
I'm confused. Why can't they remote login to a box with their home directory encrypted?

Is it not enough to have the pubkey stored outside their home? e.g.

    # /etc/ssh/sshd_config
    AuthorizedKeysFile /var/ssh/%u/authorized_keys

Once they authenticate they can run cryptsetup or what-have-you. To me that sounds way better than having randos guess your luks passphrase.


Yes, that's certainly a solution.

Or using a certification authority for users (TrustedUserCAKeys in sshd_config), so that any user that has a signed certificate, and owns the corresponding private key, would be allowed to log in. No further updates of authorized_keys files needed.

And, to further automate the ssh login, maybe your LUKS container could have a second (Nth) key-slot being a random key RSA-encrypted with the other machine's identity private key? (https://bjornjohansen.no/encrypt-file-using-ssh-key for examples)

But generally, I really dislike the use of LUKS in this case, as I think a filesystem based encryption (not encrypting whole block devices) would make more sense. I understand that this isn't as mature as LUKS, though.
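
An added example (not from the thread and not OpenSSH code) that checks the point made in the two comments above: given sshd_config text, does public-key or certificate authentication depend on files inside a home directory that is still locked? It covers only the authentication step. The user "alice" and the home path are hypothetical, Match blocks are not evaluated, and keyword and value are assumed to be separated by whitespace.

```python
import posixpath

# sshd's built-in default when AuthorizedKeysFile is not set
DEFAULT_KEYS = ".ssh/authorized_keys .ssh/authorized_keys2"

def global_options(text):
    """First-wins global options (lowercased keyword -> value); stops at the first Match."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # simplification: per-user Match overrides are not evaluated
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def expand(pattern, user, home):
    """Expand %h, %u and %%; a relative result is taken relative to the home directory."""
    out = pattern.replace("%%", "\0").replace("%h", home).replace("%u", user)
    out = out.replace("\0", "%")
    return posixpath.normpath(out if out.startswith("/") else posixpath.join(home, out))

def inside(path, directory):
    """True if path is the directory itself or lies below it."""
    directory = posixpath.normpath(directory)
    return path == directory or path.startswith(directory + "/")

def audit(text, user, home):
    """Can `user` pass public-key or certificate auth while `home` is still locked?"""
    opts = global_options(text)
    patterns = opts.get("authorizedkeysfile", DEFAULT_KEYS).split()
    keys = [expand(p, user, home) for p in patterns if p.lower() != "none"]
    outside = [p for p in keys if not inside(p, home)]
    ca = opts.get("trustedusercakeys", "none")
    principals = opts.get("authorizedprincipalsfile", "none")
    # A user CA works without $HOME unless the principals file itself lives in $HOME.
    ca_ok = ca.lower() != "none" and (
        principals.lower() == "none" or not inside(expand(principals, user, home), home))
    return {"key_files": keys, "outside_home": outside,
            "user_ca": ca_ok, "login_without_home": bool(outside) or ca_ok}

if __name__ == "__main__":
    # Constructed sample: the sshd_config line quoted in the thread; "alice" is hypothetical.
    sample = "# /etc/ssh/sshd_config\nAuthorizedKeysFile /var/ssh/%u/authorized_keys\n"
    print(audit(sample, "alice", "/home/alice"))
```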


We actually use something like the above. But that's not sufficient since we cannot set up the PAM session fully if $HOME is not accessible because we can't acquire a password for it...



