SSH With Public Keys, Encrypted ZPool

[McKenn55]

I'm sure this issue has been discovered before by others, but I am not finding the solution myself.

I've got FreeNAS-9.3-STABLE-201509160044 running on my server. It has a single zpool using encryption mounted at /mnt/MyRaidName/. My user account is username1 and that user's home directory is located at /mnt/MyRaidName/Home/username1. That user account is the only one permitted to SSH into the machine and I've set it up to work with public key authentication. I've tested this thoroughly and have no issues with the public key authentication. However, after a reboot, the zpool is locked, due to the encryption, and therefore, my user's home directory and the keyfile are unavailable. SSH denies me access until I log into the web interface and enter the zpool's passphrase. I would prefer to not move my username1 user's home directory outside of the zpool if at all possible. Is there another way I can handle this so that my user can connect to the freenas instance using my established public key via ssh even when the zpool is locked or otherwise unavailable?

 

[CaptainSensible]

If u are the admin as in root, u can do anything. U may have to rethink security.

Public key is bullshit, if u are the Admin.

My password is 12345

 

[cyberjock]

The only solution to login as your user is move the ssh directory to someplace that is available to login. You said you don't want to move your home directory outside of the zpool, so there seems to be no solution. Either you'll have to move your home directory elsewhere, or decrypt the pool before you login first.

The root user is NOT stored on your zpool (its on the boot device) so you could simply change your configuration so root accepts your key. That would obviously work.

 

[McKenn55]

Thanks, CyberJock. I would have preferred to not move my home, but if that is the option that allows me to accomplish this, I'll do it.

 

[fta]

https://www.freebsd.org/cgi/man.cgi...=FreeBSD+9.3-RELEASE&arch=default&format=html

See the AuthorizedKeysFile setting. You can put your authorized keys wherever you want. If you only want a specific user to have the authorized keys located off the pool, you can use the AuthorizedKeysCommand to write a script to handle that.