The following instructions set up an OpenSSH server on Ubuntu Linux for an account whose home directory is encrypted. Throughout, username stands for an actual username such as phil.
Install OpenSSH server:
sudo apt-get install openssh-server
Configure sshd_config (NOT ssh_config, note the d: sshd_config is the server's configuration, ssh_config the client's) to accept password logins for now, after creating a read-only backup:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
sudo gedit /etc/ssh/sshd_config
Change the line #PasswordAuthentication yes to read PasswordAuthentication yes (i.e. remove the #; password authentication is sshd's default, so this only makes the setting explicit for the moment) and only allow the named user to log in (AllowUsers takes a space-separated list of usernames):
PasswordAuthentication yes
AllowUsers username
Finally tell sshd to look in /etc/ssh/username/authorized_keys for client keys by adding the line AuthorizedKeysFile /etc/ssh/%u/authorized_keys (%u expands to the login name, so one line covers every user). The default is .ssh/authorized_keys under the home directory, which is no good here because the home directory stays encrypted, and therefore unreadable to sshd, until you've logged in and unlocked it!
Check the edited file for syntax errors with sudo sshd -t (it prints nothing when the file is valid), then restart the ssh server with:
sudo service ssh restart
Next create the directory and the authorized_keys file and give them the permissions sshd requires. With StrictModes (the default) sshd refuses to use the file if it or its directory is group- or world-writable, or is owned by anyone other than the user or root:
sudo mkdir /etc/ssh/username/
sudo chown username /etc/ssh/username
sudo chmod 755 /etc/ssh/username
sudo touch /etc/ssh/username/authorized_keys
sudo chown username /etc/ssh/username/authorized_keys
sudo chmod 644 /etc/ssh/username/authorized_keys
Then copy the client's public key into authorized_keys. ssh-copy-id is no use here because it writes to ~/.ssh/authorized_keys inside the encrypted home, so the easiest way is to ssh in to the server (which is why password logins were left enabled) and paste the key from there. So from the client, display the public key (the .pub half of the key pair, a single line starting with the key type such as ssh-ed25519 or ssh-rsa), copy it to the clipboard, then ssh to the server as username and enter your login password when prompted. On the server:
nano /etc/ssh/username/authorized_keys # Paste the key here (one key per line) and save
Disable password logins by changing PasswordAuthentication yes to PasswordAuthentication no in /etc/ssh/sshd_config (leave AllowUsers and AuthorizedKeysFile as they are) and restart the ssh server (sudo service ssh restart on the server). Keep the session you are in open and test a fresh login from a second terminal before closing it, so a mistake in the configuration cannot lock you out. Log in is now done using the ssh keys and without prompting for a password. On the first connection from a client (which was the password login above, if you followed these steps in order) the client shows the fingerprint of the host key sent by the server and asks whether to trust it; it is then stored in ~/.ssh/known_hosts on the client. Check it's right by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server, or the matching .pub file if the client shows a different key type (for example ssh_host_ed25519_key.pub), before answering yes. One consequence of key-based login is that the encrypted home directory is not mounted automatically, because the login password that normally unlocks it is never sent; after logging in, run ecryptfs-mount-private and enter the login passphrase to unlock it.
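The whole procedure above as shell functions, so it can be rehearsed against a scratch directory before anything under /etc/ssh is touched. This is an added example, not code from the original post; it assumes a GNU/Linux userland (awk, find, ls), the standard sshd_config keywords, and the sshd_config excerpt it builds for the dry run is constructed, not copied from a real server.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the post's sshd setup as functions.
# Assumes GNU/Linux tools; run the functions as root against /etc/ssh, or pass a
# scratch directory as BASE to rehearse as an ordinary user.
set -eu

# Set KEY to VALUE in an sshd_config file: replace the first global line for KEY
# (commented out or not), drop duplicates, and never append after a Match block,
# because a directive placed there would apply only to that block.
set_sshd_directive() {   # FILE KEY VALUE
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        function emit() { if (!done) { print key " " value; done = 1 } }
        {
            raw = $0; sub(/^[ \t]+/, "", raw)
            if (!inmatch && raw ~ /^[Mm][Aa][Tt][Cc][Hh]([ \t]|$)/) { inmatch = 1; emit() }
            line = raw; sub(/^#[ \t]*/, "", line); split(line, f, /[ \t]+/)
            if (!inmatch && tolower(f[1]) == tolower(key)) { emit(); next }
            print
        }
        END { emit() }' "$file" > "$tmp"
    cat "$tmp" > "$file"     # keep the original file's owner and mode
    rm -f "$tmp"
}

# Print the effective (first uncommented) value of KEY, as sshd would read it.
get_sshd_directive() {   # FILE KEY
    awk -v key="$2" 'tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# The three edits the post makes. PASSWORDS is yes while the key is being copied, no afterwards.
configure_sshd() {   # FILE USER PASSWORDS
    local file=$1 user=$2 passwords=$3
    set_sshd_directive "$file" PasswordAuthentication "$passwords"
    set_sshd_directive "$file" AllowUsers "$user"
    set_sshd_directive "$file" AuthorizedKeysFile '/etc/ssh/%u/authorized_keys'   # %u = login name
}

# Create BASE/USER/authorized_keys (BASE defaults to /etc/ssh) with the post's owner and modes.
setup_key_dir() {   # USER [BASE]
    local user=$1 base=${2:-/etc/ssh} d
    d=$base/$user
    mkdir -p "$d"; chown "$user" "$d"; chmod 755 "$d"
    if [ ! -e "$d/authorized_keys" ]; then
        : > "$d/authorized_keys"; chown "$user" "$d/authorized_keys"; chmod 644 "$d/authorized_keys"
    fi
}

# What sshd's StrictModes (default yes) checks before it will use the file: the file and its
# directory must belong to USER or root and must not be group- or world-writable.
check_key_dir() {   # USER [BASE]
    local user=$1 base=${2:-/etc/ssh} p owner
    for p in "$base/$user" "$base/$user/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        owner=$(ls -ld "$p" | awk '{ print $3 }')
        case $owner in "$user"|root) ;; *) echo "bad owner $owner on $p" >&2; return 1 ;; esac
        if [ -n "$(find "$p" -prune \( -perm -g=w -o -perm -o=w \) -print)" ]; then
            echo "group/world writable: $p" >&2; return 1
        fi
    done
}

# Fingerprints of every host key the server can present, for the client's known_hosts check.
show_host_fingerprints() {
    local k
    for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -l -f "$k"; done
}

# Dry run against a constructed sshd_config in a scratch directory; touches nothing under /etc.
demo() {
    local work cfg me
    work=$(mktemp -d); cfg=$work/sshd_config; me=$(id -un)
    printf '%s\n' '# constructed sshd_config excerpt' '#PasswordAuthentication yes' \
        'AuthorizedKeysFile .ssh/authorized_keys' 'Match User guest' \
        '    PasswordAuthentication no' > "$cfg"
    cp -p "$cfg" "$cfg.factory-defaults"; chmod a-w "$cfg.factory-defaults"   # the post's backup step
    configure_sshd "$cfg" phil yes    # phase 1: password login allowed while the key is copied
    configure_sshd "$cfg" phil no     # phase 2: key installed, passwords off
    cat "$cfg"
    setup_key_dir "$me" "$work/ssh" && check_key_dir "$me" "$work/ssh" && echo "key dir OK"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo as an ordinary user to watch the two-phase edit on a scratch copy (note that AllowUsers lands before the Match block, not after it); as root, configure_sshd /etc/ssh/sshd_config username yes, setup_key_dir username and check_key_dir username apply the same steps for real, and each configuration change should be followed by sudo sshd -t before the restart.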