Thursday, November 29, 2012

SSH File Permissions

If the permissions on your SSH files (e.g. id_rsa or config) are out of whack, then ssh will simply ignore them out of security concerns. To fix permission issues you can run the following:

chmod 750 $HOME
chmod -R 700 $HOME/.ssh

This sets the strictest permissions on everything under .ssh, which satisfies ssh's requirements for those files. ssh's requirements and recommendations for each file are listed below (from the ssh(1) manpage; "must" marks a hard requirement, "recommended" a soft one):

  • ~/.ssh/id_rsa (OR ANY PRIV KEY) - These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).  ssh will simply ignore a private key file if it is accessible by others.
  • ~/.ssh/config - Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others.
  • ~/.ssh/authorized_keys - This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
  • ~/.ssh/ - There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
  • ~/.rhosts - Additionally, this file must be owned by the user, and must not have write permissions for anyone else.  The recommended permission for most machines is read/write for the user, and not accessible by others.
  • ~/.shosts - Same as ~/.rhosts.
  • ~/.ssh/id_rsa.pub (OR ANY PUB KEY) - These files are not sensitive and can (but need not) be readable by anyone.
  • /etc/hosts.equiv - It should only be writable by root.
  • /etc/shosts.equiv - Same as above.
  • /etc/ssh/ssh_known_hosts - It should be world-readable
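To check a home directory against the list above before (or instead of) blindly running the two chmod commands, here is an added audit script. It is not part of the original post; it is an example written for this page. It reports anything ssh or sshd would refuse outright as FAIL (a private key or config readable by others, a home directory or authorized_keys writable by group/other) and anything that merely misses the recommended mode as WARN. It uses POSIX sh plus stat(1), handling both the GNU and BSD stat formats, and identifies private keys by their BEGIN ... PRIVATE KEY banner rather than by name, so keys called anything other than id_rsa are covered too.

```sh
#!/bin/sh
# Added example (not from the original post): audit the permission bits that
# ssh(1)/sshd(8) check under a home directory, reporting anything that would
# make ssh ignore a key or reject a config, plus the softer "recommended" cases.
# POSIX sh plus stat(1); the GNU and BSD stat formats are both handled.

# mode_of FILE: print the permission bits of FILE in octal, e.g. 600 or 755.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"          # GNU coreutils
    else
        stat -f '%OLp' "$1"        # BSD / macOS
    fi
}

# group_other MODE: the last two octal digits (group and other) of MODE.
group_other() {
    printf '%s\n' "${1#${1%??}}"
}

# writable_by_others MODE: succeed if the group or other digit has the write bit (2).
writable_by_others() {
    go=$(group_other "$1")
    for digit in "${go%?}" "${go#?}"; do
        case $digit in 2|3|6|7) return 0 ;; esac
    done
    return 1
}

# looks_like_private_key FILE: PEM and OpenSSH private keys start with a BEGIN ... PRIVATE KEY banner.
looks_like_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# audit_ssh_perms HOME_DIR: print one line per finding; return 0 if clean, 1 otherwise.
audit_ssh_perms() {
    home=$1
    sshdir=$home/.ssh
    findings=0

    # Home directory: sshd (StrictModes) rejects authorized_keys when $HOME is
    # writable by group or others. The post's chmod 750 satisfies this.
    m=$(mode_of "$home")
    if writable_by_others "$m"; then
        echo "FAIL $home: mode $m is writable by group/other"
        findings=$((findings + 1))
    fi

    [ -d "$sshdir" ] || { echo "INFO $sshdir: no .ssh directory"; return $((findings > 0)); }

    # ~/.ssh itself: recommended 700.
    m=$(mode_of "$sshdir")
    if [ "$(group_other "$m")" != "00" ]; then
        echo "WARN $sshdir: mode $m, recommended 700 (not accessible by others)"
        findings=$((findings + 1))
    fi

    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        go=$(group_other "$m")
        case ${f##*/} in
            config)
                # Hard requirement: ssh refuses a config that others can read or write.
                [ "$go" = "00" ] || { echo "FAIL $f: mode $m, config must be 600"; findings=$((findings + 1)); }
                ;;
            authorized_keys)
                # Recommended 600; sshd rejects it only when group/other can write.
                if writable_by_others "$m"; then
                    echo "FAIL $f: mode $m is writable by group/other"; findings=$((findings + 1))
                elif [ "$go" != "00" ]; then
                    echo "WARN $f: mode $m, recommended 600"; findings=$((findings + 1))
                fi
                ;;
            *.pub|known_hosts)
                : # not sensitive; any mode is acceptable
                ;;
            *)
                # Private keys: ssh silently ignores a key that is accessible by others.
                if looks_like_private_key "$f" && [ "$go" != "00" ]; then
                    echo "FAIL $f: mode $m, private key must be 600 (ssh will ignore it)"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Usage: audit_ssh_perms "$HOME"
# Running the post's two chmod commands clears every finding this script raises.
```

Run it as `audit_ssh_perms "$HOME"` from a shell that has sourced the file. The distinction between FAIL and WARN follows the manpage wording quoted above: a FAIL is a mode ssh or sshd actively refuses, a WARN is only a departure from the recommended mode. Public keys and known_hosts are skipped since the manpage says they need not be protected.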
