Remote Login (SSH) and File Vault

Hello all : ) I'm having a small problem related to File Vault and logging in remotely via SSH. And this is the thing: All user accounts have File Vault enabled. This setting works alright when users log in directly at the computer. However, when connecting via SSH (Remote Login), the home folders are not yet attached, i.e. File Vault is not yet active. Each folder can be attached if a command like "hdiutil attach /Users/username/username.sparsebundle" is executed. But this isn't very cool... So, my question is: are there any configuration parameters one can fiddle with to ensure that each home folder is automatically attached when a user logs in remotely? TIA! -- Miguel

MacBook, Mac OS X (10.5.2)

Posted on May 10, 2008 5:43 PM

17 replies

May 10, 2008 8:31 PM in response to Miguel Almeida

I'm not certain if this would work, but you can give it a shot.

Create a file called "rc" in the user's ~/.ssh/ directory. Then add the "hdiutil" command to the file. The rc file is run before the user's home directory becomes available upon login, so hopefully that will mount the home directory properly and then log the user on properly and have everything be accessible.

I'm not too familiar with the ssh autorun scripts and whatnot, but there is definitely an elegant way to get this sort of automounting going with ssh.

May 10, 2008 8:50 PM in response to Miguel Almeida

I think what you should do is to create a file in the ~/.ssh directory of the computer that you are connecting from that contains these lines:

Host <File Vault Mac host name>
PermitLocalCommand yes
LocalCommand hdiutil attach /Users/username/username.sparsebundle

Another possible way to do it is to put the hdiutil command in the /etc/sshrc file of the File Vault Mac.

May 10, 2008 8:52 PM in response to Miguel Almeida

To do this, navigate to the ~/.ssh/ folder once you've logged in, and then create the "rc" file using a text editor such as "vi" or "pico". If you don't know how to use either, here's a simple step-by-step for pico:

Once in the directory type:
1. pico rc
2. enter the "hdiutil attach /Users/username/username.sparsebundle" command
3. type ctrl-o to write the file
4. type ctrl-x to exit the program

Then logout and log back in and it should run the command when you login.

May 10, 2008 9:06 PM in response to Topher Kessler

Topher,
The problem that I see with your suggestion is that the user's home directory is encrypted so I don't think the ~/.ssh/rc file will be accessible until after the sparsebundle is attached. That's why I mentioned the /etc/sshrc file. Though now that I think of it, that won't be so hot either with multiple user accounts. Unless the environment variables are set up so you could use

hdiutil attach /Users/$USER/$USER.sparsebundle

I still suspect that the "config" file on the local machine is the best solution.

May 10, 2008 9:23 PM in response to deh2k

One thing though, he'd have to make it conditional upon the login name, since being in the main /etc/sshrc file would mean that the same command would be run for every user. This would mean everyone would mount the same home folder, unless the sshrc file has a structure that passes the username to the filename of the sparsebundle. I'm not sure how to do this, but it can definitely be done with scripts.

May 11, 2008 4:14 AM in response to Miguel Almeida

Hey : ) First of all, thank you for your replies! I just read them and as far as I can tell, your suggestions are all valid. I've tested them before.

As regards the doubts whether the ~/.ssh/rc file is (or is not) available when the user logs in, the answer is clear: it is. And one can use this command to attach the volume. However, even though this automates the process, it still doesn't give the user the same experience. I mean, using this procedure, the user still doesn't have its REAL unencrypted home directory at /Users/username; the volume is attached at some folder you designate (the default being /Volumes/username)...

If it could just "remount" on top of the /Users/username folder... Any ideas?

One last thing that is still missing is the "detach". But that part I think one could get done with a logout script. But I'm not quite sure where to put it, though. Because, if it's inside the folder we're detaching with the script, I can't see how the system would do it... Detach while a script is still running? hmmm.....

Anyway, thanks again for your ideas! Cheers! -- Miguel

May 11, 2008 6:33 AM in response to Miguel Almeida

To unmount the disk on exit, you'd have to create an exit script to execute instead of using the built-in "exit" or "logout" commands. Create a script file that contains your unmount command followed by the "exit" command, and then name the script something easy like "exituser". Then put the script in the /usr/bin folder so it's accessible, make it executable, and then run the command when you want to exit.
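As an added example (not code from the thread or from Apple), the following POSIX shell script serves both ideas discussed above in one file: installed as /etc/sshrc it attaches only the logging-in user's own image, choosing the path from $USER as deh2k suggested, and installed as /usr/bin/exituser it is the detach-then-exit wrapper, kept outside the encrypted home so the concern about detaching a folder the script lives in does not arise. The layout /Users/<user>/<user>.sparsebundle attached at /Volumes/<user> comes from the thread; the FV_* variable names and the function names are my own. One caveat worth knowing: the ssh_config LocalCommand directive runs on the machine you connect from, so a server-side hook like this (or ~/.ssh/rc) is where the attach has to happen.

```shell
#!/bin/sh
# Added example, not code from the thread. Two roles in one file:
#   1. installed as /etc/sshrc: sshd runs it at every SSH login, so the
#      FileVault image is chosen from $USER instead of being hard-coded;
#   2. installed as /usr/bin/exituser and run with "exec exituser": detaches
#      the image from outside the home folder, then the session ends.
# Assumed layout (from the thread): /Users/<user>/<user>.sparsebundle is
# attached at /Volumes/<user>. FV_* names and function names are assumptions.

FV_USERS_ROOT="${FV_USERS_ROOT:-/Users}"     # where home folders live
FV_MOUNT_ROOT="${FV_MOUNT_ROOT:-/Volumes}"   # hdiutil's default mount root

# Path of the user's FileVault sparse bundle.
fv_bundle_path() {
    printf '%s/%s/%s.sparsebundle\n' "$FV_USERS_ROOT" "$1" "$1"
}

# Mount point the bundle is attached at.
fv_mount_point() {
    printf '%s/%s\n' "$FV_MOUNT_ROOT" "$1"
}

# Returns 0 when the bundle exists and nothing is at its mount point yet.
# (Checking for the directory is a simplification; on the Mac itself
# "mount" or "hdiutil info" gives the authoritative answer.)
fv_needs_attach() {
    [ -d "$(fv_bundle_path "$1")" ] || return 1
    [ -d "$(fv_mount_point "$1")" ] && return 1
    return 0
}

# Attach the user's bundle; hdiutil asks for the FileVault passphrase.
fv_attach() {
    fv_needs_attach "$1" || return 0
    hdiutil attach "$(fv_bundle_path "$1")"
}

# Detach the user's volume if it is attached; no-op otherwise.
fv_detach() {
    [ -d "$(fv_mount_point "$1")" ] || return 0
    hdiutil detach "$(fv_mount_point "$1")"
}

case "${0##*/}" in
    exituser)
        # Leave the encrypted home first so this process does not keep it busy.
        cd / && fv_detach "$USER"
        exit
        ;;
esac

# sshd sets SSH_CONNECTION for the session; only then act as the login hook.
if [ -n "$SSH_CONNECTION" ] && [ -n "$USER" ]; then
    fv_attach "$USER"
fi
```

Install the same file twice (cp to /etc/sshrc, and to /usr/bin/exituser with chmod +x), and end a remote session with `exec exituser` so the login shell is replaced by the wrapper and the connection closes once the volume is detached. The per-user check means users without a sparse bundle, or whose volume is already attached, get no hdiutil prompt at all.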
