How do I get Xwindows to work when I am using an encrypted Drive?

My friend Mike Jansen pinged me this afternoon with an interesting problem.  

Here is the background:

He has setup a Linux VM and needs to get to it remotely from his PC running Windows.  He has xming(A great free XWindows server for Windows) and connects to the machine over SSH.  He decided he would take security to the next level and encrypted his personal directory.  Interesting fact is that when you do this on Ubuntu your home directory isn't decrypted or mounted until you actually login.  Why is that a problem?  Well as part of the login process SSH puts the magic-coookie XWindows needs to start into your /home/<UserID>/.Xauthority file.  The next thing that happens is that your encrypted directory is decrypted and mounted to /home/<UserID>/ which then hides /home/<UserID>/.Xauthority under the mount.  At that point it breaks X and stops you from running the XWindows Programs.  Unless you do something like what Mike pieced together.  What Mike has below should work system wide for all users.  You should as with all scripts test this out on a non-production system first.

Here is what he gave back to be to post to for everyone:

So I got my issue with encrypted home and ssh/xauth figured out. The solution is actually simple once it's figured out :)

The basic idea for xauth transfer was from http://froebe.net/blog/2008/11/14/getting-xlib-putty-x11-proxy-wrong-authentication-protocol-attempted-i-have-the-answer/

SSHRC

The idea for this came from the man page for SSH. 

I got rid of ~/.ssh/rc and put this in /etc/ssh/sshrc:


if read proto cookie && [ -n "$DISPLAY" ]; then
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
# X11UseLocalhost=yes
echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
else
# X11UseLocalhost=no
echo add $DISPLAY $proto $cookie
fi | xauth -q -
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
xauth list > $MYXAUTH
chmod go-r $MYXAUTH
fi

Mount encrypted home

The idea's behind this section came from this page http://ubuntuforums.org/showpost.php?p=8452729&postcount=7

In /etc/profile, I mount encrypted home (if it's not already mounted):


if test -e $HOME/.ecryptfs/auto-mount; then
mount | grep "$HOME type ecryptfs"
if test $? != 0; then
ecryptfs-mount-private
fi
fi

BASHRC


I got rid of ~/.bash_login and put this in /etc/bash.bashrc:


# Load xauth information from pre-encrypt mounting ssh initialiation
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
if [ -e "$MYXAUTH" ]; then
xauth add `cat $MYXAUTH`
rm $MYXAUTH
fi

Sample SSH LOGIN after Implementation



Here's what my ssh login looks like now (I have a bunch of outputs to understand the flow and make sure my real and effective uid's are what I expect):


Using username "mike-jansen".
Authenticating with public key "REALLY_COOL_DEV_SERVER" from agent
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic-pae i686)

* Documentation: https://help.ubuntu.com/

56 packages can be updated.
29 updates are security updates.

Last login: Thu Sep 22 15:48:24 2011 from myworkstation.mynetwork.com
------ BEGIN /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ BEGIN /etc/profile Real [mike-jansen] Effective [mike-jansen]
Enter your login passphrase:
Inserted auth tok with sig [c46ead8832a353d7] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/mike-jansen

------ BEGIN /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.profile Real [mike-jansen] Effective [mike-jansen]

 

 

Notes:  

*For those who don't know ~ is a shortcut to the current users home directory as recorded in the user repoistory for the system.

 

 

 

 

 

 

Brian Wagner

Brian started working with *nix in while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex) he was tasked with administering Sendmail on both Slackware Linux and Solaris Systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 Mhz PowerMac. Since then Brian has been working and consulting on Linux and it's uses in the Enterprise to support everything from E-Mail, Firewalls, Web and File serving to custom cluster solutions and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2 person organizations. This has given him the unique insight into the differences every size business faces.

Ever want to know how to do cool Command line tricks?

I ran across this site tonight, www.bashscripts.info, while playing with G+.  It's a site with a lot of videos of how to do all kinds of useful stuff in Bash.  You can never beat seeing what it's gonna look like.  They have scripts going back several years.  They all looked pretty cool and most are less than 5 minutes. Check it out.

Brian Wagner

Brian started working with *nix in while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex) he was tasked with administering Sendmail on both Slackware Linux and Solaris Systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 Mhz PowerMac. Since then Brian has been working and consulting on Linux and it's uses in the Enterprise to support everything from E-Mail, Firewalls, Web and File serving to custom cluster solutions and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2 person organizations. This has given him the unique insight into the differences every size business faces.