa.pub
|   `-- known_hosts
`-- Private
    `-- .ssh
        `-- id_rsa

3 directories, 6 files
```
Here, only your private key is in ~/Private, and linked into its proper place. The only time you should need access to your private key, you'd presumably be logged into your system and have your ~/Private directory mounted.
What do you think?
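The layout suggested in the comment above, scripted as an added example (this is not code from the bug report or from ecryptfs-utils): the private key is moved into the encrypted ~/Private and a symlink is left in ~/.ssh, while the public key and authorized_keys stay in the plain ~/.ssh so key-based logins keep working. It assumes POSIX sh and a mount check that reads /proc/mounts (overridable through the `IS_MOUNTED` variable); the home directory and key name are passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example, not code from the bug report or ecryptfs-utils: relocate an
# SSH private key into the encrypted ~/Private and leave a symlink in ~/.ssh.
# authorized_keys and the public key stay in the plain ~/.ssh, so logins with
# the key still work while ~/Private is unmounted; only the private key
# becomes unreadable. Assumptions: POSIX sh, eCryptfs mounted on $home/Private.

: "${IS_MOUNTED:=private_is_mounted}"

# /proc/mounts lines read "<lower> <mountpoint> ecryptfs <options> 0 0".
private_is_mounted() {
    grep -qs " $1 ecryptfs " /proc/mounts
}

relocate_private_key() {
    home="$1"
    key="${2:-id_rsa}"
    src="$home/.ssh/$key"
    dstdir="$home/Private/.ssh"

    # Never move the key while ~/Private is unmounted: it would land in the
    # unencrypted directory underneath the mount point.
    $IS_MOUNTED "$home/Private" || { echo "$home/Private is not mounted" >&2; return 1; }

    # Already a symlink: relocation was done earlier, nothing to do.
    if [ -L "$src" ]; then
        return 0
    fi
    [ -f "$src" ] || { echo "no private key at $src" >&2; return 1; }

    mkdir -p "$dstdir"
    chmod 700 "$dstdir"
    mv "$src" "$dstdir/$key"
    chmod 600 "$dstdir/$key"
    # The link lives in ~/.ssh, so a relative target has to climb one level.
    ln -s "../Private/.ssh/$key" "$src"
}

# True only while the key resolves through the link, i.e. while ~/Private is
# mounted; after unmount the link dangles and ssh simply has no key to offer.
private_key_available() {
    [ -r "$1/.ssh/${2:-id_rsa}" ]
}

# Usage: sh relocate_key.sh run [keyname]
case "${1:-}" in
    run) relocate_private_key "$HOME" "${2:-id_rsa}" ;;
esac
```

Run it once from a session that has ~/Private mounted; on a later ssh login with the directory unmounted, `private_key_available` is false and the key material is simply absent, which is the property the comment is after.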
To answer your question about a hypothetical "ecryptfs-mount-private --ask-password", let me explain how it would flow...
* user requests a mount of encrypted ~/Private
* if it's already mounted, exit
* try to mount with the key(s) currently in the user's keyring (see: keyctl show), exit on success
* key is not in the keyring, so ask the user if they know the mount passphrase
* prompt for mount passphrase and add to keyring (see: ecryptfs-add-passphrase)
* retry the mount
I think this is a reasonable feature request, and I'll open a new bug upstream about it (and link here). But specifically for the ssh issue, I think that would be better handled by intelligently selecting what belongs in an encrypted ~/Private, and what does not (or cannot).
Thanks,
:-Dustin
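The flow sketched in the comment above, written out as an added example (this is not ecryptfs-utils code and not the feature as implemented anywhere): a POSIX sh function that checks for an existing mount, tries the session keyring first, and only then asks the user for the mount passphrase and retries. It assumes `mount.ecryptfs_private` (mounts ~/Private with the key already in the session keyring, non-zero exit when the key is missing) and `ecryptfs-add-passphrase` (prompts for the mount passphrase and inserts it into the keyring); both are called through variables so the same logic can be exercised against stand-ins, and the yes/no prompt is a small function of its own.

```shell
#!/bin/sh
# Added example, not ecryptfs-utils code: the "ask for the passphrase only
# when the keyring lacks the key" flow from the comment above. Assumed
# commands: mount.ecryptfs_private and ecryptfs-add-passphrase from
# ecryptfs-utils. They are invoked through variables so the logic can be
# tested with stand-ins.

: "${IS_MOUNTED_CMD:=private_is_mounted}"
: "${MOUNT_CMD:=mount.ecryptfs_private}"
: "${ADD_PASSPHRASE_CMD:=ecryptfs-add-passphrase}"
: "${CONFIRM_CMD:=confirm_tty}"

# /proc/mounts lines read "<lower> <mountpoint> ecryptfs <options> 0 0".
private_is_mounted() {
    grep -qs " $1 ecryptfs " /proc/mounts
}

# Yes/no question on the controlling terminal; exit status 0 means yes.
confirm_tty() {
    printf '%s [y/N] ' "$1" > /dev/tty
    IFS= read -r answer < /dev/tty
    case "$answer" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# Exit status: 0 = ~/Private is mounted, 1 = user declined to enter the
# passphrase, 2 = the mount still fails after the passphrase was added.
mount_private_ask() {
    target="${1:-$HOME/Private}"

    # Step 1: already mounted, nothing to do.
    if $IS_MOUNTED_CMD "$target"; then
        return 0
    fi
    # Step 2: try with whatever key the session keyring already holds
    # (the same keys "keyctl show" would list).
    if $MOUNT_CMD >/dev/null 2>&1; then
        return 0
    fi
    # Step 3: key not in the keyring; does the user know the mount passphrase?
    $CONFIRM_CMD "Mount passphrase is not in your keyring. Enter it now?" || return 1
    # Step 4: prompt for it and insert it into the keyring.
    $ADD_PASSPHRASE_CMD || return 2
    # Step 5: retry the mount.
    $MOUNT_CMD >/dev/null 2>&1 && return 0
    return 2
}

# Usage: sh mount_private_ask.sh run [mountpoint]
case "${1:-}" in
    run) mount_private_ask "${2:-$HOME/Private}"; exit $? ;;
esac
```

Note that nothing here stores or caches the passphrase: it is typed into `ecryptfs-add-passphrase`, which puts only the resulting key into the kernel session keyring, so an ssh session that never enters the passphrase never gains access.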