~/.ssh directory permissions
Brent Bloxam
brentb at beanfield.com
Wed Jun 24 16:49:33 UTC 2009
Chris Rees wrote:
>
> Although I think it's not a big deal, as long as your id_?sa has
> permissions 600 like mine, or even 400.
>
> Chris
>
The man page for ssh(1) provides a lot of detail about the sensitivity
of the various files related to ssh. To quote it regarding a few of them:
> ~/.ssh/
> This directory is the default location for all user-specific configuration and authentication information. There is no
> general requirement to keep the entire contents of this directory secret, but the recommended permissions are
> read/write/execute for the user, and not accessible by others.
So as you can see, 700 is recommended (but not necessary).
> ~/.ssh/identity
> ~/.ssh/id_dsa
> ~/.ssh/id_rsa
> Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not
> accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others. It is
> possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file
> using 3DES.
However, identity, id_dsa and id_rsa _must_ be 700 at a maximum. It's
best to follow the recommendations from the man page unless you have
very specific reasons for needing more lax permissions on these files.
Regards,
Brent
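
The checks described in the quoted ssh(1) text, as an added example that is not part of the original message: a POSIX sh audit that warns when the directory is accessible by group/other and fails when a private key is. The function names, the WARN/FAIL labels and the exit codes are assumptions of this example, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh directory against
# the permissions the quoted ssh(1) text describes.

# Print the six group/other mode characters of a path, e.g. "------" for
# 600 or 700. ls -L follows symlinks so the target's mode is what is checked.
group_other_bits() {
    ls -ldL "$1" | cut -c5-10
}

# audit_ssh_dir DIR
# Prints one finding per line. Returns 1 if any private key is accessible by
# group/other (ssh ignores such a key), 2 if DIR is missing, 0 otherwise.
# A loose directory is only a WARN: the man page recommends 700 for it but
# states no general requirement.
audit_ssh_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "WARN $dir: accessible by group/other (recommended: 700)"
    fi
    for key in "$dir/identity" "$dir/id_dsa" "$dir/id_rsa"; do
        [ -f "$key" ] || continue
        bits=$(group_other_bits "$key")
        if [ "$bits" != "------" ]; then
            echo "FAIL $key: group/other bits '$bits' set (use 600 or 400)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo: a throwaway directory holding one loose and one tight key.
demo() {
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    : > "$d/id_rsa"; chmod 644 "$d/id_rsa"
    : > "$d/id_dsa"; chmod 600 "$d/id_dsa"
    rc=0
    audit_ssh_dir "$d" || rc=$?
    rm -rf "$d"
    echo "exit status: $rc"
}
demo
```

To check a real account, call audit_ssh_dir "$HOME/.ssh" in place of demo.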