The following instructions set up an SSH server on Ubuntu Linux for a user whose home directory is encrypted.
<username> refers to an actual username like
Install OpenSSH server:
sudo apt-get install openssh-server
Create a backup of sshd_config (note the d: it is sshd_config, not ssh_config) and make the backup read-only:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Then edit sshd_config to initially accept password logins:
sudo gedit /etc/ssh/sshd_config
Change the line
#PasswordAuthentication yes
to read
PasswordAuthentication yes
(i.e. remove the #) and only allow certain users, so the relevant lines become:
PasswordAuthentication yes
AllowUsers <username>
Finally tell the configuration file to look in /etc/ssh/<username>/authorized_keys for client keys. The default is to look in ~/.ssh/, which is no good because the home directory is encrypted until you've logged in, so sshd cannot read a key file stored there.
Restart the ssh server with:
sudo service ssh restart
Next create the authorized_keys file and give it the appropriate permissions:
sudo mkdir /etc/ssh/<username>/
sudo chown <username> /etc/ssh/<username>
sudo chmod 755 /etc/ssh/<username>
sudo touch /etc/ssh/<username>/authorized_keys
sudo chown <username> /etc/ssh/<username>/authorized_keys
sudo chmod 644 /etc/ssh/<username>/authorized_keys
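sshd only trusts an authorized_keys file (and the directories above it) when it is owned by the user or by root and is not group- or world-writable; that is what the chown/chmod steps above achieve, and a wrong mode makes key logins fail silently while password logins still work. The following script is an added example, not part of the original guide, that checks those conditions for the directory and file just created. It assumes GNU stat (Linux) and that the key directory is /etc/ssh/<username> unless a second argument is given.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that the out-of-home
# authorized_keys location satisfies sshd's ownership and mode rules.
# Assumes GNU coreutils `stat -c` (Linux).

# check_keyfile_perms USER [KEYDIR]
# Prints a line per problem and returns non-zero if anything is wrong.
check_keyfile_perms() {
    user="$1"
    keydir="${2:-/etc/ssh/$user}"
    keyfile="$keydir/authorized_keys"
    rc=0
    for path in "$keydir" "$keyfile"; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$path")   # owning user name
        mode=$(stat -c '%a' "$path")    # octal mode, e.g. 755 or 644
        # Ownership must be the login user or root.
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "BAD OWNER: $path is owned by $owner, expected $user or root"
            rc=1
        fi
        # Group and world write bits (022) must be clear.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE: $path is mode $mode (group or world writable)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $keyfile is usable by sshd"
    return "$rc"
}

# Usage on the server, after the mkdir/chown/chmod steps:
#   check_keyfile_perms <username>
```

Run it as any user that can read /etc/ssh/<username>; a "BAD MODE" or "BAD OWNER" line is the usual reason sshd falls back to asking for a password after the key setup.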
Then copy the client’s public key to
The easiest way to do that is to ssh in to the server (which is why we allowed password logins earlier) and do it from there.
So from the client:
Copy the key to the clipboard then:
Enter the login password when prompted, then:
nano /etc/ssh/<username>/authorized_keys # Paste the key here and save
Disable password logins in /etc/ssh/sshd_config (set PasswordAuthentication back to no) and restart the ssh server (sudo service ssh restart, on the server).
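The sshd_config edits above (PasswordAuthentication, AllowUsers, the key file location) and the final step of turning password logins off again are easy to get subtly wrong: sshd honours only the first occurrence of a keyword, so a leftover "PasswordAuthentication yes" above your new "no" line silently wins. The script below is an added example, not part of the original guide, that reads the effective value of each keyword the way sshd does and reports whether the configuration matches the end state this guide aims for. It assumes the key file directive is AuthorizedKeysFile and that the path points under /etc/ssh/ as set up above (either a literal user name or sshd's %u token, which expands to the logging-in user).

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for the
# end state of this guide: key-only logins, restricted users, keys outside
# the encrypted home. Assumes the keys live at /etc/ssh/<user>/authorized_keys
# or /etc/ssh/%u/authorized_keys.

# sshd_opt FILE KEYWORD
# Print the value of the FIRST uncommented occurrence of KEYWORD (the one
# sshd actually uses). Keyword matching is case-insensitive, like sshd.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd_config [FILE]
# Returns non-zero and prints a FAIL line for each unmet expectation.
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    users=$(sshd_opt "$cfg" AllowUsers)
    keys=$(sshd_opt "$cfg" AuthorizedKeysFile)

    # Missing keyword means sshd's default, which is "yes" here.
    case "$pw" in
        no) ;;
        *) echo "FAIL: PasswordAuthentication is '${pw:-<default yes>}', expected no"; rc=1 ;;
    esac
    [ -n "$users" ] || { echo "FAIL: no AllowUsers line, any account may attempt login"; rc=1; }
    # Missing keyword means the default .ssh/authorized_keys inside $HOME,
    # which is unreadable while the home directory is still encrypted.
    case "$keys" in
        */etc/ssh/*/authorized_keys*) ;;
        *) echo "FAIL: AuthorizedKeysFile is '${keys:-<default .ssh/authorized_keys>}', inside the encrypted home"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: key-only logins for '$users', keys read from $keys"
    return "$rc"
}

# Usage on the server, before restarting sshd:
#   audit_sshd_config /etc/ssh/sshd_config
```

Run the audit before "sudo service ssh restart", and keep the existing session open while you test a fresh key login from the client; sshd's own syntax check, "sudo sshd -t", catches malformed lines but not a logically wrong order of directives, which is what the audit is for.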
Login is now done using the ssh keys, without a password prompt.
On first connection the client will ask whether the host key fingerprint sent by the server is correct before adding it to its list of known hosts. Check that it is right by running
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
on the server and comparing the fingerprint it prints with the one in the prompt.
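Comparing the fingerprint by eye is where people go wrong: the client prompt names the key type and shows the fingerprint with a trailing full stop, while the server's ssh-keygen output puts the type in parentheses at the end of the line, and both the type and the whole fingerprint must agree. The helper below is an added example, not part of the original guide, that parses both forms and compares them exactly. It assumes the current OpenSSH formats ("RSA key fingerprint is SHA256:....", and "3072 SHA256:.... comment (RSA)" from ssh-keygen -l); the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the host key
# fingerprint shown by the client prompt with the server's own
# `ssh-keygen -l` output. Assumes current OpenSSH output formats.

# server_key_id LINE
# LINE is one line of `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key`, e.g.
# "3072 SHA256:abcDEF123 root@server (RSA)" (constructed). Prints "TYPE FP".
server_key_id() {
    printf '%s\n' "$1" | awk '{ type = $NF; gsub(/[()]/, "", type); print type, $2 }'
}

# client_key_id LINE
# LINE is the prompt line on the client, e.g.
# "RSA key fingerprint is SHA256:abcDEF123." (constructed). Prints "TYPE FP".
client_key_id() {
    printf '%s\n' "$1" | awk '{ fp = $NF; sub(/\.$/, "", fp); print $1, fp }'
}

# host_key_matches CLIENT_LINE SERVER_LINE
# Returns 0 only if key type and fingerprint both match exactly.
# The comparison is case-sensitive on purpose: the fingerprint is base64.
host_key_matches() {
    c=$(client_key_id "$1")
    s=$(server_key_id "$2")
    [ -n "$c" ] && [ "$c" = "$s" ]
}

# On the server, list every host key fingerprint so the client's prompt can
# be checked whichever key type the client negotiated. Older clients show an
# MD5 colon-hex fingerprint instead; `ssh-keygen -l -E md5 -f FILE` prints
# that form for comparison.
server_host_fingerprints() {
    for pub in /etc/ssh/ssh_host_*_key.pub; do
        [ -r "$pub" ] && ssh-keygen -l -f "$pub"
    done
}
```

If the type or fingerprint differs, answer "no" at the prompt and investigate before connecting again; once the key is accepted the client stores it, and the check is never repeated for that host.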