Encrypted /home versus ssh/2FA login

So we read online that if you encrypt your /home/user directory in Linux (a typical option at installation time), it’s much harder, if not impossible, to get a secure SSH login using public/private keys and a 2FA code.

Well, we don’t think so. That opinion is driven by the knowledge that, well, we do all of the above. It does require some tweaking of config files, but hardly what we would call Rocket Science.

The basic problem is that after a reboot, a user’s ecryptfs-encrypted /home/user directory is not mounted until that user’s password is entered at the FIRST login. So if you attempt an SSH login that relies on public/private keys, the authorized public key stored under /home/user can’t be read, and the login fails. The same goes for a 2FA credential using e.g. Google’s Authenticator app: /home/user has to be decrypted before the user’s 2FA secret can be read, so a 2FA login can’t be validated either.

The solution is simple and built into Linux: store your SSH public key and 2FA credentials in a location that is already readable before the user logs in, such as a directory under /etc or /var (almost any place outside the encrypted home will do).
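As an added example (not from the original post), here are the relocated sshd and PAM settings together with a small POSIX shell check that reports, for a given directive path, whether the credential would be readable before the user’s first login. The sshd `AuthorizedKeysFile` directive and pam_google_authenticator’s `secret=`/`user=` options are real; the /etc/ssh/authorized_keys and /var/lib/google-authenticator locations are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. It assumes OpenSSH's
# AuthorizedKeysFile directive and pam_google_authenticator's secret= option
# (both real); the /etc and /var paths below are illustrative choices.
# Print the relocated configuration: the "before" lines are the defaults
# that point into the (still locked) home directory, the "after" lines move
# the credentials to locations that are readable before the first login.
hardened_config() {
    cat <<'EOF'
# /etc/ssh/sshd_config
#   before: AuthorizedKeysFile .ssh/authorized_keys   (default, relative to $HOME)
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
# /etc/pam.d/sshd
#   before: auth required pam_google_authenticator.so   (reads ~/.google_authenticator)
auth required pam_google_authenticator.so secret=/var/lib/google-authenticator/${USER} user=root
EOF
}

# Expand sshd's %u/%h and PAM's ${USER}/${HOME} tokens for one user; a
# relative AuthorizedKeysFile is resolved against the home directory.
expand_user_path() {  # $1 = directive path, $2 = username
    p=$(printf '%s\n' "$1" | sed -e 's|%u|'"$2"'|g' -e 's|\${USER}|'"$2"'|g' \
                                 -e 's|%h|/home/'"$2"'|g' -e 's|\${HOME}|/home/'"$2"'|g')
    case "$p" in
        /*) printf '%s\n' "$p" ;;
        *)  printf '/home/%s/%s\n' "$2" "$p" ;;
    esac
}

# 0 if the path lies outside the user's home (readable before login), else 1.
outside_home() {  # $1 = absolute path, $2 = home directory
    case "$1" in
        "$2"|"$2"/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Classify a directive path: "ok" if the credential can be read while the
# home is still encrypted, "locked" if it only becomes readable after login.
check_directive() {  # $1 = directive path, $2 = username
    p=$(expand_user_path "$1" "$2")
    if outside_home "$p" "/home/$2"; then echo ok; else echo locked; fi
}

# Constructed demonstration for the user "alice" (home assumed at /home/alice).
for d in '.ssh/authorized_keys' '/etc/ssh/authorized_keys/%u' \
         '${HOME}/.google_authenticator' '/var/lib/google-authenticator/${USER}'; do
    printf '%-45s %s\n' "$d" "$(check_directive "$d" alice)"
done
```

Because sshd enforces StrictModes on the key file and its parent directories, keep /etc/ssh/authorized_keys owned by root and not group- or world-writable, with each per-user file readable by sshd.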

If there’s any interest, we might even write up a tutorial on how to do this. Let us know. 🙂