How do I get Xwindows to work when I am using an encrypted Drive?

My friend Mike Jansen pinged me this afternoon with an interesting problem.  

Here is the background:

He has set up a Linux VM and needs to reach it remotely from his PC running Windows. He uses Xming (a great free X Windows server for Windows) and connects to the machine over SSH. He decided to take security to the next level and encrypted his home directory. The interesting fact is that when you do this on Ubuntu your home directory isn't decrypted or mounted until you actually log in. Why is that a problem? As part of the login process, SSH puts the magic cookie X Windows needs to start into your /home/<UserID>/.Xauthority file. The next thing that happens is that your encrypted directory is decrypted and mounted on /home/<UserID>/, which hides /home/<UserID>/.Xauthority under the mount. At that point X is broken and you can't run X Windows programs, unless you do something like what Mike pieced together. What Mike has below should work system-wide for all users. As with all scripts, test this out on a non-production system first.

Here is what he gave back to me to post for everyone:

So I got my issue with encrypted home and ssh/xauth figured out. The solution is actually simple once it’s figured out 🙂

The basic idea for xauth transfer was from http://froebe.net/blog/2008/11/14/getting-xlib-putty-x11-proxy-wrong-authentication-protocol-attempted-i-have-the-answer/

SSHRC

The idea for this came from the man page for SSH. 

I got rid of ~/.ssh/rc and put this in /etc/ssh/sshrc:

# sshd pipes the "proto cookie" pair for the forwarded display into sshrc;
# register it with xauth exactly as the example in sshd(8) does.
if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | xauth -q -
    # Home is not mounted yet, so park the cookie where it stays reachable
    # after ecryptfs mounts over /home/<user>. Create the file with a
    # restrictive umask so it is never world-readable, even briefly.
    MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
    (umask 077; xauth list > "$MYXAUTH")
    chmod go-r "$MYXAUTH"
fi

Mount encrypted home

The ideas behind this section came from this page http://ubuntuforums.org/showpost.php?p=8452729&postcount=7

In /etc/profile, I mount encrypted home (if it’s not already mounted):

# Mount the encrypted home if this user has one and it is not mounted yet.
if test -e "$HOME/.ecryptfs/auto-mount"; then
    if ! mount | grep -q "$HOME type ecryptfs"; then
        ecryptfs-mount-private
    fi
fi

BASHRC

I got rid of ~/.bash_login and put this in /etc/bash.bashrc:

# Load the xauth information that /etc/ssh/sshrc saved before the encrypted home was mounted
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
if [ -e "$MYXAUTH" ]; then
    # `xauth list` writes one "display proto cookie" entry per line; add each one
    while read -r display proto cookie; do
        [ -n "$cookie" ] && xauth add "$display" "$proto" "$cookie"
    done < "$MYXAUTH"
    # the hand-off file has done its job; remove it
    rm -f "$MYXAUTH"
fi

Sample SSH LOGIN after Implementation

Here's what my ssh login looks like now (I have a bunch of outputs to understand the flow and make sure my real and effective UIDs are what I expect):

Using username "mike-jansen".
Authenticating with public key "REALLY_COOL_DEV_SERVER" from agent
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic-pae i686)

* Documentation: https://help.ubuntu.com/

56 packages can be updated.
29 updates are security updates.

Last login: Thu Sep 22 15:48:24 2011 from myworkstation.mynetwork.com
------ BEGIN /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ BEGIN /etc/profile Real [mike-jansen] Effective [mike-jansen]
Enter your login passphrase:
Inserted auth tok with sig [c46ead8832a353d7] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/mike-jansen

------ BEGIN /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.profile Real [mike-jansen] Effective [mike-jansen]

Notes:  

*For those who don't know, ~ is a shortcut to the current user's home directory as recorded in the user repository for the system.
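The three scripts above are one procedure acting on a single hand-off file: sshrc writes the cookie to /home/.ecryptfs/<user>/.xauth before the encrypted home is mounted, profile mounts the home, and bash.bashrc replays the file into the real .Xauthority. Below is an added example (my own code, not Mike's and not from the original post) that isolates the two pieces of that hand-off a practitioner would want to check: the DISPLAY-to-xauth name mapping the sshrc snippet performs, and validation of each saved line before it is fed to `xauth add`. The function names, the stub that stands in for xauth, and the sample hand-off file (including its cookie value) are all constructed here; the hand-off path is the one the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the sshrc -> bashrc
# cookie hand-off used with an encrypted home. Function names are mine.

# Map $DISPLAY to the name the cookie is stored under, as the sshrc snippet
# does: with X11UseLocalhost=yes sshd sets DISPLAY=localhost:N.S and the entry
# must be stored as unix:N.S; with X11UseLocalhost=no the value is used as-is.
xauth_display_name() {
    case "$1" in
        localhost:*) printf 'unix:%s\n' "${1#localhost:}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Check one "display proto cookie" line saved from `xauth list` before it is
# replayed with `xauth add`: exactly three fields, the MIT-MAGIC-COOKIE-1
# protocol and a 32-hex-digit cookie. Anything else is refused.
valid_xauth_line() {
    set -f                       # no globbing while splitting the line
    set -- $1
    set +f
    [ "$#" -eq 3 ] || return 1
    [ "$2" = "MIT-MAGIC-COOKIE-1" ] || return 1
    case "$3" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#3}" -eq 32 ]
}

# Replay every valid line of a hand-off file through the command given as the
# remaining arguments (normally: xauth add). Skips malformed lines, prints the
# number of entries replayed, and fails if the file cannot be read.
replay_xauth_file() {
    file=$1; shift
    count=0
    [ -r "$file" ] || return 1
    while IFS= read -r line; do
        if valid_xauth_line "$line"; then
            # word-splitting $line into display, proto and cookie is intended
            "$@" $line && count=$((count + 1))
        fi
    done < "$file"
    echo "$count"
}

# Write a constructed hand-off file: one good entry (made-up cookie value) and
# one garbage line. The umask mirrors what sshrc should use for the real file.
write_sample_handoff() {
    (
        umask 077
        cat > "$1" <<'EOF'
devserver/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
this line is not an xauth entry
EOF
    )
}

# Stand-alone demonstration: a stub stands in for xauth so this runs without X.
demo_xauth() { echo "would run: xauth $*"; }
tmp=$(mktemp)
write_sample_handoff "$tmp"
xauth_display_name localhost:10.0
replay_xauth_file "$tmp" demo_xauth add
rm -f "$tmp"
```

Running it prints `unix:10.0`, the single `would run: xauth add devserver/unix:10 MIT-MAGIC-COOKIE-1 …` line for the good entry, and `1` for the count; the garbage line is dropped instead of producing an `xauth add` error in every new shell. Swapping `demo_xauth add` for `xauth add` turns `replay_xauth_file` into a drop-in for the loop in /etc/bash.bashrc.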
