pam_ssh does not work with ecryptfs for ~ enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libpam-ssh (Ubuntu) | Triaged | Medium | Unassigned | 
Bug Description
Binary package hint: libpam-ssh
Running Ubuntu 10.04 (x86_64, Xubuntu variant), installed from Xubuntu Desktop-LiveCD with the "encrypted home directory"-option enabled.
There apparently is a problem in how pam_ssh and ecryptfs (via PAM) work together: If both are set up in the packages' respective default manners (as pam-auth-update sets them up), pam_ssh will do its magic before ecryptfs has decrypted and mounted the user's home directory, which also happens to contain his/her private key.
If that's the case, pam_ssh will fail in very strange ways (only to be observed when debugging is enabled for the module). For example, during the session phase, it logs that it was unable to start ssh-agent - only for the user to find out later that it actually started it, but did not add any identities (because they weren't available in the filesystem at the time it tried to add them to the agent, I guess).
Afaict, there needs to be some sort of synchronisation introduced between (those two) PAM modules - pam_ssh must not do its stuff before ecryptfs is finished decrypting and mounting over ~. I guess that'll involve some finicky stuff being done in pam_ssh.c - at least I haven't found a way to get what is needed by fiddling with PAM's configuration alone.
I worked around the problem for now by copying my private key into ~/.ssh whilst my ecryptfs-protected private directory was _not_ mounted over ~. This is somewhat ugly, but appears to work fine enough for now.
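As an added diagnostic (not from the bug report or the libpam-ssh package), the following POSIX shell function reads a PAM config file and reports whether pam_ssh.so is stacked before pam_ecryptfs.so for a given module type, which is the ordering the report describes. The sample config it runs on is constructed to mirror that ordering and is not copied from a real system; the check only confirms the ordering, it does not fix it.

```shell
#!/bin/sh
# pam_order_check FILE TYPE   (TYPE is a PAM module type: auth, session, ...)
# Prints one of: ssh-before-ecryptfs | ecryptfs-before-ssh | missing
pam_order_check() {
    file=$1
    type=$2
    ssh_pos=0
    ecfs_pos=0
    n=0
    # PAM config lines are "type control module-path [args]"; the control
    # field may be bracketed, so match the module name on the rest of the line.
    while read -r ptype rest || [ -n "$ptype" ]; do
        n=$((n + 1))
        case "$ptype" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$ptype" = "$type" ] || continue
        case "$rest" in
            *pam_ssh.so*)      if [ "$ssh_pos" -eq 0 ]; then ssh_pos=$n; fi ;;
            *pam_ecryptfs.so*) if [ "$ecfs_pos" -eq 0 ]; then ecfs_pos=$n; fi ;;
        esac
    done < "$file"
    if [ "$ssh_pos" -eq 0 ] || [ "$ecfs_pos" -eq 0 ]; then
        echo missing
    elif [ "$ssh_pos" -lt "$ecfs_pos" ]; then
        echo ssh-before-ecryptfs   # ~/.ssh is not mounted yet when pam_ssh runs
    else
        echo ecryptfs-before-ssh
    fi
}

# Constructed sample (assumed layout, not copied from a real 10.04 system):
# pam_ssh precedes pam_ecryptfs in both the auth and the session stack.
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_ssh.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_ecryptfs.so unwrap
session required                    pam_unix.so
session optional                    pam_ssh.so
session optional                    pam_ecryptfs.so unwrap
EOF

pam_order_check "$SAMPLE_PAM" auth      # prints ssh-before-ecryptfs
pam_order_check "$SAMPLE_PAM" session   # prints ssh-before-ecryptfs
```

On a live system, point the function at /etc/pam.d/common-auth and /etc/pam.d/common-session separately, since pam-auth-update writes the two stacks to different files.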
Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as confirmed and let them handle it from here.
The user should not have to provide the unencrypted key to get this to work.
Thanks for taking the time to make Ubuntu better!