Mint: No SSH key-based login with encrypted home directory

The problem

We had a PC running Ubuntu 14.04 (with encrypted home folders), and OpenSSH.  We use key-based authentication on all our servers, and so we duly copied our public SSH key into ~/.ssh/authorized_keys.  However, the computer seemed to ignore this key!  Whenever we tried to SSH into the PC, we would be forced to enter a password.

After a bit of troubleshooting we realised that, if an SSH session was already established and the user opened a second session, the key-based authentication worked just fine!
What is happening?

The Cause

The clue is in the first sentence of this post.  Within a user’s home directory is a hidden directory called .ssh, and within that a file named authorized_keys. This file is used to store the public key of every user that is allowed to use key-based authentication to SSH in.

Because the home directory was still encrypted (it is only decrypted and mounted once the user has logged in), sshd could not read the authorized_keys file, so the user had to be prompted for the next best thing, which just happened to be a password.  Of course, once the user has been authenticated, the home directory is decrypted and mounted – which is why the second session worked.

The Solution

The fix is simple: by moving your authorized_keys file to a location outside the encrypted home directory, sshd can read the public key before login without compromising the computer’s security. Hat tip to Ubuntu’s Community Help Wiki for the process!

Note: ‘$(id -un)’ below simply inserts your current username.  If this isn’t what you want, replace it with the desired username.

First of all, we need to create a folder outside of your home directory to house the authorized_keys file:

sudo mkdir /etc/ssh/$(id -un)

This directory should have 755 permissions (owner has full access and groups/others have read/execute access) and be owned by the user.

sudo chmod 755 /etc/ssh/$(id -un)
sudo chown $(id -un):$(id -un) /etc/ssh/$(id -un)

Move the authorized_keys file into it.

sudo mv ~/.ssh/authorized_keys /etc/ssh/$(id -un)

The authorized_keys file should have 644 permissions (owner has read/write access and groups/others have read access) and be owned by the user.

sudo chmod 644 /etc/ssh/$(id -un)/authorized_keys
sudo chown $(id -un) /etc/ssh/$(id -un)/authorized_keys

Now open up your sshd_config file in whichever text editor you prefer (we’ve gone with nano, as always):

sudo nano /etc/ssh/sshd_config

We need to add the following line, which tells sshd where to look for the authorized_keys file (if the file already contains an uncommented AuthorizedKeysFile line, edit that one rather than adding a second, since sshd uses the first value it reads for a keyword):

AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

Finally, restart ssh with:

sudo service ssh restart

And that should be all she wrote! The next time you try to log into that user account via SSH, the authorized_keys file can be accessed and you should be logged in without a password prompt.
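As an added example (not part of the original post), here are the steps above collected into shell functions, plus two checks a practitioner would want: one that confirms the directory and file layout sshd’s StrictModes check will accept, and one that reports which AuthorizedKeysFile line sshd will actually honour. The function names and the KEYS_BASE variable are this example’s own; it assumes GNU stat and must be run with sudo for the real /etc/ssh.

```shell
#!/bin/bash
# Added example: relocate a user's authorized_keys out of an encrypted home so
# sshd can read it before the home is decrypted and mounted.
# KEYS_BASE, the function names and the usage below are assumptions of this
# example, not part of the original post.
set -eu

KEYS_BASE="${KEYS_BASE:-/etc/ssh}"   # parent of the per-user key directories

# Move $home/.ssh/authorized_keys to $KEYS_BASE/$user/authorized_keys with the
# permissions the post prescribes: 755 directory, 644 file, both owned by $user.
relocate_authorized_keys() {
    user="$1"; home="$2"
    src="$home/.ssh/authorized_keys"
    dir="$KEYS_BASE/$user"
    [ -f "$src" ] || { echo "no $src to move" >&2; return 1; }
    mkdir -p "$dir"
    chmod 755 "$dir"
    mv "$src" "$dir/authorized_keys"
    chmod 644 "$dir/authorized_keys"
    chown "$user" "$dir" "$dir/authorized_keys"
}

# Verify the layout sshd's StrictModes check accepts: directory and file exist,
# carry the expected modes, and are owned by the user (or root).
check_authorized_keys_layout() {
    user="$1"
    dir="$KEYS_BASE/$user"
    file="$dir/authorized_keys"
    [ -d "$dir" ] && [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "755" ] || return 1
    [ "$(stat -c '%a' "$file")" = "644" ] || return 1
    owner_dir=$(stat -c '%U' "$dir"); owner_file=$(stat -c '%U' "$file")
    [ "$owner_dir" = "$user" ] || [ "$owner_dir" = "root" ] || return 1
    [ "$owner_file" = "$user" ] || [ "$owner_file" = "root" ] || return 1
}

# sshd honours the first AuthorizedKeysFile it reads (outside Match blocks), so
# a line appended after an existing one is silently ignored. Print the first
# uncommented value found in the given sshd_config.
effective_authorized_keys_file() {
    awk 'tolower($1)=="authorizedkeysfile" { $1=""; sub(/^ +/,""); print; exit }' "$1"
}

# Usage (as root):
#   relocate_authorized_keys alice /home/alice && check_authorized_keys_layout alice
#   effective_authorized_keys_file /etc/ssh/sshd_config
```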